🛌 Commit progress before sleep break

steinkirch.eth, phd 2023-07-14 21:50:31 -07:00
parent 119cc7f62c
commit 585ee80f5d
319 changed files with 29 additions and 23 deletions

2
code/chef/.github/FUNDING.yml vendored Normal file

@ -0,0 +1,2 @@
custom: paypal.me/miasteinkirch

9
code/chef/.gitignore vendored Normal file

@ -0,0 +1,9 @@
.vagrant
/cookbooks
# Bundler
bin/*
.bundle/*
.kitchen/
.kitchen.local.yml

201
code/chef/LICENSE Executable file

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

23
code/chef/README.md Executable file

@ -0,0 +1,23 @@
# resources on chef
<br>
## Suricata Chef Cookbook
This cookbook installs and configures Suricata.
## Usage
### suricata::default
* include `suricata` in your node's `run_list`:
```json
{
"name":"my_node",
"run_list": [
"recipe[suricata]"
]
}
```
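Review bot: the Usage section only shows the `run_list` entry, but `recipes/default.rb` in this same commit raises unless `node['suricata']['interface']` and `node['suricata']['rules']` are set, so a reader who follows this README as written gets a failed converge; add a short Attributes section listing those two required keys (and the `version` attribute from `attributes/default.rb`) with an example node JSON.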


@ -0,0 +1 @@
default['suricata']['version'] = '3.1'
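Review bot: `default['suricata']['version']` is never read by any recipe in this commit; `yum_package 'suricata'` and `homebrew_package "suricata"` install whatever the repository ships, so the attribute does not pin the version its name promises. Either pass it through (`version node['suricata']['version']` on the yum_package resource) or drop it so nobody relies on it.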


@ -0,0 +1,68 @@
# $Id$
# classification.config taken from Snort 2.8.5.3. Snort is governed by the GPLv2
#
# The following includes information for prioritizing rules
#
# Each classification includes a shortname, a description, and a default
# priority for that classification.
#
# This allows alerts to be classified and prioritized. You can specify
# what priority each classification has. Any rule can override the default
# priority for that rule.
#
# Here are a few example rules:
#
# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
# dsize: > 128; classtype:attempted-admin; priority:10;
#
# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
# content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override
# the default priority for that type to 10.
#
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
#
#
# config classification:shortname,short description,priority
#
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2


@ -0,0 +1,25 @@
# config reference: system URL
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: bid http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: cve http://cvedetails.com/cve/
config reference: secunia http://www.secunia.com/advisories/
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: McAfee http://vil.nai.com/vil/content/v_
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://
config reference: et http://doc.emergingthreats.net/
config reference: etpro http://doc.emergingthreatspro.com/
config reference: telus http://
config reference: osvdb http://osvdb.org/show/osvdb/
config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
config reference: md5 http://www.threatexpert.com/report.aspx?md5=
config reference: exploitdb http://www.exploit-db.com/exploits/
config reference: openpacket https://www.openpacket.org/capture/grab/
config reference: securitytracker http://securitytracker.com/id?
config reference: secunia http://secunia.com/advisories/
config reference: xforce http://xforce.iss.net/xforce/xfdb/
config reference: msft http://technet.microsoft.com/security/bulletin/
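Review bot: `cve` and `secunia` are each defined twice (`config reference: cve http://cve.mitre.org/...` and `config reference: cve http://cvedetails.com/cve/`; `secunia` with `www.secunia.com` and `secunia.com`), so which URL a rule's `reference:cve,...` expands to depends on how Suricata resolves duplicate keys; keep one definition per reference system. Several of the remaining hosts (osvdb.org was shut down in 2016) no longer resolve, so expect dead links in rendered alerts.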


@ -0,0 +1,33 @@
/var/log/suricata/*.log
{
weekly
missingok
create
sharedscripts
postrotate
/bin/kill -HUP $(cat /var/run/suricata.pid)
endscript
delaycompress
copytruncate
compresscmd /usr/bin/pigz
compress
dateext
notifempty
}
/var/log/suricata/eve.json
{
weekly
missingok
create
sharedscripts
postrotate
/bin/kill -HUP $(cat /var/run/suricata.pid)
endscript
rotate 32
delaycompress
compresscmd /usr/bin/pigz
compress
dateext
notifempty
}
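Review bot: the first stanza (`/var/log/suricata/*.log`) has no `rotate` directive, and logrotate's default is `rotate 0`, which deletes old logs instead of keeping them, so the `.log` files get no retention at all while `eve.json` keeps 32 generations; add `rotate 32` (or the intended retention) to the first block. In that same block `copytruncate` makes `create` redundant and makes the `postrotate` HUP unnecessary (Suricata keeps writing to the truncated file), so pick one mechanism: `copytruncate` alone, or `create` plus the HUP as the `eve.json` block does. In both blocks `/bin/kill -HUP $(cat /var/run/suricata.pid)` makes the postrotate script fail when the pid file is absent (Suricata stopped); guard it with `[ -f /var/run/suricata.pid ] && ...`.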


@ -0,0 +1,32 @@
# Thresholding:
#
# This feature is used to reduce the number of logged alerts for noisy rules.
# Thresholding commands limit the number of times a particular event is logged
# during a specified time interval.
#
# The syntax is the following:
#
# threshold gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
#
# event_filter gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
#
# suppress gen_id <gid>, sig_id <sid>
# suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|subnet>
#
# The options are documented at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds
#
# Please note that thresholding can also be set inside a signature. The interaction between rule based thresholds
# and global thresholds is documented here:
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds#Global-thresholds-vs-rule-thresholds
# Limit to 10 alerts every 10 seconds for each source host
#threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 10
# Limit to 1 alert every 10 seconds for signature with sid 2404000
#threshold gen_id 1, sig_id 2404000, type threshold, track by_dst, count 1, seconds 10
# Avoid to alert on f-secure update
# Example taken from http://blog.inliniac.net/2012/03/07/f-secure-av-updates-and-suricata-ips/
#suppress gen_id 1, sig_id 2009557, track by_src, ip 217.110.97.128/25
#suppress gen_id 1, sig_id 2012086, track by_src, ip 217.110.97.128/25
#suppress gen_id 1, sig_id 2003614, track by_src, ip 217.110.97.128/25

6
code/chef/metadata.rb Executable file

@ -0,0 +1,6 @@
name 'suricata'
maintainer 'bt3'
license 'All rights reserved'
description 'Major suricata update to 3.1'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.3.52'
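Review bot: `license 'All rights reserved'` contradicts the `LICENSE` file added in this same commit, which is Apache 2.0; set `license 'Apache-2.0'`. Also `recipes/mac.rb` does `include_recipe "logrotate::suricata_os_x"`, but there is no `depends 'logrotate'` here, so that include fails at compile time unless the logrotate cookbook happens to be on the run list already; add the dependency, and consider `supports 'centos'` and `supports 'mac_os_x'` for the two platforms the recipes target.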

138
code/chef/recipes/centos.rb Executable file

@ -0,0 +1,138 @@
# Cookbook Name:: suricata
# Recipe:: centos
#
# Variable Definitions
suropts = node[:suricata]
suricata_interface = suropts[:interface]
# Do we have multiple interfaces to listen on?
if suricata_interface.is_a? String
suricata_interface = [ suricata_interface ]
end
raise 'No suricata rules defined for this host' if suropts[:rules].nil?
rules = suropts[:rules]
# Setup
yum_package 'libcap-ng'
yum_package 'libhtp'
%w[ libmnl libnetfilter_queue ].each do |pkg|
yum_package pkg
end
# Install Suricata
yum_package 'suricata' do
notifies :restart, 'service[suricata]', :delayed
end
group 'suricata' do
gid 683
action :create
end
user 'suricata' do
comment 'suricata IDS user'
gid 683
shell '/sbin/nologin'
system true
action :create
end
if node[:platform_version][0] == '6'
template '/etc/init.d/suricata' do
mode 0555
owner 'root'
group 'root'
source 'suricata.init.erb'
variables({:interface => suricata_interface})
end
else
template '/etc/systemd/system/suricata.service' do
mode 0444
owner 'root'
group 'root'
source 'suricata.service.erb'
variables({:interface => suricata_interface})
end
end
cookbook_file '/etc/logrotate.d/suricata' do
source 'suricata_logrotate'
owner 'root'
group 'root'
mode 0644
end
# Set Rules Up
directory '/etc/suricata/rules' do
action :create
end
# Need to create these rules when time comes.
#template '/etc/suricata/rules/local.rules' do
# mode 0644
# owner 'root'
# group 'wheel'
# source 'centos/local.rules.erb'
#end
# Set and configurate Suricata for centos
magic_file = '/usr/share/file/magic'
service_name = 'suricata'
corpmacs = search(:node, 'roles:CorpMacDNS').map { |node| node['ipaddress'] }.sort!
template '/etc/suricata/suricata.yaml' do
mode 0644
source 'suricata.yaml.erb'
variables({:pcapinterface => suricata_interface,
:rules => rules,
:magic_file => magic_file,
:corpmacs => corpmacs})
notifies :restart, "service[#{service_name}]", :delayed
end
%w[ classification.config reference.config threshold.config ].each do |configfile|
cookbook_file "/etc/suricata/#{configfile}" do
source configfile
mode 0644
owner 'root'
end
end
# Setup logging
directory '/var/log/suricata/' do
owner 'root'
group 'suricata'
mode 0775
action :create
end
logfile_group = 'suricata'
if system('getent group splunk')
logfile_group = 'splunk'
end
%w[ fast.log outputs.log suricata.log tls.log eve.json ].each do |logfile|
file "/var/log/suricata/#{logfile}" do
mode 0640
owner 'suricata'
group logfile_group
end
end
# Start Suricata
service 'suricata' do
supports :status => true, :restart => true, :reload => true
action [ :enable, :start ]
end
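Review bot: `node[:platform_version][0] == '6'` compares only the first character of the version string, so it cannot tell '6.10' from a future '60' and silently takes the systemd branch for anything else; use `node['platform_version'].to_i == 6`. Two smaller points: `system('getent group splunk')` runs at compile time, before any resource in this run has converged, so a splunk group created earlier in the same run is not seen (evaluate it in a `lazy {}` block on the `group` property instead); and unlike `default.rb` this recipe never checks `suropts[:interface].nil?`, so `suricata_interface` can reach the templates as `nil` when the recipe is included directly rather than via `suricata::default`.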

25
code/chef/recipes/default.rb Executable file

@ -0,0 +1,25 @@
#
# Cookbook Name:: suricata
# Recipe:: default
#
suropts = node[:suricata]
raise 'No suricata interface defined for this host' if suropts[:interface].nil?
suricata_interface = suropts[:interface]
# Do we have multiple interfaces to listen on?
if suricata_interface.is_a? String
suricata_interface = [ suricata_interface ]
end
# The list of rules to populate the yaml config with.
raise 'No suricata rules defined for this host' if suropts[:rules].nil?
rules = suropts[:rules]
case node[:platform]
when 'centos'
include_recipe 'suricata::centos'
else
include_recipe 'suricata::corpmac'
end
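Review bot: the `else` branch includes `suricata::corpmac`, but the recipe added in this commit is `recipes/mac.rb` (its header comment says `Recipe:: corpmac.rb`), so `include_recipe 'suricata::corpmac'` raises a "could not find recipe" error on every non-CentOS node; rename the file to `recipes/corpmac.rb` or include `suricata::mac`. Also `suricata_interface` and `rules` are computed here but never used (the platform recipes recompute them), so keep the two `raise` checks and drop the assignments, and replace the catch-all `else` with `when 'mac_os_x'` plus an explicit failure for unsupported platforms rather than treating every non-CentOS node as a Mac.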

172
code/chef/recipes/mac.rb Executable file

@ -0,0 +1,172 @@
# Cookbook Name:: suricata
# Recipe:: corpmac.rb
#
# Variable Definitions
suropts = node[:suricata]
raise 'No suricata interface defined for this host' if suropts[:interface].nil?
suricata_interface = suropts[:interface]
if suricata_interface.is_a? String
suricata_interface = [ suricata_interface ]
end
raise 'No suricata rules defined for this host' if suropts[:rules].nil?
rules = suropts[:rules]
# Setup
group 'suricata' do
gid 683
action :create
end
user 'suricata' do
comment 'suricata IDS user'
gid 683
shell '/sbin/nologin'
system true
action :create
end
# Install Suricata
package "libmagic" do
action :install
provider Chef::Provider::Package::Homebrew
end
homebrew_package "suricata" do
homebrew_user 'user'
action :install
end
directory '/etc/suricata/' do
action :create
end
# Set Rules Up
directory '/etc/suricata/rules' do
action :create
end
template '/etc/suricata/rules/local.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/local.rules.erb'
end
template '/etc/suricata/rules/shellcode.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/shellcode.rules.erb'
end
template '/etc/suricata/rules/osxmalware.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/osxmalware.rules.erb'
end
template '/etc/suricata/rules/nmap.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/nmap.rules.erb'
end
template '/etc/suricata/rules/mobilemalware.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/mobilemalware.rules.erb'
end
template '/etc/suricata/rules/emerging-exploit.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/emerging-exploit.rules.erb'
end
template '/etc/suricata/rules/emerging-shellcode.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/emerging-shellcode.rules.erb'
end
template '/etc/suricata/rules/dshield.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/dshield.rules.erb'
end
template '/etc/suricata/rules/compromised.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/compromised.rules.erb'
end
template '/etc/suricata/rules/tor.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/tor.rules.erb'
end
magic_file = '/usr/local/share/misc/magic.mgc'
include_recipe "logrotate::suricata_os_x"
service_name = 'com.host.suricata'
corpmacs = search(:node, 'roles:CorpMacDNS').map { |node| node['ipaddress'] }.sort!
template '/etc/suricata/suricata.yaml' do
mode 0644
source 'suricata.yaml.erb'
variables({:pcapinterface => suricata_interface,
:rules => rules,
:magic_file => magic_file,
:corpmacs => corpmacs})
notifies :restart, "service[#{service_name}]", :delayed
end
%w[ classification.config reference.config threshold.config ].each do |configfile|
cookbook_file "/etc/suricata/#{configfile}" do
source configfile
mode 0644
owner 'root'
end
end
# Setup logging
directory '/var/log/suricata/' do
owner 'root'
group 'suricata'
mode 0775
action :create
end
logfile_group = 'suricata'
if system('getent group splunk')
logfile_group = 'splunk'
end
# Start Suricata
service 'com.host.suricata' do
action [ :start ]
restart_command "kill -USR2 `cat /var/run/suricata.pid`"
end
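Review bot: `restart_command "kill -USR2 ..."` sends SIGUSR2, which Suricata treats as a live rule reload, not a restart, so the `notifies :restart` from the `suricata.yaml` template never applies a changed configuration (the pcap interface, magic file and output settings are only read at start); use a real stop/start of `com.host.suricata` for config changes and keep USR2 for the rule templates. Also `homebrew_user 'user'` is a hardcoded placeholder that should come from an attribute, `logfile_group` is computed but never used in this recipe (there are no `file` resources for the logs as in `centos.rb`), and the ten near-identical `template '/etc/suricata/rules/*.rules'` blocks could be a single loop over the rule names, like the `%w[ classification.config ... ]` loop used for the config files.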


@ -0,0 +1,86 @@
#
# $Id: emerging-compromised.rules
# Rules to block known hostile or compromised hosts. These lists are updated daily or better from many sources
#
#Sources include:
#
# Daniel Gerzo's BruteForceBlocker
# http://danger.rulez.sk/projects/bruteforceblocker/
#
# The OpenBL
# http://www.openbl.org/ (formerly sshbl.org)
#
# And the Emerging Threats Sandnet and SidReporter Projects
#
# More information available at www.emergingthreats.net
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# VERSION 4467
# Generated 2017-09-22 00:30:02 EDT
alert ip [101.132.70.58,101.226.164.254,101.230.200.173,101.231.117.54,101.236.51.134,101.251.201.246,101.64.237.31,101.79.44.115,103.17.51.78,103.207.36.217,103.207.36.220,103.207.36.225,103.207.36.226,103.207.36.246,103.207.36.251,103.207.36.84,103.207.37.200,103.207.38.144,103.207.38.178,103.207.38.202,103.207.38.86,103.207.39.125,103.207.39.203,103.210.239.167,103.212.222.16,103.212.223.150,103.212.223.42,103.217.152.20,103.228.152.141,103.237.56.230] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500000; rev:4467;)
alert ip [103.27.239.143,103.28.38.74,103.45.5.85,103.53.77.118,103.69.219.46,103.71.255.27,103.73.86.76,103.79.142.18,103.89.88.138,103.89.88.147,103.89.88.168,103.89.88.64,103.89.88.86,103.89.88.95,103.89.88.98,103.89.90.28,103.90.226.162,103.9.156.251,104.130.138.184,104.131.40.115,104.131.41.77,104.131.73.27,104.154.89.43,104.168.235.233,104.192.3.34,104.192.3.46,104.193.10.228,104.198.193.205,104.203.45.174,104.211.183.174] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500002; rev:4467;)
alert ip [104.218.140.228,104.223.123.98,104.238.95.233,104.244.77.64,104.244.78.156,104.37.214.97,104.42.197.23,105.209.67.118,105.225.167.218,106.112.59.106,106.172.82.195,106.247.22.57,106.254.62.123,106.38.252.50,106.39.70.232,106.39.93.84,106.51.1.164,106.51.44.4,106.57.168.64,106.75.134.62,106.75.143.3,106.75.48.185,106.75.71.224,107.132.53.129,107.167.184.140,107.175.145.42,108.14.52.60,108.162.151.203,108.172.246.196,108.172.71.183] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500004; rev:4467;)
alert ip [108.173.38.92,108.180.129.213,108.208.120.134,108.48.123.223,108.58.41.139,108.61.166.208,109.110.63.131,109.171.3.184,109.195.1.224,109.204.44.230,109.205.136.10,109.206.50.173,109.230.0.69,109.30.27.127,109.98.100.108,110.200.221.235,110.20.113.244,110.228.34.174,110.45.165.12,110.45.244.113,110.8.188.38,111.119.197.73,111.122.211.147,111.125.89.10,111.127.116.215,111.194.196.27,111.204.175.228,111.205.121.92,111.206.115.107,111.231.194.103] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500006; rev:4467;)
alert ip [111.26.139.65,111.26.182.3,111.39.46.47,111.89.5.185,112.101.172.18,112.148.101.13,112.161.232.55,112.4.81.93,112.5.140.230,112.64.33.92,112.81.182.17,112.82.237.169,113.105.152.226,113.116.60.141,113.122.140.67,113.124.141.122,113.124.141.48,113.141.70.163,113.178.66.10,113.179.135.18,113.195.226.160,113.200.203.102,113.201.169.192,113.247.233.90,113.252.218.53,113.252.222.216,113.57.160.51,113.77.11.29,114.112.65.226,114.113.101.107] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500008; rev:4467;)
alert ip [114.207.102.52,114.34.101.101,115.159.152.47,115.195.208.191,115.209.180.49,115.213.144.133,115.231.8.12,115.231.94.238,115.236.47.25,115.236.47.27,115.249.75.29,115.25.138.222,115.68.3.153,116.101.123.47,116.101.17.10,116.107.220.24,116.107.221.141,116.107.223.107,116.15.8.12,116.196.108.252,116.196.84.88,116.231.57.98,116.246.11.101,1.164.9.109,116.62.155.36,117.107.159.144,117.146.60.13,117.18.105.172,117.2.123.42,117.48.194.129] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 6"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500010; rev:4467;)
alert ip [117.79.147.217,118.140.111.22,118.144.138.200,118.144.138.203,118.151.209.235,118.165.126.206,118.179.220.203,118.180.18.102,118.186.21.234,118.186.36.50,118.221.123.174,118.221.201.81,118.244.238.14,118.244.238.18,118.244.238.19,118.244.238.4,118.26.170.129,118.32.27.85,118.34.18.148,118.89.239.137,119.14.160.126,119.146.201.177,119.192.239.231,119.195.208.150,119.197.4.164,119.236.181.148,119.254.153.43,119.44.217.220,119.52.229.151,120.132.113.76] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 7"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500012; rev:4467;)
alert ip [120.132.113.82,120.132.113.84,120.132.113.85,120.132.14.35,120.132.30.150,1.202.166.74,120.234.5.228,120.237.101.134,120.52.118.33,120.52.56.152,120.77.204.253,120.83.5.28,120.89.29.132,1.209.148.74,120.92.74.178,120.92.85.3,121.12.120.171,121.129.186.183,121.159.89.132,121.160.21.13,121.177.23.189,121.194.2.248,121.201.18.228,121.35.209.94,121.46.31.50,121.56.147.48,121.78.87.138,121.8.107.234,121.96.57.204,122.114.213.144] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 8"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500014; rev:4467;)
alert ip [122.117.90.221,122.146.46.145,122.207.17.20,122.224.144.131,122.228.196.166,122.228.249.84,122.243.182.219,122.46.210.188,122.72.22.132,123.122.123.172,123.132.243.89,123.134.87.51,123.150.101.229,123.150.108.238,123.16.84.49,123.169.170.158,123.169.192.151,123.169.192.77,123.169.200.247,123.171.114.246,123.184.35.48,123.196.120.135,123.207.236.127,123.207.242.81,123.247.9.244,123.249.20.27,123.249.20.31,1.234.4.14,123.96.186.129,123.96.49.127] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 9"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500016; rev:4467;)
alert ip [124.117.241.152,1.241.184.143,124.135.31.202,124.205.195.3,124.207.190.60,124.251.36.75,124.42.66.91,124.61.247.61,124.67.81.2,124.90.206.204,125.100.114.3,125.121.111.64,125.123.155.119,125.130.103.130,125.208.29.140,125.212.253.176,125.34.210.238,125.75.207.25,126.25.84.195,128.199.112.13,128.199.62.192,1.28.86.194,129.121.178.56,129.125.75.199,131.255.6.32,132.148.133.186,133.232.74.108,134.19.181.20,13.54.136.89,13.59.109.162] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 10"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500018; rev:4467;)
alert ip [136.144.156.254,137.186.227.52,137.44.3.243,13.75.158.218,13.76.245.100,137.74.6.238,13.81.217.61,138.197.101.38,138.197.103.4,13.84.188.226,138.68.239.21,138.68.5.130,139.159.220.163,139.219.103.115,139.219.190.2,139.219.70.7,139.255.93.122,139.5.71.112,139.59.123.240,139.59.123.37,139.59.18.218,139.99.104.118,140.114.75.64,140.207.213.31,140.207.2.182,140.255.69.150,140.255.99.4,141.105.69.248,14.163.184.137,14.166.71.61] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 11"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500020; rev:4467;)
alert ip [14.169.1.86,14.177.68.22,14.198.124.91,14.204.87.108,14.228.254.184,14.235.138.51,14.29.118.197,14.34.27.163,144.0.242.178,144.217.128.26,144.217.146.49,144.48.168.8,145.249.106.104,14.58.109.187,14.58.118.69,146.148.108.195,14.63.165.247,147.135.136.81,147.135.226.50,147.178.194.71,149.56.128.14,149.56.180.126,149.56.223.104,151.84.133.210,152.149.59.147,152.204.2.160,153.127.194.180,153.166.65.77,154.0.165.125,154.0.169.254] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 12"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500022; rev:4467;)
alert ip [155.133.82.12,156.67.106.30,157.7.137.248,159.203.102.134,159.203.104.139,159.203.66.209,159.203.68.222,159.203.90.141,159.203.93.23,159.224.62.130,159.226.162.195,160.202.161.28,160.202.161.30,160.3.126.165,162.223.162.11,162.223.162.62,162.243.170.180,162.253.41.66,162.253.42.106,163.172.118.208,163.172.119.32,163.172.125.238,163.172.135.37,163.172.167.129,163.172.170.212,163.172.174.231,163.172.200.128,163.172.223.87,163.172.48.201,163.172.67.180] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 13"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500024; rev:4467;)
alert ip [164.132.51.91,164.177.113.231,165.227.109.171,165.227.124.196,165.227.124.86,165.227.144.103,166.111.131.71,166.62.40.246,167.114.61.195,167.250.73.80,168.1.128.133,168.235.102.145,168.235.89.230,168.70.82.160,169.50.107.11,169.50.86.185,169.50.86.187,169.50.86.188,169.50.86.190,169.50.86.191,170.250.90.139,171.234.231.115,171.245.13.106,171.25.165.26,173.0.52.106,173.16.233.5,173.166.99.116,173.198.206.107,173.212.222.115,173.214.175.146] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 14"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500026; rev:4467;)
alert ip [173.254.233.195,173.63.215.158,174.100.60.23,174.138.80.41,175.125.93.32,175.126.232.29,175.139.173.1,175.156.152.231,175.207.20.177,175.99.86.177,176.105.180.147,176.126.252.11,176.162.154.1,176.9.156.75,177.11.50.67,177.155.104.44,177.182.109.43,177.201.127.209,177.240.165.184,177.55.160.207,177.55.98.244,177.67.82.109,177.99.236.237,178.124.171.187,178.159.36.6,178.159.37.11,178.170.172.85,178.17.173.74,178.238.239.123,178.239.62.109] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 15"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500028; rev:4467;)
alert ip [178.62.34.57,178.62.95.5,178.73.195.109,178.93.174.229,179.159.163.243,179.198.1.41,179.41.195.194,180.101.143.2,180.150.224.2,180.150.224.4,180.153.151.93,180.153.19.139,180.166.22.98,180.168.166.121,180.168.76.230,180.169.129.228,180.175.55.213,180.76.140.154,180.76.150.192,180.76.165.244,181.168.78.160,181.214.205.130,181.214.87.4,181.26.141.193,182.126.102.242,182.163.126.241,182.18.153.206,182.245.29.89,182.253.226.82,182.253.66.2] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500030; rev:4467;)
alert ip [182.36.201.180,182.38.118.131,182.45.108.45,182.45.43.33,182.45.45.24,18.248.2.85,183.136.188.116,183.152.50.38,183.152.95.93,183.214.148.89,183.239.228.51,183.87.56.75,183.91.0.68,184.149.38.74,185.100.84.108,185.107.94.40,185.140.120.153,185.156.173.106,185.165.29.111,185.165.29.116,185.165.29.122,185.165.29.128,185.165.29.23,185.165.29.50,185.165.29.69,185.165.29.77,185.165.29.78,185.168.242.215,185.200.35.233,185.200.35.3] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500032; rev:4467;)
alert ip [185.2.82.45,185.48.207.32,185.55.218.100,185.55.218.34,185.55.218.95,185.56.81.2,185.67.3.144,185.74.36.30,185.8.50.36,186.227.226.158,186.227.234.116,186.4.156.124,187.177.120.75,187.18.54.167,187.18.58.193,187.189.153.69,187.22.231.227,187.84.3.188,188.0.67.184,188.120.254.159,188.121.2.243,188.121.26.102,188.152.201.116,188.165.230.6,188.166.175.211,188.166.34.129,188.187.121.39,188.190.59.137,188.243.168.56,189.114.229.185] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500034; rev:4467;)
alert ip [189.169.197.102,189.224.143.228,189.28.12.34,189.39.120.230,189.55.139.237,190.107.225.54,190.107.81.2,190.110.88.164,190.110.89.82,190.110.90.118,190.110.91.217,190.110.94.208,190.110.94.97,190.116.182.154,190.174.203.127,190.196.156.134,190.197.53.146,190.205.38.222,190.210.244.236,190.215.115.50,190.45.3.201,190.48.135.240,190.85.6.90,190.97.205.89,190.98.207.226,191.101.235.232,191.96.112.105,191.96.112.106,191.96.112.107,191.96.112.111] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500036; rev:4467;)
alert ip [191.96.112.112,191.96.249.114,191.96.249.145,191.96.249.156,191.96.249.38,191.96.249.82,192.129.162.2,192.241.225.16,192.248.87.22,193.104.205.177,193.111.63.192,193.201.224.208,193.201.224.212,193.201.224.214,193.201.224.216,193.201.224.218,193.201.224.232,193.34.144.30,193.40.7.6,193.93.217.142,194.105.205.42,194.213.34.106,194.2.209.2,194.33.76.162,195.154.255.158,195.154.34.127,195.154.37.186,195.154.55.131,195.171.242.187,195.22.126.177] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500038; rev:4467;)
alert ip [195.225.224.38,195.62.53.126,196.52.32.17,197.231.221.211,198.12.152.136,198.167.136.101,198.199.112.44,198.199.113.122,198.211.121.75,198.24.186.34,198.255.146.211,198.98.50.113,198.98.51.117,198.98.57.188,198.98.57.32,198.98.59.151,198.98.60.112,198.98.60.239,198.98.60.72,198.98.61.180,198.98.61.33,199.168.100.164,199.195.248.31,199.195.249.132,199.195.250.64,199.27.250.119,199.76.14.51,200.17.252.12,200.56.109.119,200.68.66.165] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500040; rev:4467;)
alert ip [201.144.84.82,201.178.158.127,201.178.184.127,201.193.197.106,201.232.89.209,201.249.207.212,201.48.226.19,202.107.104.119,202.108.199.14,202.129.207.109,202.131.237.149,202.201.64.102,202.29.153.142,202.55.93.98,202.73.50.214,202.80.184.2,202.85.222.225,203.126.140.172,203.128.73.185,203.174.85.138,203.195.160.105,203.215.172.170,203.254.127.19,203.80.94.137,203.86.69.132,204.152.209.14,204.188.251.130,205.185.113.181,207.138.132.44,207.195.19.153] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500042; rev:4467;)
alert ip [207.81.165.45,208.66.77.245,208.98.22.130,209.10.82.200,209.15.218.187,209.188.19.226,209.213.170.114,209.239.114.231,209.239.123.90,209.243.10.198,209.92.176.105,209.92.176.114,210.140.10.72,210.212.210.86,210.245.32.72,210.84.44.200,210.94.133.8,211.110.139.215,211.168.232.5,211.195.14.39,211.215.174.144,211.216.123.97,211.226.176.47,211.249.35.203,211.249.35.205,211.57.201.184,211.64.35.129,212.109.221.169,212.129.13.232,212.129.59.195] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500044; rev:4467;)
alert ip [212.143.128.139,212.159.139.204,212.237.37.123,212.237.40.247,212.237.40.48,212.237.41.114,212.237.42.218,212.237.42.252,212.237.42.61,212.237.43.138,212.237.43.44,212.237.44.26,212.237.45.105,212.237.45.188,212.237.45.212,212.237.45.84,212.237.46.210,212.47.243.174,212.47.250.7,212.51.189.201,212.83.136.196,212.83.141.81,212.83.147.105,212.85.202.67,213.113.215.115,213.136.81.74,213.136.94.221,213.149.105.28,213.32.69.137,213.74.201.146] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500046; rev:4467;)
alert ip [213.74.55.250,213.78.109.14,216.168.110.244,216.223.112.22,216.245.209.78,216.98.212.11,217.111.170.195,217.170.205.103,217.23.138.22,217.23.15.165,217.46.196.74,217.57.147.180,217.61.18.106,217.65.2.116,218.103.98.209,218.106.244.93,218.108.206.56,218.148.4.24,218.15.163.100,218.156.193.236,218.2.15.138,218.28.55.134,218.29.188.109,218.32.45.19,218.52.219.225,218.5.76.147,218.63.248.173,218.79.14.243,218.9.118.187,219.116.11.89] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 25"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500048; rev:4467;)
alert ip [219.159.249.219,219.221.10.99,219.239.227.252,219.239.227.253,220.130.148.106,220.149.235.114,220.72.146.117,220.85.152.96,221.135.104.112,221.145.110.21,221.148.106.180,221.163.191.92,221.192.4.18,222.107.38.1,222.161.37.110,222.220.93.11,222.237.36.38,222.38.230.2,222.73.12.22,2.228.167.211,222.84.159.196,222.91.125.174,222.99.52.246,223.112.4.242,223.112.77.186,223.112.87.85,223.166.92.4,223.30.251.140,223.68.134.29,2.24.131.203] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 26"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500050; rev:4467;)
alert ip [23.129.64.12,23.30.57.83,24.119.126.64,24.46.10.22,24.80.229.169,24.87.106.109,2.50.47.6,27.118.21.218,27.16.159.23,27.19.1.251,27.210.14.232,27.219.169.241,27.255.65.189,27.255.79.21,27.255.79.7,27.54.162.253,27.64.38.194,27.73.14.63,27.73.87.164,31.172.247.106,31.172.80.188,31.173.128.149,31.207.47.53,31.37.37.187,35.162.178.210,35.190.149.252,35.193.213.56,35.193.231.245,35.199.187.166,36.67.37.95] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 27"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500052; rev:4467;)
alert ip [36.7.87.34,37.221.242.40,37.49.224.119,37.49.225.93,37.57.17.101,39.108.169.46,40.113.22.5,40.121.158.5,40.121.221.115,40.69.164.199,40.71.206.237,40.71.222.21,40.71.82.183,40.83.253.82,40.83.255.188,40.86.186.117,41.190.93.225,41.210.160.3,41.76.226.88,41.77.222.57,41.78.78.66,42.112.26.24,42.115.138.8,42.159.204.117,42.159.249.108,42.159.250.5,42.55.73.197,42.62.73.85,42.93.81.115,42.94.140.79] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 28"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500054; rev:4467;)
alert ip [45.116.80.242,45.249.247.80,45.251.43.189,45.32.236.123,45.32.39.134,45.32.47.58,45.32.60.87,45.55.186.166,45.55.216.145,45.55.4.137,45.56.30.99,45.63.104.148,45.63.35.50,45.76.104.223,45.76.186.62,45.76.198.131,45.76.216.217,45.76.218.238,45.76.220.58,45.76.221.116,45.76.223.152,45.76.53.82,45.79.200.100,46.101.9.80,46.148.20.25,46.164.186.33,46.165.223.217,46.166.185.14,46.17.44.94,46.183.217.165] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 29"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500056; rev:4467;)
alert ip [46.18.3.47,46.188.19.235,46.39.222.2,46.41.134.10,46.4.71.142,46.6.48.15,47.154.229.1,47.22.51.154,47.90.201.99,47.90.202.171,47.90.204.225,47.92.158.26,47.93.223.84,49.116.146.210,49.176.210.112,49.177.224.46,49.207.182.120,49.236.203.74,49.248.152.178,49.51.37.225,50.115.166.21,50.115.166.22,50.116.55.19,50.117.38.106,50.117.86.160,50.118.255.159,50.19.160.96,50.226.124.68,50.247.173.145,50.248.163.25] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 30"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500058; rev:4467;)
alert ip [50.62.56.171,5.101.40.37,5.101.40.38,5.101.40.62,5.102.224.212,51.15.141.220,51.15.39.26,51.15.64.212,51.254.101.200,51.254.34.30,51.255.202.66,5.135.21.155,5.135.212.153,5.188.10.156,5.188.10.175,5.188.10.176,5.188.10.178,5.188.10.179,5.188.10.180,5.188.10.182,5.189.153.129,52.124.71.138,52.144.39.97,52.165.220.242,52.166.112.31,52.168.179.155,52.168.180.139,52.187.131.166,5.226.174.124,5.249.146.145] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 31"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500060; rev:4467;)
alert ip [52.64.87.237,52.88.81.95,5.39.217.25,54.245.26.231,5.79.105.11,5.8.18.184,5.8.18.190,58.187.120.180,58.218.213.65,58.221.249.102,58.227.192.158,58.241.120.6,58.242.74.231,58.246.118.252,58.249.54.22,58.30.96.130,58.30.96.133,58.30.96.143,58.46.245.50,58.62.144.229,59.12.201.230,59.13.69.5,59.15.95.50,59.16.74.234,59.175.153.94,59.19.177.128,59.27.218.55,59.49.46.60,59.56.69.126,60.12.229.225] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 32"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500062; rev:4467;)
alert ip [60.124.22.115,60.13.74.216,60.176.158.242,60.206.137.145,60.208.139.180,60.222.116.99,61.147.68.166,61.161.143.179,61.164.46.188,61.176.218.19,61.197.164.161,61.216.155.200,61.216.38.102,61.219.149.59,61.240.159.244,61.8.249.89,62.152.32.179,62.164.145.253,62.210.130.150,62.210.15.114,62.210.169.48,62.210.97.105,62.219.209.70,62.64.154.18,62.76.177.98,62.76.185.15,62.76.187.122,62.76.191.87,62.76.42.249,62.76.42.62] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 33"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500064; rev:4467;)
alert ip [62.76.42.99,62.76.44.35,63.135.10.242,64.113.32.29,64.137.192.185,64.50.176.226,64.59.144.120,64.66.226.188,64.71.135.233,65.130.73.219,66.201.100.124,66.35.51.195,66.35.51.198,66.58.155.50,66.58.199.149,66.76.143.225,66.96.203.242,67.205.138.240,67.205.185.191,69.131.92.126,71.230.124.219,72.34.55.130,72.35.252.25,73.207.67.124,73.223.158.230,73.231.34.71,73.235.81.87,73.32.240.93,74.208.155.102,74.208.45.40] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 34"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500066; rev:4467;)
alert ip [74.52.53.204,76.164.197.48,76.191.17.120,76.74.219.170,76.8.60.134,77.105.1.80,77.123.76.69,77.242.132.150,77.72.82.171,77.72.82.199,77.72.83.249,77.72.85.100,77.81.226.157,78.113.206.194,78.129.10.146,78.138.91.6,78.146.59.79,78.188.21.107,78.195.178.119,78.203.141.125,78.203.248.197,78.211.73.147,78.224.40.128,78.245.236.138,78.43.104.193,78.47.64.211,79.106.161.36,79.137.39.158,79.143.191.24,79.148.105.88] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 35"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500068; rev:4467;)
alert ip [79.46.205.166,80.11.28.58,80.14.151.90,80.211.226.174,80.211.231.211,80.211.232.174,80.216.42.120,80.243.184.26,80.26.255.232,80.77.43.49,80.82.64.203,80.98.98.181,81.137.199.29,81.143.231.26,81.167.233.182,81.169.143.207,81.171.24.61,81.171.58.49,81.171.85.84,81.17.30.208,81.17.31.250,81.57.126.72,81.95.140.244,82.102.216.128,82.127.48.23,82.185.231.221,82.193.124.36,82.202.245.51,82.211.49.197,82.213.2.18] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 36"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500070; rev:4467;)
alert ip [82.228.240.199,82.246.170.196,82.6.131.182,82.98.139.229,83.209.114.167,83.220.169.203,83.246.164.83,84.105.201.12,84.107.154.75,84.200.7.180,84.237.16.110,84.55.161.158,85.195.226.180,85.195.48.166,85.230.149.52,85.247.95.85,85.90.210.87,86.109.170.96,86.164.122.219,86.57.164.109,86.57.168.86,86.88.141.158,87.106.71.197,87.126.129.215,87.85.170.35,88.127.227.155,88.147.17.251,88.212.206.44,88.99.38.116,89.108.109.46] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 37"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500072; rev:4467;)
alert ip [89.108.87.179,89.212.50.176,89.216.97.113,89.225.201.101,89.239.24.62,89.250.84.2,89.251.98.4,89.38.98.6,89.38.98.66,89.87.178.129,90.137.13.61,90.176.140.1,90.84.45.108,91.121.117.6,91.121.14.122,91.134.133.251,91.134.214.132,91.197.232.103,91.197.232.109,92.113.108.27,92.177.78.25,92.220.16.32,92.222.77.85,92.87.236.139,92.87.236.17,92.87.236.189,93.103.212.84,93.170.190.94,93.171.247.91,93.174.89.85] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 38"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500074; rev:4467;)
alert ip [93.174.93.10,93.174.93.71,93.174.94.253,93.190.140.112,93.212.109.60,93.42.185.41,94.102.51.26,94.177.207.42,94.177.217.169,94.177.218.163,94.177.244.134,94.200.147.213,94.231.4.132,94.231.82.19,94.23.210.41,94.23.59.133,94.74.81.29,95.110.224.97,95.169.50.213,95.179.32.4,95.213.202.178,95.215.62.242,95.240.135.79,95.85.25.122,96.22.196.161,96.231.43.95,96.239.59.131,96.33.76.87,98.110.245.232,98.160.239.31] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 39"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500076; rev:4467;)
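Review bot: every rule in this hunk is a point-in-time snapshot of the ET "Known Compromised or Hostile Host" reputation list (all carry rev:4467, a revision counter that upstream bumps often), so committing the file verbatim leaves no record of when it was fetched and the host list will be stale soon after deployment; consider recording the fetch date and source URL next to the file, or fetching the ruleset at provisioning time with a rule manager instead of vendoring it. Also worth stating in the accompanying docs: each rule has the shape `alert ip [...] any -> $HOME_NET any` with `threshold: type limit, track by_src, seconds 60, count 1`, so a listed source produces at most one alert per minute regardless of protocol or port, and any inbound packet from these addresses, including scan backscatter, will trigger it.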


@ -0,0 +1,73 @@
#
# $Id: emerging-drop.rules $
# Emerging Threats Spamhaus DROP List rules.
#
# Rules to block Spamhaus DROP listed networks (www.spamhaus.org)
#
# More information available at www.emergingthreats.net
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# VERSION 2619
# Generated 2017-09-17 00:05:01 EDT
alert ip [5.134.128.0/19,5.157.0.0/18,14.4.0.0/14,23.226.48.0/20,23.246.128.0/18,23.251.224.0/19,24.51.0.0/19,24.233.0.0/19,27.126.160.0/20,31.11.43.0/24,31.184.238.0/24,31.222.200.0/21,36.0.8.0/21,36.37.48.0/20,36.93.0.0/16,36.116.0.0/16,36.119.0.0/16,36.255.212.0/22,37.18.42.0/24,37.139.49.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 1"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400000; rev:2619;)
alert ip [42.1.56.0/22,42.1.128.0/17,42.52.0.0/14,42.83.80.0/22,42.96.0.0/18,42.123.36.0/22,42.128.0.0/12,42.160.0.0/12,42.194.8.0/22,42.194.12.0/22,42.194.128.0/17,42.208.0.0/12,43.229.52.0/22,43.236.0.0/16,43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,43.252.180.0/22,45.4.128.0/22,45.4.136.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; rev:2619;)
alert ip [46.29.248.0/22,46.29.248.0/21,46.151.48.0/21,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,46.243.173.0/24,49.8.0.0/14,49.238.64.0/18,59.254.0.0/15,60.233.0.0/16,61.11.224.0/19,61.13.128.0/17,61.14.224.0/22,61.45.251.0/24,66.98.112.0/20,66.231.64.0/20,67.213.112.0/20,67.213.136.0/21,67.219.208.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 3"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400002; rev:2619;)
alert ip [79.110.17.0/24,79.110.18.0/24,79.110.19.0/24,79.110.25.0/24,79.173.104.0/21,83.175.0.0/18,84.238.160.0/22,85.93.5.0/24,85.121.39.0/24,86.55.40.0/23,86.55.42.0/23,91.194.254.0/23,91.200.12.0/22,91.200.248.0/22,91.207.4.0/22,91.209.12.0/24,91.212.104.0/24,91.212.124.0/24,91.213.126.0/24,91.217.10.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 4"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400003; rev:2619;)
alert ip [91.230.252.0/23,91.234.36.0/24,91.235.2.0/24,91.236.74.0/23,91.238.82.0/24,91.240.165.0/24,93.179.89.0/24,93.179.90.0/24,93.179.91.0/24,95.216.0.0/15,101.192.0.0/14,101.202.0.0/16,101.203.128.0/19,101.248.0.0/15,101.252.0.0/15,103.2.44.0/22,103.16.76.0/24,103.23.8.0/22,103.36.64.0/22,103.57.248.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 5"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400004; rev:2619;)
alert ip [103.197.8.0/22,103.205.84.0/22,103.207.160.0/22,103.210.12.0/22,103.215.80.0/22,103.227.4.0/22,103.228.8.0/22,103.229.36.0/22,103.229.40.0/22,103.230.144.0/22,103.231.84.0/22,103.232.136.0/22,103.232.172.0/22,103.236.32.0/22,103.239.56.0/22,104.36.184.0/22,104.153.96.0/21,104.153.112.0/21,104.153.244.0/22,104.160.224.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 6"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400005; rev:2619;)
alert ip [104.245.248.0/21,104.255.56.0/21,108.166.224.0/19,110.172.64.0/18,114.118.0.0/17,115.166.136.0/22,116.78.0.0/15,116.119.0.0/17,116.128.0.0/10,116.144.0.0/15,116.146.0.0/15,116.197.156.0/22,116.206.16.0/22,117.58.0.0/17,117.120.64.0/18,119.42.52.0/22,119.58.0.0/16,119.232.0.0/16,120.48.0.0/15,121.46.124.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 7"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400006; rev:2619;)
alert ip [124.70.0.0/15,124.157.0.0/18,124.242.0.0/16,125.31.192.0/18,125.58.0.0/18,125.169.0.0/16,128.13.0.0/16,128.85.0.0/16,128.94.0.0/16,128.168.0.0/16,128.188.0.0/16,130.148.0.0/16,130.196.0.0/16,130.222.0.0/16,131.72.208.0/22,131.108.16.0/22,131.108.232.0/22,131.200.0.0/16,134.18.0.0/16,134.22.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 8"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400007; rev:2619;)
alert ip [134.209.0.0/16,136.230.0.0/16,137.19.0.0/16,137.33.0.0/16,137.55.0.0/16,137.76.0.0/16,137.105.0.0/16,137.171.0.0/16,137.218.0.0/16,138.31.0.0/16,138.36.92.0/22,138.36.136.0/22,138.36.148.0/22,138.43.0.0/16,138.52.0.0/16,138.59.4.0/22,138.59.204.0/22,138.94.120.0/22,138.94.144.0/22,138.94.216.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 9"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400008; rev:2619;)
alert ip [138.216.0.0/16,138.228.0.0/16,138.249.0.0/16,139.45.0.0/16,139.136.0.0/16,139.188.0.0/16,140.143.128.0/17,140.167.0.0/16,141.94.0.0/15,141.101.132.0/24,141.101.201.0/24,141.136.22.0/24,141.136.27.0/24,141.178.0.0/16,141.253.0.0/16,142.4.160.0/19,142.102.0.0/16,143.0.236.0/22,143.49.0.0/16,143.64.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 10"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400009; rev:2619;)
alert ip [147.7.0.0/16,147.16.0.0/14,147.119.0.0/16,148.111.0.0/16,148.148.0.0/16,148.154.0.0/16,148.178.0.0/16,148.185.0.0/16,148.248.0.0/16,149.109.0.0/16,149.114.0.0/16,149.118.0.0/16,149.143.64.0/18,150.10.0.0/16,150.22.128.0/17,150.25.0.0/16,150.40.0.0/16,150.107.106.0/23,150.107.220.0/22,150.121.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 11"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400010; rev:2619;)
alert ip [150.242.36.0/22,150.242.100.0/22,150.242.120.0/22,150.242.144.0/22,151.123.0.0/16,151.192.0.0/16,151.212.0.0/16,151.237.176.0/20,151.237.184.0/22,152.109.0.0/16,152.136.0.0/16,152.147.0.0/16,153.14.0.0/16,153.52.0.0/14,153.93.0.0/16,155.11.0.0/16,155.40.0.0/16,155.66.0.0/16,155.73.0.0/16,155.108.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 12"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400011; rev:2619;)
alert ip [157.195.0.0/16,157.231.0.0/16,157.232.0.0/16,158.54.0.0/16,158.90.0.0/17,158.249.0.0/16,159.65.0.0/16,159.80.0.0/16,159.85.0.0/16,159.111.0.0/16,159.151.0.0/16,159.174.0.0/16,159.219.0.0/16,159.223.0.0/16,159.229.0.0/16,160.14.0.0/16,160.21.0.0/16,160.117.0.0/16,160.180.0.0/16,160.181.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 13"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400012; rev:2619;)
alert ip [161.0.68.0/22,161.66.0.0/16,161.70.0.0/16,161.71.0.0/16,161.189.0.0/16,161.232.0.0/16,162.208.124.0/22,162.212.188.0/22,162.213.128.0/22,162.213.232.0/22,162.219.32.0/21,162.222.148.0/22,162.245.124.0/22,162.254.72.0/21,163.47.19.0/24,163.50.0.0/16,163.53.247.0/24,163.59.0.0/16,163.250.0.0/16,163.254.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 14"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400013; rev:2619;)
alert ip [165.192.0.0/16,165.205.0.0/16,165.209.0.0/16,166.117.0.0/16,167.74.0.0/18,167.87.0.0/16,167.97.0.0/16,167.103.0.0/16,167.158.0.0/16,167.162.0.0/16,167.175.0.0/16,167.224.0.0/19,168.64.0.0/16,168.90.108.0/22,168.129.0.0/16,168.181.52.0/22,170.67.0.0/16,170.113.0.0/16,170.114.0.0/16,170.120.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 15"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400014; rev:2619;)
alert ip [172.96.16.0/22,172.103.40.0/21,172.103.64.0/18,173.228.160.0/19,173.246.160.0/19,175.103.64.0/18,176.61.136.0/22,176.61.136.0/21,176.65.128.0/19,176.97.116.0/22,177.36.16.0/20,177.74.160.0/20,177.91.0.0/22,177.234.136.0/21,178.16.80.0/20,178.216.48.0/21,179.42.64.0/19,180.178.192.0/18,180.236.0.0/14,181.118.32.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 16"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400015; rev:2619;)
alert ip [185.35.136.0/22,185.46.84.0/22,185.50.250.0/24,185.50.251.0/24,185.64.20.0/22,185.68.156.0/22,185.72.68.0/22,185.93.185.0/24,185.93.187.0/24,185.103.72.0/22,185.106.94.0/24,185.127.24.0/22,185.129.148.0/23,185.132.4.0/22,185.133.20.0/22,185.134.20.0/22,185.135.184.0/22,185.137.219.0/24,185.141.188.0/22,185.146.20.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 17"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400016; rev:2619;)
alert ip [185.149.112.0/22,185.150.84.0/22,185.151.48.0/22,185.151.60.0/22,185.152.36.0/22,185.152.248.0/22,185.154.20.0/22,185.155.52.0/22,185.156.88.0/21,185.156.92.0/22,185.159.36.0/22,185.159.37.0/24,185.159.68.0/22,185.166.216.0/22,185.167.116.0/22,185.171.120.0/22,185.173.44.0/22,185.175.140.0/22,185.180.124.0/22,185.184.192.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 18"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400017; rev:2619;)
alert ip [185.198.212.0/22,185.202.88.0/22,185.204.236.0/22,185.205.68.0/22,185.208.128.0/22,186.1.128.0/19,186.65.112.0/20,186.96.96.0/19,188.72.96.0/24,188.72.126.0/24,188.72.127.0/24,188.172.160.0/19,188.239.128.0/18,188.247.135.0/24,188.247.230.0/24,189.213.128.0/17,190.2.208.0/21,190.9.48.0/21,190.99.80.0/21,190.123.208.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 19"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400018; rev:2619;)
alert ip [192.40.29.0/24,192.43.153.0/24,192.43.154.0/23,192.43.156.0/22,192.43.160.0/24,192.43.175.0/24,192.43.176.0/21,192.43.184.0/24,192.46.192.0/18,192.54.110.0/24,192.67.16.0/24,192.67.160.0/22,192.86.85.0/24,192.88.74.0/24,192.100.142.0/24,192.101.44.0/24,192.101.181.0/24,192.101.200.0/21,192.101.240.0/21,192.101.248.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 20"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400019; rev:2619;)
alert ip [192.158.51.0/24,192.160.44.0/24,192.190.49.0/24,192.190.97.0/24,192.195.150.0/24,192.197.87.0/24,192.203.252.0/24,192.206.114.0/24,192.206.183.0/24,192.219.120.0/21,192.219.128.0/18,192.219.192.0/20,192.219.208.0/21,192.225.96.0/20,192.226.16.0/20,192.229.32.0/19,192.231.66.0/24,192.234.189.0/24,192.245.101.0/24,193.9.158.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 21"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400020; rev:2619;)
alert ip [193.177.64.0/18,193.243.0.0/17,194.1.152.0/24,194.29.185.0/24,195.182.57.0/24,195.190.13.0/24,195.191.56.0/23,195.191.102.0/23,195.225.176.0/22,196.1.109.0/24,196.42.128.0/17,196.61.240.0/20,196.63.0.0/16,196.164.0.0/15,196.193.0.0/16,196.196.0.0/16,196.197.0.0/16,196.198.0.0/16,196.199.0.0/16,196.240.0.0/15] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 22"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400021; rev:2619;)
alert ip [198.13.0.0/20,198.14.128.0/19,198.14.160.0/19,198.20.16.0/20,198.44.192.0/20,198.45.32.0/20,198.45.64.0/19,198.56.64.0/18,198.57.64.0/20,198.62.70.0/24,198.62.76.0/24,198.96.224.0/20,198.99.117.0/24,198.102.222.0/24,198.148.212.0/24,198.151.16.0/20,198.151.64.0/18,198.151.152.0/22,198.160.205.0/24,198.169.201.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 23"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400022; rev:2619;)
alert ip [198.179.22.0/24,198.181.64.0/19,198.181.96.0/20,198.183.32.0/19,198.184.193.0/24,198.184.208.0/24,198.186.25.0/24,198.186.208.0/24,198.187.64.0/18,198.187.192.0/24,198.190.173.0/24,198.199.212.0/24,198.202.237.0/24,198.204.0.0/21,198.206.140.0/24,198.212.132.0/24,199.5.152.0/23,199.5.229.0/24,199.10.64.0/24,199.26.137.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 24"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400023; rev:2619;)
alert ip [199.58.248.0/21,199.60.102.0/24,199.71.56.0/21,199.71.192.0/20,199.84.55.0/24,199.84.56.0/22,199.84.60.0/24,199.84.64.0/19,199.87.208.0/21,199.88.32.0/20,199.88.48.0/22,199.89.16.0/20,199.89.198.0/24,199.120.163.0/24,199.165.32.0/19,199.166.200.0/22,199.184.82.0/24,199.185.192.0/20,199.196.192.0/19,199.198.160.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 25"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400024; rev:2619;)
alert ip [199.223.0.0/20,199.230.64.0/19,199.230.96.0/21,199.233.85.0/24,199.233.96.0/24,199.241.64.0/19,199.244.56.0/21,199.245.138.0/24,199.246.137.0/24,199.246.213.0/24,199.246.215.0/24,199.248.64.0/18,199.249.64.0/19,199.253.32.0/20,199.253.48.0/21,199.253.224.0/20,199.254.32.0/20,200.0.60.0/23,200.3.128.0/20,200.22.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 26"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400025; rev:2619;)
alert ip [202.20.32.0/19,202.21.64.0/19,202.27.96.0/23,202.27.98.0/24,202.27.99.0/24,202.27.100.0/22,202.27.120.0/22,202.27.161.0/24,202.27.162.0/23,202.27.164.0/22,202.27.168.0/24,202.39.112.0/20,202.40.32.0/19,202.40.64.0/18,202.68.0.0/18,202.86.0.0/22,202.148.32.0/20,202.148.176.0/20,202.183.0.0/19,202.189.80.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 27"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400026; rev:2619;)
alert ip [203.34.252.0/23,203.86.252.0/22,203.148.80.0/22,203.149.92.0/22,203.169.0.0/22,203.189.112.0/22,203.191.64.0/18,204.19.38.0/23,204.44.32.0/20,204.44.192.0/20,204.44.224.0/20,204.48.16.0/20,204.52.255.0/24,204.57.16.0/20,204.75.147.0/24,204.75.228.0/24,204.80.198.0/24,204.86.16.0/20,204.87.199.0/24,204.89.224.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 28"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400027; rev:2619;)
alert ip [204.128.180.0/24,204.130.16.0/20,204.130.167.0/24,204.147.64.0/21,204.187.155.0/24,204.187.156.0/22,204.187.160.0/19,204.187.192.0/19,204.187.224.0/20,204.187.240.0/21,204.187.248.0/22,204.187.252.0/23,204.187.254.0/24,204.194.64.0/21,204.194.184.0/21,204.225.16.0/20,204.225.159.0/24,204.225.210.0/24,204.232.0.0/18,204.238.137.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 29"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400028; rev:2619;)
alert ip [205.144.176.0/20,205.148.128.0/18,205.148.192.0/18,205.151.128.0/19,205.159.45.0/24,205.159.174.0/24,205.159.180.0/24,205.166.77.0/24,205.166.84.0/24,205.166.130.0/24,205.166.168.0/24,205.166.211.0/24,205.172.176.0/22,205.172.244.0/22,205.175.160.0/19,205.189.71.0/24,205.189.72.0/23,205.203.0.0/19,205.203.224.0/19,205.207.134.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 30"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400029; rev:2619;)
alert ip [205.214.128.0/19,205.233.224.0/20,205.236.185.0/24,205.236.189.0/24,205.237.88.0/21,206.41.160.0/19,206.51.29.0/24,206.81.0.0/19,206.130.4.0/23,206.130.188.0/24,206.143.128.0/17,206.189.0.0/16,206.195.224.0/19,206.197.28.0/24,206.197.29.0/24,206.197.77.0/24,206.197.165.0/24,206.203.64.0/18,206.209.80.0/20,206.224.160.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 31"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400030; rev:2619;)
alert ip [207.32.208.0/20,207.45.224.0/20,207.110.64.0/18,207.110.96.0/19,207.110.128.0/18,207.177.128.0/18,207.178.64.0/19,207.183.192.0/19,207.226.192.0/20,207.234.0.0/17,208.93.4.0/22,208.117.88.0/22,208.117.92.0/24,209.51.32.0/20,209.54.160.0/19,209.66.128.0/19,209.95.192.0/19,209.97.128.0/18,209.99.128.0/18,209.145.0.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 32"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400031; rev:2619;)
alert ip [209.182.64.0/19,209.229.0.0/16,209.242.192.0/19,212.92.127.0/24,216.47.96.0/20,216.152.240.0/20,216.183.208.0/20,220.154.0.0/16,221.132.192.0/18,223.0.0.0/15,223.169.0.0/16,223.173.0.0/16,223.201.0.0/16,223.254.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 33"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400032; rev:2619;)
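Review bot: the group 16 rule (sid:2400015) lists both 176.61.136.0/22 and 176.61.136.0/21; the /22 lies entirely inside the /21, so the narrower entry is redundant and should be dropped when this list is next regenerated. More broadly, all of these Spamhaus DROP groups are a point-in-time snapshot (rev:2619) of a feed that changes regularly, so a checked-in copy goes stale until someone re-vendors it; please record the fetch date and refresh procedure next to the file, or have the rule manager pull the current list at deploy time instead of relying on this copy. Note also that the action is `alert`, not `drop`, despite the "ET DROP" naming, and the `threshold: type limit, track by_src, seconds 3600, count 1` clause means at most one alert per source per hour, so in IDS mode these rules only log a first contact from a listed range; any actual blocking has to come from a separate policy.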

@ -0,0 +1,35 @@
#
# $Id: emerging-dshield.rules $
# Emerging Threats Dshield rules.
#
# Rules to block Dshield identified Top Attackers (www.dshield.org)
#
# More information available at www.emergingthreats.net
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2014, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
alert ip [61.174.51.0/24,94.102.49.0/24,185.5.174.0/24,116.10.191.0/24,218.77.79.0/24,74.82.47.0/24,184.105.247.0/24,93.180.5.0/24,93.174.93.0/24,80.82.70.0/24,184.105.139.0/24,198.20.69.0/24,124.232.142.0/24,71.6.167.0/24,66.240.192.0/24,71.6.165.0/24,198.20.99.0/24,190.139.61.0/24,66.240.236.0/24,162.253.66.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feed.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:3403;)
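Review bot: the header of this file is inconsistent with the content it ships: the `$Id: emerging-dshield.rules $` keyword on the second line was never expanded, the copyright range (2003-2014) differs from the 2003-2017 range in the companion Emerging Threats file, and the third BSD clause reads "Neither the name of the nor the names of its contributors", with the licensor's name missing. If the license text is carried verbatim from upstream, note the source and leave it; otherwise fill in the name. Since the header describes this as a block list of current DShield top attackers (feed.dshield.org/block.txt), a single 20-network group at rev:3403 is a snapshot that ages within days; either document where and when it was fetched or generate it at deploy time rather than committing the rendered rule.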

@ -0,0 +1,198 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
#alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008446; classtype:bad-unknown; sid:2008446; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 50, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008470; classtype:bad-unknown; sid:2008470; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src,count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008447; classtype:bad-unknown; sid:2008447; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src, count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008475; classtype:bad-unknown; sid:2008475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Format error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; reference:url,doc.emergingthreats.net/2001116; classtype:not-suspicious; sid:2001116; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Name Error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; reference:url,doc.emergingthreats.net/2001117; classtype:not-suspicious; sid:2001117; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Not Implemented"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; reference:url,doc.emergingthreats.net/2001118; classtype:not-suspicious; sid:2001118; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Refused"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; reference:url,doc.emergingthreats.net/2001119; classtype:not-suspicious; sid:2001119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100258; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100259; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:2100261; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103153; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:2101435; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2100255; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:2100253; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:2100254; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103154; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10728; classtype:attempted-recon; sid:2100256; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:2100252; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10028; classtype:attempted-recon; sid:2101616; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2101948; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:3; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Hiloti DNS CnC Channel Successful Install Message"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|empty"; nocase; distance:0; content:"|0C|explorer_exe"; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:bad-unknown; sid:2011911; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for a Suspicious Malware Related Numerical .in Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012115; rev:6; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a .tk domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|tk|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012811; rev:2; metadata:created_at 2011_05_15, updated_at 2011_05_15;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query to a Suspicious *.vv.cc domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|vv|02|cc|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012826; rev:1; metadata:created_at 2011_05_19, updated_at 2011_05_19;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.ae.am domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ae|02|am"; fast_pattern; classtype:bad-unknown; sid:2012900; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for a Suspicious *.noc.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noc|02|su"; fast_pattern:only; classtype:bad-unknown; sid:2012901; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.be.ma domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|be|02|ma"; fast_pattern; distance:0; classtype:bad-unknown; sid:2012902; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.qc.cx domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|qc|02|cx"; fast_pattern; classtype:bad-unknown; sid:2012903; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.co.tv domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|tv"; fast_pattern; classtype:bad-unknown; sid:2012956; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Illegal Drug Sales Site (SilkRoad)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ianxz6zefk72ulzz|05|onion"; classtype:policy-violation; sid:2013016; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.be Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|be"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013124; rev:3; metadata:created_at 2011_06_28, updated_at 2011_06_28;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.cu.cc domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cu|02|cc"; fast_pattern; classtype:bad-unknown; sid:2013172; rev:2; metadata:created_at 2011_07_02, updated_at 2011_07_02;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .net.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|net|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013847; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .eu.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|eu|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013848; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .int.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|int|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013849; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .edu.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|edu|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013850; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .us.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|us|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013851; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ca.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ca|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013852; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .bg.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|bg|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013853; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ru.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013854; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .pl.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pl|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013855; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .cz.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013856; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .de.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|de|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013857; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .at.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|at|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013858; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ch.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013859; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .sg.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|sg|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013860; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .nl.ai Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|nl|02|ai"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013861; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .xe.cx Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|xe|02|cx"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013862; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; content:"|06|google|03|com|02|br|00|"; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; classtype:bad-unknown; sid:2013894; rev:5; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .noip.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noip|02|cn|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013970; rev:1; metadata:created_at 2011_11_28, updated_at 2011_11_28;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for .su TLD (Soviet Union) Often Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|su|00|"; fast_pattern; distance:0; nocase; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014169; rev:1; metadata:created_at 2012_01_31, updated_at 2012_01_31;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for Suspicious .ch.vu Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|vu"; fast_pattern; nocase; distance:0; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:4; metadata:created_at 2012_02_27, updated_at 2012_02_27;)
alert udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:12; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for a Suspicious *.upas.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|upas|02|su|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2015550; rev:1; metadata:created_at 2012_07_31, updated_at 2012_07_31;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:4; metadata:created_at 2013_02_14, updated_at 2013_02_14;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Dr. Web"; content:"|00 01 00 01|"; content:"|00 04 5b e9 f4 6a|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016418; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Zinkhole.org"; content:"|00 01 00 01|"; content:"|00 04 b0 1f 3e 4c|"; distance:4; within:6; classtype:trojan-activity; sid:2016419; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - German Company"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 a7|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016420; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 1and1 Internet AG"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 d2|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016421; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (1)"; content:"|00 01 00 01|"; content:"|00 04 c6 3d e3 06|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016422; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (2)"; content:"|00 01 00 01|"; content:"|00 04 32 3e 0c 67|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016423; rev:6; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016569; rev:3; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016570; rev:2; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016571; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 6a bb 60 31|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:6; metadata:created_at 2013_03_18, updated_at 2013_03_18;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pw|00|"; fast_pattern; nocase; distance:0; content:!"|01|u|02|pw|00|"; nocase; classtype:bad-unknown; sid:2016778; rev:4; metadata:created_at 2013_04_19, updated_at 2013_04_19;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DNS DNS Query for vpnoverdns - indicates DNS tunnelling"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|tun|10|vpnoverdns|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,osint.bambenekconsulting.com/manual/vpnoverdns.txt; classtype:bad-unknown; sid:2018438; rev:2; metadata:created_at 2014_05_01, updated_at 2014_05_01;)
alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234"; content:"|00 01 00 01|"; content:"|00 04 8e 00 24 ea|"; distance:4; within:6; classtype:trojan-activity; sid:2018517; rev:1; metadata:created_at 2014_06_03, updated_at 2014_06_03;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query to a *.top domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|top|00|"; fast_pattern; nocase; distance:0; threshold:type limit, track by_src, count 1, seconds 30; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023883; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_07, updated_at 2017_02_07;)
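Review bot: the whole-TLD query rules in this hunk (sid 2014169 for .su, sid 2016778 for *.pw, sid 2023883 for *.top) fire on every DNS query to those TLDs, with classtype bad-unknown and, for 2023883, signature_severity Major, so they will alert on plenty of legitimate traffic; before enabling them, add threshold/suppress entries for known-good domains the way 2016778 already carves out `content:!"|01|u|02|pw|00|"`, or leave them disabled. Also note that sid 2018438 (the vpnoverdns tunnel rule) is the only query rule here written as `$HOME_NET any -> $EXTERNAL_NET any` instead of destination port 53; if that is intentional (tunnel endpoints on non-standard ports), a one-line comment saying so would stop the next reader from "fixing" it, and if it is not, it should match port 53 like its neighbours.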

View file

@ -0,0 +1,254 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
#alert udp any any -> any 53 (msg:"ET DOS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; offset:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; reference:url,doc.emergingthreats.net/2009701; classtype:attempted-dos; sid:2009701; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET DOS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; reference:url,doc.emergingthreats.net/2010624; classtype:attempted-dos; sid:2010624; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DOS Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; flow:established,to_server; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010817; classtype:attempted-dos; sid:2010817; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000010; classtype:attempted-dos; sid:2000010; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Catalyst memory leak attack"; flow: to_server,established; content:"|41 41 41 0a|"; depth: 20; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000011; classtype:attempted-dos; sid:2000011; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco Router HTTP DoS"; flow:to_server,established; content:"/%%"; http_uri; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype:attempted-dos; sid:2000006; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/screens/frameset.html"; fast_pattern; http_uri; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/^Authorization\x3A Basic.{120}/Hmi"; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; classtype:attempted-dos; sid:2010674; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; reference:url,doc.emergingthreats.net/2010755; classtype:attempted-dos; sid:2010755; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 00 00 00 00 00|"; offset:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; reference:url,doc.emergingthreats.net/bin/view/Main/2002853; classtype:attempted-dos; sid:2002853; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; distance:0; within:18; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; classtype:attempted-dos; sid:2002843; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,6; byte_test:2,!=,0,7; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,doc.emergingthreats.net/bin/view/Main/2001882; classtype:denial-of-service; sid:2001882; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flow: established,to_server; content:"|10 00 00 10 cc|"; depth:5; reference:bugtraq,11265; reference:url,doc.emergingthreats.net/bin/view/Main/2001366; classtype:attempted-dos; sid:2001366; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DOS NetrWkstaUserEnum Request with large Preferred Max Len"; flow:established,to_server; content:"|ff|SMB"; content:"|10 00 00 00|"; distance:0; content:"|02 00|"; distance:14; within:2; byte_jump:4,12,relative,little,multiplier 2; content:"|00 00 00 00 00 00 00 00|"; distance:12; within:8; byte_test:4,>,2,0,relative; reference:cve,2006-6723; reference:url,doc.emergingthreats.net/bin/view/Main/2003236; classtype:attempted-dos; sid:2003236; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM|3a|"; nocase; window: 0; id:0; threshold: type limit, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2001795; classtype:denial-of-service; sid:2001795; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"geometrycollectionfromwkb"; distance:0; nocase; pcre:"/SELECT.+geometrycollectionfromwkb/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010491; classtype:attempted-dos; sid:2010491; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"WHERE"; distance:0; nocase; content:"SELECT"; nocase; content:"INTO"; distance:0; nocase; content:"|60|"; within:50; content:"|60|"; pcre:"/SELECT.+WHERE.+SELECT.+\x60/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297-2.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010492; classtype:attempted-dos; sid:2010492; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MySQL ALTER DATABASE Denial Of Service Attempt"; flow:established,to_server; content:"ALTER "; nocase; content:"DATABASE"; nocase; within:12; content:"|22|."; distance:0; content:"UPGRADE "; nocase; distance:0; content:"DATA"; nocase; within:8; pcre:"/ALTER.+DATABASE.+\x22\x2E(\x22|\x2E\x22|\x2E\x2E\x2F\x22).+UPGRADE.+DATA/si"; reference:url,securitytracker.com/alerts/2010/Jun/1024160.html; reference:url,dev.mysql.com/doc/refman/5.1/en/alter-database.html; reference:cve,2010-2008; reference:url,doc.emergingthreats.net/2011761; classtype:attempted-dos; sid:2011761; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Netgear DG632 Web Management Denial Of Service Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/firmwarecfg"; http_uri; nocase; reference:url, securitytracker.com/alerts/2009/Jun/1022403.html; reference:cve,2009-2256; reference:url,doc.emergingthreats.net/2010554; classtype:attempted-dos; sid:2010554; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack"; flags:A; window:0; threshold: type both, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009414; classtype:attempted-dos; sid:2009414; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010486; classtype:attempted-dos; sid:2010486; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010487; classtype:attempted-dos; sid:2010487; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt"; content:"|00 01 01|"; depth:3; content:"NETASCII"; reference:url,www.exploit-db.com/exploits/12683/; reference:url,doc.emergingthreats.net/2011673; classtype:attempted-dos; sid:2011673; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS SolarWinds TFTP Server Long Write Request Denial Of Service Attempt"; content:"|00 02|"; depth:2; isdataat:1000,relative; content:!"|0A|"; within:1000; content:"NETASCII"; distance:1000; reference:url,www.exploit-db.com/exploits/13836/; reference:url,doc.emergingthreats.net/2011674; classtype:attempted-dos; sid:2011674; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"ET DOS Possible VNC ClientCutText Message Denial of Service/Memory Corruption Attempt"; flow:established,to_server; content:"|06|"; depth:1; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.fortiguard.com/encyclopedia/vulnerability/vnc.server.clientcuttext.message.memory.corruption.html; reference:url,doc.emergingthreats.net/2011732; classtype:attempted-dos; sid:2011732; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:2100272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:2100268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp any any -> $HOME_NET 3000 (msg:"ET DOS ntop Basic-Auth DOS inbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011511; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert tcp $HOME_NET any -> any 3000 (msg:"ET DOS ntop Basic-Auth DOS outbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011512; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound"; flow:established,to_server; content:"User-agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| ru|3b| rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011821; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound"; flow:established,to_server; content:"User-agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| ru|3b| rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011822; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound 2"; flow:established,to_server; content:"User-agent|3a| Opera/9.02 (Windows NT 5.1|3b| U|3b| ru)"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011823; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound 2"; flow:established,to_server; content:"User-agent|3a| Opera/9.02 (Windows NT 5.1|3b| U|3b| ru)"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011824; rev:4; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS"; flow:to_server,established; content:"hihihihihihihihihihihihihihihihi"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012048; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
alert http $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; isdataat:261; content:!"|0A|"; depth:261; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:2; metadata:created_at 2011_06_07, updated_at 2011_06_07;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"22C83263-E4B8-4233-82CD-FB047C6BF13E"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22C83263-E4B8-4233-82CD-FB047C6BF13E/si"; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:web-application-attack; sid:2013462; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SkypePNRLib.PNR"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:attempted-user; sid:2013463; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS LOIC Javascript DDoS Outbound"; flow:established,to_server; content:"GET"; http_method; content:"/?id="; fast_pattern; http_uri; depth:5; content:"&msg="; http_uri; distance:13; within:5; pcre:"/^\/\?id=[0-9]{13}&msg=/U"; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014141; rev:5; metadata:created_at 2012_01_23, updated_at 2012_01_23;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; content:"User-Agent|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; fast_pattern:only; threshold: type both, track by_src, count 225, seconds 60; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:5; metadata:created_at 2012_01_27, updated_at 2012_01_27;)
alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:5; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Session Established Flowbit Set"; flow:to_server,established; flowbits:isset,ms.rdp.synack; flowbits:unset,ms.rdp.synack; flowbits:set,ms.rdp.established; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014386; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
#alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; byte_test:1,&,0x08,2; content:"|03|"; offset:20; depth:1; byte_test:1,&,0x40,2,relative; byte_test:1,&,0x80,2,relative; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; rev:3; metadata:created_at 2012_07_02, updated_at 2012_07_02;)
alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8; metadata:created_at 2012_12_11, updated_at 2012_12_11;)
#alert udp $HOME_NET 53 -> any any (msg:"ET DOS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:7; metadata:created_at 2012_12_11, updated_at 2012_12_11;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC POST"; flow:established,to_server; content:"POST"; http_method; content:"13"; depth:2; http_client_body; content:"=MSG"; fast_pattern; http_client_body; distance:11; within:4; pcre:"/^13\d{11}/P"; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016030; rev:4; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC GET"; flow:established,to_server; content:"GET"; http_method; content:"/?msg=MSG"; http_uri; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016031; rev:3; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*uuid\x3a[^\r\n\x3a]{181}/Ri"; reference:cve,CVE-2012-5963; classtype:attempted-dos; sid:2016323; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern:only; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS CVE-2013-0230 Miniupnpd SoapAction MethodName Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|SOAPAction|3a|"; nocase; distance:0; pcre:"/^[^\r\n]+#[^\x22\r\n]{2049}/R"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0230; classtype:attempted-dos; sid:2016364; rev:1; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
#alert http any any -> $HOME_NET 3128 (msg:"ET DOS Squid-3.3.5 DoS"; flow:established,to_server; content:"Host|3a| "; http_header; pcre:"/^Host\x3a[^\x3a\r\n]+?\x3a[^\r\n]{6}/Hmi"; classtype:attempted-dos; sid:2017154; rev:2; metadata:created_at 2013_07_16, updated_at 2013_07_16;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound"; flow:established,to_server; content:"POST"; http_method; content:"Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:24,9; http_user_agent; content:"login="; http_client_body; depth:6; content:"$pass="; http_client_body; within:50; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:attempted-dos; sid:2017722; rev:3; metadata:created_at 2013_11_14, updated_at 2013_11_14;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Inbound GoldenEye DoS attack"; flow:established,to_server; content:"/?"; fast_pattern; http_uri; depth:2; content:"="; http_uri; distance:3; within:11; pcre:"/^\/\?[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20}(?:&[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20})*?$/U"; content:"Keep|2d|Alive|3a|"; http_header; content:"Connection|3a| keep|2d|alive"; http_header; content:"Cache|2d|Control|3a|"; http_header; pcre:"/^Cache-Control\x3a\x20(?:max-age=0|no-cache)\r?$/Hm"; content:"Accept|2d|Encoding|3a|"; http_header; threshold: type both, track by_src, count 100, seconds 300; reference:url,github.com/jseidl/GoldenEye; classtype:denial-of-service; sid:2018208; rev:2; metadata:created_at 2014_03_04, updated_at 2014_03_04;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Possible WordPress Pingback DDoS in Progress (Inbound)"; flow:established,to_server; content:"/xmlrpc.php"; http_uri; nocase; content:"pingback.ping"; nocase; http_client_body; fast_pattern; threshold:type both, track by_src, count 5, seconds 90; classtype:attempted-dos; sid:2018277; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2014_03_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS HOIC with booster outbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_src; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018977; rev:3; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS HOIC with booster inbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_dst; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018978; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1; metadata:created_at 2014_09_02, updated_at 2014_09_02;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019346; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS HTTP GET AAAAAAAA Likely FireFlood"; flow:to_server,established; content:"GET AAAAAAAA HTTP/1.1"; content:!"Referer|3a|"; distance:0; content:!"Accept"; distance:0; content:!"|0d 0a|"; distance:0; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019347; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonMafiaIC DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.0|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019348; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonGhost DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.1|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019349; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely GoodBye 5.2 DDoS tool"; flow:to_server,established; dsize:<50; content:"|20|HTTP/1.1Host|3a 20|"; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019350; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
#alert tcp $EXTERNAL_NET 10000: -> $HOME_NET 0:1023 (msg:"ET DOS Potential Tsunami SYN Flood Denial Of Service Attempt"; flags:S; flow:to_server; dsize:>900; threshold: type both, count 20, seconds 120, track by_src; reference:url,security.radware.com/uploadedFiles/Resources_and_Content/Threat/TsunamiSYNFloodAttack.pdf; classtype:attempted-dos; sid:2019404; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
alert udp $HOME_NET 1434 -> $EXTERNAL_NET any (msg:"ET DOS MC-SQLR Response Outbound Possible DDoS Participation"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_src,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020305; rev:4; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
alert udp $EXTERNAL_NET 1434 -> $HOME_NET any (msg:"ET DOS MC-SQLR Response Inbound Possible DDoS Target"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_dst,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020306; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Bittorrent User-Agent inbound - possible DDOS"; flow:established,to_server; content:"User-Agent|3a| Bittorrent"; http_header; threshold: type both, count 1, seconds 60, track by_src; reference:url,torrentfreak.com/zombie-pirate-bay-tracker-fuels-chinese-ddos-attacks-150124/; classtype:attempted-dos; sid:2020702; rev:2; metadata:created_at 2015_03_18, updated_at 2015_03_18;)
alert udp $HOME_NET 5093 -> $EXTERNAL_NET any (msg:"ET DOS Possible Sentinal LM Application attack in progress Outbound (Response)"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021170; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
alert udp $EXTERNAL_NET 5093 -> $HOME_NET any (msg:"ET DOS Possible Sentinal LM Amplification attack (Response) Inbound"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021171; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"ET DOS Possible Sentinal LM Amplification attack (Request) Inbound"; dsize:6; content:"|7a 00 00 00 00 00|"; threshold: type both,track by_dst,count 10,seconds 60; classtype:attempted-dos; sid:2021172; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Linux/Tsunami DOS User-Agent (x00_-gawa.sa.pilipinas.2015) INBOUND"; flow:to_server,established; content:"x00_-gawa.sa.pilipinas.2015"; http_user_agent; reference:url,vms.drweb.com/virus/?i=4656268; classtype:attempted-dos; sid:2022760; rev:2; metadata:created_at 2016_04_26, updated_at 2016_04_26;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Inbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023053; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
alert udp $HOME_NET 53 -> $EXTERNAL_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Outbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023054; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
alert tcp any any -> $HOME_NET 445 (msg:"ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)"; flow:established,to_server; content:"|FF|SMB|73|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; byte_test:1,&,0x08,6,relative; byte_test:1,&,0x10,5,relative; byte_test:1,&,0x04,5,relative; byte_test:1,&,0x02,5,relative; byte_test:1,&,0x01,5,relative; content:"|ff 00|"; distance:28; within:2; content:"|84|"; distance:25; within:1; content:"NTLMSSP"; fast_pattern; within:64; reference:url,github.com/lgandx/PoC/tree/master/LSASS; reference:url,support.microsoft.com/en-us/kb/3216771; reference:url,support.microsoft.com/en-us/kb/3199173; reference:cve,2017-0004; reference:url,technet.microsoft.com/library/security/MS17-004; classtype:attempted-dos; sid:2023497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Major, created_at 2016_11_11, performance_impact Low, updated_at 2017_01_12;)
alert tcp any 445 -> $HOME_NET any (msg:"ET DOS Excessive Large Tree Connect Response"; flow:from_server,established; byte_test: 3,>,1000,1; content: "|fe 53 4d 42 40 00|"; offset: 4; depth: 6; content: "|03 00|"; offset: 16; depth:2; reference:url,isc.sans.edu/forums/diary/Windows+SMBv3+Denial+of+Service+Proof+of+Concept+0+Day+Exploit/22029/; classtype:attempted-dos; sid:2023831; rev:2; metadata:affected_product SMBv3, attack_target Client_and_Server, deployment Datacenter, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)
alert tcp any 445 -> $HOME_NET any (msg:"ET DOS SMB Tree_Connect Stack Overflow Attempt (CVE-2017-0016)"; flow:from_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|03 00|"; distance:8; within:2; byte_test:1,&,1,2,relative; byte_jump:2,8,little,from_beginning; byte_jump:2,4,relative,little; isdataat:1000,relative; content:!"|FE|SMB"; within:1000; reference:cve,2017-0016; classtype:attempted-dos; sid:2023832; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, deployment Datacenter, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_07;)
#alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS Possible SMBLoris NBSS Length Mem Exhaustion Vuln Inbound"; flow:established,to_server; content:"|00 01|"; depth:2; threshold:type both,track by_dst,count 3, seconds 90; metadata: former_category DOS; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Internal, signature_severity Major, created_at 2017_08_02, performance_impact Significant, updated_at 2017_08_02;)
alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS SMBLoris NBSS Length Mem Exhaustion Attempt (PoC Based)"; flow:established,to_server; content:"|00 01 ff ff|"; depth:4; threshold:type both,track by_dst,count 30, seconds 300; metadata: former_category DOS; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Internal, signature_severity Major, created_at 2017_08_02, performance_impact Significant, updated_at 2017_08_03;)
alert udp $EXTERNAL_NET 389 -> $HOME_NET 389 (msg:"ET DOS CLDAP Amplification Reflection (PoC based)"; dsize:52; content:"|30 84 00 00 00 2d 02 01 01 63 84 00 00 00 24 04 00 0a 01 00|"; fast_pattern; threshold:type both, count 100, seconds 60, track by_src; metadata: former_category DOS; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2017_08_16, performance_impact Significant, updated_at 2017_08_16;)
alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"ET DOS Potential CLDAP Amplification Reflection"; content:"objectclass0"; fast_pattern; threshold:type both, count 200, seconds 60, track by_src; metadata: former_category DOS; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2017_08_16, performance_impact Significant, updated_at 2017_08_16;)
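Review bot: sid:2024510 (the SMBLoris "Vuln Inbound" rule) is vendored commented out while its sibling sid:2024511 stays enabled, and nothing in the change records whether that is the upstream ET Open default or a local tuning decision. The disabled rule matches only a 2-byte `|00 01|` at `depth:2` with `count 3, seconds 90` and carries `performance_impact Significant`, so the choice looks deliberate; a one-line note in the commit message or in a README beside the rules file listing which sids were intentionally left disabled would keep the next upstream refresh from silently re-enabling or dropping them.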


@ -0,0 +1,409 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009246; classtype:shellcode-detect; sid:2009246; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; sid:2009285; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009247; classtype:shellcode-detect; sid:2009247; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009284; classtype:shellcode-detect; sid:2009284; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009248; classtype:shellcode-detect; sid:2009248; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009283; classtype:shellcode-detect; sid:2009283; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009249; classtype:shellcode-detect; sid:2009249; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009282; classtype:shellcode-detect; sid:2009282; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009250; classtype:shellcode-detect; sid:2009250; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009281; classtype:shellcode-detect; sid:2009281; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009251; classtype:shellcode-detect; sid:2009251; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009280; classtype:shellcode-detect; sid:2009280; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009252; classtype:shellcode-detect; sid:2009252; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009279; classtype:shellcode-detect; sid:2009279; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009253; classtype:shellcode-detect; sid:2009253; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009278; classtype:shellcode-detect; sid:2009278; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009254; classtype:shellcode-detect; sid:2009254; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009277; classtype:shellcode-detect; sid:2009277; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009255; classtype:shellcode-detect; sid:2009255; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009276; classtype:shellcode-detect; sid:2009276; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009256; classtype:shellcode-detect; sid:2009256; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009275; classtype:shellcode-detect; sid:2009275; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009257; classtype:shellcode-detect; sid:2009257; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009274; classtype:shellcode-detect; sid:2009274; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009258; classtype:shellcode-detect; sid:2009258; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009273; classtype:shellcode-detect; sid:2009273; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009259; classtype:shellcode-detect; sid:2009259; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009272; classtype:shellcode-detect; sid:2009272; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009260; classtype:shellcode-detect; sid:2009260; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009271; classtype:shellcode-detect; sid:2009271; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009261; classtype:shellcode-detect; sid:2009261; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009270; classtype:shellcode-detect; sid:2009270; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009262; classtype:shellcode-detect; sid:2009262; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009269; classtype:shellcode-detect; sid:2009269; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009263; classtype:shellcode-detect; sid:2009263; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009268; classtype:shellcode-detect; sid:2009268; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009264; classtype:shellcode-detect; sid:2009264; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009267; classtype:shellcode-detect; sid:2009267; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009265; classtype:shellcode-detect; sid:2009265; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009266; classtype:shellcode-detect; sid:2009266; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:2; content:!"|0A|"; within:2; content:!"|20|"; within:2; pcre:"/(%U([0-9a-f]{2})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; classtype:trojan-activity; sid:2003173; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:4; content:!"|0A|"; within:4; content:!"|20|"; within:4; pcre:"/(%U([0-9a-f]{4})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; classtype:trojan-activity; sid:2003174; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexFnstenvMov/Sub Encoder"; flow:established; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; classtype:shellcode-detect; sid:2002903; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Alpha2 GetEIPs Encoder"; flow:established; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; classtype:shellcode-detect; sid:2002904; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Countdown Encoder"; flow:established; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002905; classtype:shellcode-detect; sid:2002905; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexAlphaNum Encoder"; flow:established; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; reference:url,doc.emergingthreats.net/bin/view/Main/2002906; classtype:shellcode-detect; sid:2002906; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 PexCall Encoder"; flow:established; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|82 EE FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002907; classtype:shellcode-detect; sid:2002907; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 JmpCallAdditive Encoder"; flow:established; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; classtype:shellcode-detect; sid:2002908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010383; classtype:shellcode-detect; sid:2010383; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; reference:url,doc.emergingthreats.net/2010386; classtype:shellcode-detect; sid:2010386; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4)"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a 2a cc a5|"; reference:url,doc.emergingthreats.net/2010387; classtype:shellcode-detect; sid:2010387; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5)"; content:"|17 1c 1a 19 fb 77 80 ce|"; reference:url,doc.emergingthreats.net/2010388; classtype:shellcode-detect; sid:2010388; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1)"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010389; classtype:shellcode-detect; sid:2010389; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010390; classtype:shellcode-detect; sid:2010390; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1)"; content:"|6a 61 58 99 52 68 10 02|"; reference:url,doc.emergingthreats.net/2010391; classtype:shellcode-detect; sid:2010391; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2)"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a 68 58 cd|"; reference:url,doc.emergingthreats.net/2010392; classtype:shellcode-detect; sid:2010392; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3)"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a 5a 58 51|"; reference:url,doc.emergingthreats.net/2010393; classtype:shellcode-detect; sid:2010393; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4)"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|"; reference:url,doc.emergingthreats.net/2010394; classtype:shellcode-detect; sid:2010394; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)"; content:"|50 54 53 53 b0 3b cd 80|"; reference:url,doc.emergingthreats.net/2010395; classtype:shellcode-detect; sid:2010395; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49 51 5a 56|"; reference:url,doc.emergingthreats.net/2010396; classtype:shellcode-detect; sid:2010396; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33 30 42 43|"; reference:url,doc.emergingthreats.net/2010397; classtype:shellcode-detect; sid:2010397; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010398; classtype:shellcode-detect; sid:2010398; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; reference:url,doc.emergingthreats.net/2010399; classtype:shellcode-detect; sid:2010399; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)"; content:"|41 4e 44 35 44 34 44|"; reference:url,doc.emergingthreats.net/2010400; classtype:shellcode-detect; sid:2010400; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010401; classtype:shellcode-detect; sid:2010401; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010402; classtype:shellcode-detect; sid:2010402; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010403; classtype:shellcode-detect; sid:2010403; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49 49 49 49|"; reference:url,doc.emergingthreats.net/2010404; classtype:shellcode-detect; sid:2010404; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2)"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|"; reference:url,doc.emergingthreats.net/2010405; classtype:shellcode-detect; sid:2010405; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3)"; content:"|49 72 4e 4e 69 6b 53|"; reference:url,doc.emergingthreats.net/2010406; classtype:shellcode-detect; sid:2010406; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010407; classtype:shellcode-detect; sid:2010407; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1)"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|"; reference:url,doc.emergingthreats.net/2010409; classtype:shellcode-detect; sid:2010409; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2)"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c 96 7d 79 7e|"; reference:url,doc.emergingthreats.net/2010410; classtype:shellcode-detect; sid:2010410; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3)"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50 54 b2 df 6d|"; reference:url,doc.emergingthreats.net/2010411; classtype:shellcode-detect; sid:2010411; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4)"; content:"|57 44 55 4a 5b 62|"; reference:url,doc.emergingthreats.net/2010412; classtype:shellcode-detect; sid:2010412; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1)"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010413; classtype:shellcode-detect; sid:2010413; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010414; classtype:shellcode-detect; sid:2010414; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1)"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50|"; reference:url,doc.emergingthreats.net/2010415; classtype:shellcode-detect; sid:2010415; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2)"; content:"|6a 61 58 99 52 42 52 42 52 68|"; reference:url,doc.emergingthreats.net/2010416; classtype:shellcode-detect; sid:2010416; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3)"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59 b0 5a 51 57|"; reference:url,doc.emergingthreats.net/2010417; classtype:shellcode-detect; sid:2010417; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f 49 38 41 4e|"; reference:url,doc.emergingthreats.net/2010418; classtype:shellcode-detect; sid:2010418; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56 4a 35 4d 4c|"; reference:url,doc.emergingthreats.net/2010419; classtype:shellcode-detect; sid:2010419; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010420; classtype:shellcode-detect; sid:2010420; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010421; classtype:shellcode-detect; sid:2010421; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010423; classtype:shellcode-detect; sid:2010423; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)"; content:"|49 49 49 49 49 49 49 51 5a 6a|"; reference:url,doc.emergingthreats.net/2010424; classtype:shellcode-detect; sid:2010424; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)"; content:"|58 50 30 42 31 41 42 6b 42 41|"; reference:url,doc.emergingthreats.net/2010425; classtype:shellcode-detect; sid:2010425; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|"; reference:url,doc.emergingthreats.net/2010426; classtype:shellcode-detect; sid:2010426; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010427; classtype:shellcode-detect; sid:2010427; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010428; classtype:shellcode-detect; sid:2010428; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1)"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20 10 82 10 20 68|"; reference:url,doc.emergingthreats.net/2010429; classtype:shellcode-detect; sid:2010429; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20 6a 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010430; classtype:shellcode-detect; sid:2010430; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3)"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20 1e 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010431; classtype:shellcode-detect; sid:2010431; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4)"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf f0 d0 23 bf f8|"; reference:url,doc.emergingthreats.net/2010432; classtype:shellcode-detect; sid:2010432; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10 20 02 82 10 20 61|"; reference:url,doc.emergingthreats.net/2010433; classtype:shellcode-detect; sid:2010433; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82 10 20 5a|"; reference:url,doc.emergingthreats.net/2010434; classtype:shellcode-detect; sid:2010434; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|"; reference:url,doc.emergingthreats.net/2010437; classtype:shellcode-detect; sid:2010437; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010435; classtype:shellcode-detect; sid:2010435; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010436; classtype:shellcode-detect; sid:2010436; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:2100640; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2102313; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2102312; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2102314; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_09;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2100653; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern:only; classtype:shellcode-detect; sid:2101424; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:2100648; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata: former_category SHELLCODE; classtype:shellcode-detect; sid:2101390; rev:6; metadata:created_at 2010_09_23, updated_at 2017_09_08;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; metadata: former_category SHELLCODE; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:9; metadata:created_at 2010_09_23, updated_at 2017_09_08;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2100691; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012087; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:3; metadata:created_at 2010_12_23, updated_at 2016_09_16;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012089; rev:2; metadata:created_at 2010_12_23, updated_at 2017_09_08;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012090; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012091; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012092; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012093; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:3; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:4; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:4; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode"; flow:established,to_client; content:"writeByte(0x"; nocase; pcre:"/writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}/smi"; reference:url,blog.fireeye.com/research/2009/07/actionscript_heap_spray.html; classtype:shellcode-detect; sid:2012120; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:3; metadata:created_at 2011_01_17, updated_at 2011_01_17;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:4; metadata:created_at 2011_01_17, updated_at 2011_01_17;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012252; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:2; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:2; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012534; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:2; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; classtype:shellcode-detect; sid:2012962; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; classtype:shellcode-detect; sid:2012963; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; classtype:shellcode-detect; sid:2012964; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; classtype:shellcode-detect; sid:2012965; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern:only; classtype:shellcode-detect; sid:2013145; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013146; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013147; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"heap|2E|"; nocase; fast_pattern:only; pcre:"/var\x20[^\n\r]*\x3D[^\n\r]*heap\x2E/smi"; classtype:shellcode-detect; sid:2013148; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:3; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:2; metadata:created_at 2011_07_14, updated_at 2017_09_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; pcre:"/u0[a-d]u0[a-d]u0[a-d]u0[a-d]/smi"; classtype:shellcode-detect; sid:2013319; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:3; within:2; pcre:"/u0[a-d]0[a-d]u0[a-d]0[a-d]/smi"; classtype:shellcode-detect; sid:2013320; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; metadata: former_category SHELLCODE; classtype:bad-unknown; sid:2016715; rev:2; metadata:created_at 2013_04_03, updated_at 2017_09_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Flush IPTables Shellcode"; content:"|6a 52 58 99 52 66 68 2d 46 54 5b 52 48 b9 69 70 74 61 62 6c 65 73 51 d0 e0 28 c8 48 b9 2f 2f 73 62 69 6e 2f 2f 51 54 5f 52 53 57 54 5e 0f 05|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,a41l4.blogspot.ca/2017/03/polyflushiptables1434.html; classtype:shellcode-detect; sid:2024057; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode"; content:"|31 ff 57 6a 69 58 48 bb 5e c4 d2 dc 5e 5e e6 d0 0f 05 48 d1 cb b0 3b 53 87 f7 54 99 5f 0f 05|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html; classtype:shellcode-detect; sid:2024058; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Reverse Shell Shellcode"; content:"|6a 02 6a 2a 6a 10 6a 29 6a 01 6a 02|"; content:"|48 bf 2f 2f 62 69 6e 2f 73 68|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,exploit-db.com/exploits/41477/; classtype:shellcode-detect; sid:2024065; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_16, performance_impact Low, updated_at 2017_03_16;)
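Review bot: the heap-spray rules in this hunk that key on a short literal anywhere in the HTTP response (for example sid 2012252 with `content:"0a0a0a0a"; nocase;`, sid 2012962 with `content:"0x0a0a0a0a"; nocase;` and sid 2013145 with `content:"%41%41%41%41"; fast_pattern:only;`) carry no `file_data` or other buffer restriction, unlike sid 2013268 and sid 2016714 which do, so they will also fire on ordinary hex-looking text in a page body; consider measuring their alert volume after deployment before leaving them at `alert`. Separately, the rules commented out with a leading `#` in this part of the hunk (sids 2012120, 2012253, 2012256, 2012510, 2012534, 2013148, 2013273, 2013319, 2013320 and 2016715) are disabled without the commit recording whether that is the upstream ET Open default or a local tuning decision; a short note in the repo listing local disables would keep them from being silently re-enabled or re-disabled on the next upstream sync.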


@ -0,0 +1,447 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/getAdXml.do"; http_uri; nocase; content:"params="; nocase; reference:url,www.isc.sans.org/diary.html?storyid=10186; classtype:trojan-activity; sid:2012140; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_01_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; content:"/push/androidxml/"; http_uri; nocase; content:"sim="; http_uri; nocase; content:"tel="; http_uri; nocase; content:"imsi="; http_uri; content:"pid="; http_uri; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2012451; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; content:".log"; http_uri; nocase; content:"id="; http_uri; nocase; content:"softid="; http_uri; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/GMServer/GMServlet"; nocase; http_uri; content:"|0d 0a|User-Agent|3a| Dalvik"; http_header; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"request"; http_uri; nocase; content:".php"; http_uri; nocase; content:"<imei>"; content:"<smscenter>"; content:"<installtime>"; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012454; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2"; flow:established,to_server; content:"req.php"; nocase; http_uri; content:"pid="; http_uri; nocase; content:"ver="; http_uri; nocase; content:"area="; http_uri; nocase; content:"insttime="; http_uri; nocase; content:"first="; http_uri; nocase; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012455; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; http_uri; content:"StartUpdata.ini"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; http_uri; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; http_uri; nocase; content:"active.txt"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012844; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012845; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012846; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012847; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imei="; nocase; http_uri; pcre:"/imei=\d{2}-?\d{6}-?\d{6,}-?\d{1,}/Ui"; content:!"Host|3a 20|iphone-wu.apple.com"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2012848; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; classtype:trojan-activity; sid:2012850; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012851; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012852; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012853; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"?id="; http_uri; content:"&time="; http_uri; content:"&imei="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server"; flow:established,to_server; content:"jiao.com"; http_header; fast_pattern; content:"/?id=book22"; nocase; http_uri; pcre:"/Host\x3A[^\n\r]*jiao.com/Hi"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012904; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt"; flow:established,to_server; content:"/talktome.asmx"; nocase; http_uri; content:"cell"; http_client_body; nocase; content:"opname"; nocase; distance:0; http_client_body; reference:url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html; classtype:trojan-activity; sid:2012924; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_02, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013019; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/search/sayhi.php"; http_uri; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information"; flow:established,to_server; content:"POST"; http_method; nocase; content:"longitude="; http_uri; nocase; content:"latitude="; http_uri; nocase; classtype:trojan-activity; sid:2013021; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"search/rpty.php"; http_uri; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0E|gongfu-android|03|com"; distance:0; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013023; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_13, updated_at 2016_07_01;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|waplove|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; content:"/ProtocolGW/"; fast_pattern; http_uri; nocase; content:"filename="; http_uri; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; content:"|0d 0a|url=http|3A|//"; nocase; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/search/getty.php"; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; content:"POST"; http_method; content:".aspx?im="; http_uri; content:"User-Agent|3A| J2ME/UCWEB"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; content:"/android/android.dbug.php?action=heart"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013078; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; content:"/ss/attachments/files/URLshorter.apk"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMEI>"; http_client_body; nocase; content:"<|2F|IMEI>"; fast_pattern; nocase; http_client_body; distance:0; content:!".blackberry.com|0d 0a|"; http_header; content:!".nokia.com|0d 0a|"; http_header; content:!".sonyericsson.com|0d 0a|"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2013138; rev:8; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMSI>"; http_client_body; nocase; content:"<|2F|IMSI"; nocase; distance:0; http_client_body; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013140; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download"; flow:established,to_server; content:"plugucsrv.sisx"; http_uri; fast_pattern:only; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013141; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013142; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013143; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC"; flow:established,to_server; content:"/flash/test.xml"; http_uri; fast_pattern:only; flowbits:set,ET.And.CruseWin; flowbits:noalert; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013193; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server"; flowbits:isset,ET.And.CruseWin; flow:established,from_server; content:"<connect>http|3A|//"; nocase; content:"<send number="; nocase; distance:0; content:"<insms>http|3A|//"; nocase; distance:0; content:"<delete number="; nocase; distance:0; content:"<clean app="; nocase; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013194; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Mobile Device Posting Phone Number"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&Phone"; fast_pattern; nocase; http_uri; content:"Number="; nocase; http_uri; pcre:"/\x26Phone(Number\x3D|\x5FNumber\x3D|\x2DNumber\x3D)/Ui"; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2013208; rev:3; metadata:created_at 2011_07_06, updated_at 2017_07_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server"; flow:established,to_server; content:"/wat.php"; nocase; http_uri; content:"incorporateapps.com"; nocase; http_header; pcre:"/Host\x3A[^\r\n]*incorporateapps\x2Ecom/Hi"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-033008-4831-99&tabid=2; reference:url,blog.avast.com/2011/03/21/android-is-calling-walk-and-text-and-be-malicious/; classtype:trojan-activity; sid:2013209; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server"; flow:established,to_server; content:"POST"; http_method; uricontent:"/Coop/request"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-031005-2918-99&tabid=2; classtype:trojan-activity; sid:2013210; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; content:"/RegistUid.asp"; fast_pattern:only; http_uri; nocase; content:"?pid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&imei="; nocase; http_uri; content:"&sim="; nocase; http_uri; content:"&imsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; content:"/alotWorkTask.aspx?no="; http_uri; content:"&uid="; http_uri; content:"&ti="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; content:"/upload/UploadFiles.aspx?askId="; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary"; flow:established,to_server; content:"DGOManagerServer/file/TianXiangServer2.sisx"; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_commdn.a!tr.html; classtype:trojan-activity; sid:2013261; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013265; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:"<smslist>"; content:"<sms id="; distance:0; content:"upnumber="; distance:0; content:"<|2F|smslist>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013266; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/HippoSms Method Request to CnC"; flow:established,to_server; content:"/clientRequest.htm?method="; http_uri; nocase; content:"&os="; http_uri; content:"&brand="; nocase; http_uri; content:"&sdkVersion="; nocase; http_uri; pcre:"/method\x3D(update|startcharge)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html; classtype:trojan-activity; sid:2013299; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server"; flow:established,to_server; content:"/Submit.aspx?ver="; http_uri; content:"&sys="; http_uri; content:"&imei="; http_uri; content:"&ua="; http_uri; content:"&pro="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013316; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.AdSms XML File From CnC Server"; flow:established,from_server; content:"<cmdsystem>"; content:"<mobile>"; content:"<|2F|mobile>"; within:50; content:"<killprocess>"; distance:0; content:"<killinstall>"; distance:0; content:"<killuninst>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013317; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/security.jsp"; nocase; http_uri; content:"|0d 0a 0d 0a|f0="; content:"&b0="; distance:0; content:"&pid="; distance:0; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:2013327; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/netsend/nmsm_json.jsp"; fast_pattern:only; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:trojan-activity; sid:2013694; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_09_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; content:"/android_notifier/notifier.php?app="; http_uri; content:"&deviceId="; http_uri; content:"&mobile="; http_uri; content:"&country="; http_uri; content:"&carrier="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; content:"/AndroidService.aspx?imsi="; http_uri; content:"&mobile="; http_uri; content:"&pid="; http_uri; content:"&ownerid="; http_uri; content:"&testchlid="; http_uri; content:"&androidver="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; content:"/search/isavailable"; http_uri; content:".php?imei="; http_uri; content:"&ch="; http_uri; content:"&ver="; http_uri; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; content:"/send.php?a_id="; http_uri; content:"&telno="; fast_pattern:only; http_uri; content:"&m_addr="; http_uri; content:"Android"; http_user_agent; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:trojan-activity; sid:2014161; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; content:"/android_notifier/notifier.php?h="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:trojan-activity; sid:2014162; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server"; flow:established,to_server; content:"/ProtocolGW/protocol/commands"; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_PLANKTON.P; classtype:trojan-activity; sid:2014215; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_02_07, updated_at 2016_07_01;)
alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; content:"/kspp/do?imei="; fast_pattern:only; http_uri; content:"&wid="; http_uri; content:"&type="; http_uri; content:"&step="; http_uri; reference:md5,e6d9776113b29680aec73ac2d1445946; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; classtype:trojan-activity; sid:2016318; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_12, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Updtkiller Sending Device Information"; flow:established,to_server; content:"/phone_getinfokou_android.php"; http_uri; reference:url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2; classtype:trojan-activity; sid:2016094; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC"; flow:established,to_server; content:"POST"; http_method; content:"/geturl.aspx?email="; http_uri; content:"&lat="; http_uri; content:"&lon="; http_uri; content:"&mobile="; http_uri; content:"&group="; http_uri; reference:url,www.symantec.com/connect/blogs/androidcoolpaperleak-million-download-baby; classtype:trojan-activity; sid:2016209; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_01_15, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android TrojanFakeLookout.A"; flow:established,to_server; urilen:13; content:"/controls.php"; http_uri; content:"Dalvik/"; http_user_agent; reference:url,blog.trustgo.com/fakelookout/; reference:md5,65baecf1fe1ec7b074a5255dc5014beb; classtype:trojan-activity; sid:2016343; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&online="; distance:0; http_uri; content:"&m="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"User-Agent|3a| Dalvik/"; http_header; reference:md5,7dec1c9174d0f688667f6c34c0fa66c2; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:2016344; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Variant"; flow:established,to_server; content:"GET"; http_method; content:"/search/"; http_uri; content:".php?i="; http_uri; distance:0; content:"1.0|0d 0a|User-Agent|3a| unknown|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2016345; rev:5; metadata:created_at 2013_02_05, updated_at 2013_02_05;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Successful Install Report"; flow:established,to_server; content:"/Android_SMS/installing.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016512; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_03_01, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/Android_SMS/receiving.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016513; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_03_01, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; file_data; content:"PK"; depth:2; content:"|FD FF|"; distance:26; within:2; content:".dex"; nocase; within:128; reference:url,sophos.com/2013/07/17/anatomy-of-another-android-hole-chinese-researchers-claim-new-code-verification-bypass/; classtype:trojan-activity; sid:2017163; rev:2; metadata:created_at 2013_07_17, updated_at 2013_07_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/srev.asp"; http_uri; content:"action="; http_client_body; depth:7; content:"&b_name="; http_client_body; distance:0; content:"&b_conter="; http_client_body; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans; classtype:trojan-activity; sid:2017466; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_09_16, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon"; flow:established,to_server; content:"/getTask.php?"; fast_pattern:only; nocase; http_uri; content:"imei="; http_uri; content:"balance="; http_uri; content:!"Referer|3a 20|"; http_header; metadata: former_category MOBILE_MALWARE; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017587; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_10_13, updated_at 2017_03_29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"co"; http_uri; content:"untry="; http_uri; content:"phone="; http_uri; content:"&op="; http_uri; content:"imei="; fast_pattern:only; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017588; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_10_13, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/send_sim_no.php|20|HTTP/1."; fast_pattern; content:!"Referer|3a 20|"; http_header; content:"_no="; http_client_body; depth:16; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017787; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2017_04_27;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017788; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon"; flow:established,to_server; content:"POST "; urilen:15; content:"/getLastVersion"; depth:15; http_uri; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2017999; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/register"; depth:9; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018000; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:7; content:"/login"; depth:7; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018001; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:7; content:"/report"; depth:7; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018002; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:8; content:"/getTask"; depth:8; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018003; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/reportMessage"; depth:14; http_uri; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/H"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018004; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request"; flow:established,to_server; content:"/iconfig.txt"; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible)|0D 0A|"; http_header; reference:url,nakedsecurity.sophos.com/2014/01/31/android-banking-malware-with-a-twist-in-the-delivery/; classtype:trojan-activity; sid:2018071; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 1"; flow:to_server,established; content:"POST"; http_method; content:"androidbugreport.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; content:"&token="; depth:7; http_client_body; content:"&target="; depth:8; http_client_body; content:"&rd="; depth:4; http_client_body; content:"&fo="; depth:4; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018138; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 2"; flow:to_server,established; content:"POST"; http_method; content:"filter.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018139; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 3"; flow:to_server,established; content:"POST"; http_method; content:"history.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; content:"&ds="; depth:4; http_client_body; content:"&sg="; depth:4; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018140; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SMSSend Fake flappy bird APK"; flow:to_server,established; content:"GET"; http_method; content:"/bookmark/getServiceCode?price="; http_uri; fast_pattern:only; content:"Dalvik"; depth:6; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,securehoney.net/blog/how-to-dissect-android-flappy-bird-malware.html; reference:md5,6c357ac34d061c97e6237ce9bd1fe003; classtype:trojan-activity; sid:2018306; rev:3; metadata:created_at 2014_03_24, updated_at 2014_03_24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/get.php|20|HTTP/1."; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:"info"; http_client_body; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/P"; metadata: former_category MOBILE_MALWARE; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_04_17, malware_family Android_Hqwar, updated_at 2017_07_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS/Lotoor.Q"; flow:established, to_server; content: "device_id="; http_uri; pcre:"/^\d{10,20}&imsi=\d{10,15}&device_name=/URi"; content:"&app_id="; http_uri; pcre:"/^[a-f0-9]{30,35}&app_package_name=/URi"; content: "screen_density="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,92608e6ff795862f83d891ad8337b387; classtype:trojan-activity; sid:2018520; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern:only; content:"meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi"; http_user_agent; depth:51; content:!"Referer|3a|"; http_header; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Andr/com.sdwiurse"; flow:established,to_server; content:"POST"; http_method; content:"/youxi_up.php"; fast_pattern:only; http_uri; content:"--*****|0d 0a|Content-Disposition|3a| form-data|3b| name=|22|npki|22|"; depth:52; http_client_body; reference:url,fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html; reference:md5,04d24eb45d3278400b5fee5c1b06226c; classtype:trojan-activity; sid:2018584; rev:3; metadata:created_at 2014_06_19, updated_at 2014_06_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/n/"; http_uri; content:!"Referer|3a 20|"; http_header; content:"content=eyJ"; http_client_body; depth:11; fast_pattern; content:!"Accept|3a|"; http_header; pcre:"/\/n\/\d{15}$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,a78e904a05d4a9e6a15b6f56b261eab9; classtype:trojan-activity; sid:2018630; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_03, updated_at 2017_03_09;)
alert http $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET MOBILE_MALWARE Android Spyware Dowgin Checkin"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/webviewAdReq"; nocase; depth:13; http_uri; reference:md5,45bf9f6e19649d3e1642854ecd82623c; classtype:trojan-activity; sid:2018663; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin"; flow:established,to_server; content:"POST"; http_method; content:"/flash/api.php?id="; http_uri; fast_pattern:only; pcre:"/^\/flash\/api\.php\?id=\d/U"; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018769; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:14; content:"/api33/api.php"; http_uri; fast_pattern:only; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018774; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS.Simplocker Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:5; content:"/1/?1"; http_uri; fast_pattern:only; content:"{|22|n|22 3a 22|"; depth:6; http_client_body; content:"|22 2c 22|d|22 3a 22|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,welivesecurity.com/2014/07/22/androidsimplocker/; reference:md5,b98cac8f1ce9284f9882ba007878caf1; classtype:trojan-activity; sid:2018781; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_25, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/message.php"; http_uri; fast_pattern:only; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a|"; http_header; reference:md5,54b715f6608d4457a9d22cfdd8bddbe6; reference:url,adaptivemobile.com/blog/selfmite-worm; reference:url,computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmite_targets_Android_devices; classtype:trojan-activity; sid:2018792; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_28, updated_at 2016_07_01;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content:"MAIL FROM|3a|<a137736513@qq.com>"; nocase; reference:md5,ef819779fc4bee6117c124fb752abf57; classtype:trojan-activity; sid:2018887; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/path/DeviceManager.php"; nocase; depth:23; http_uri; content:"func="; depth:5; http_client_body; content:"&deviceid="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=counter&app_key="; depth:23; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018945; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=devicestatus"; http_client_body; fast_pattern:only; content:"&app_key="; offset:19; http_client_body; content:"&imei="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018946; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:15; content:"/report/install"; http_uri; fast_pattern:only; content:"data="; http_client_body; depth:5; content:"os="; http_client_body; distance:0; content:"mac="; http_client_body; distance:0; content:"sign="; http_client_body; distance:0; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:trojan-activity; sid:2019125; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 1"; flow:established,to_server; content:"/updatesrv.aspx?f=1"; http_uri; fast_pattern:only; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019174; rev:2; metadata:created_at 2014_09_15, updated_at 2014_09_15;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 2"; flow:established,to_server; content:"/updatesrv.aspx?f=2&uuid="; http_uri; fast_pattern:only; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019175; rev:2; metadata:created_at 2014_09_15, updated_at 2014_09_15;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Code4hk.A Checkin"; flow:established,to_server; content:"ClientInfo"; content:"isWifi"; distance:0; content:"cpuInfo"; distance:0; content:"firstOnlineIp"; distance:0; content:"firstOnlineTime"; distance:0; content:"imei"; distance:0; content:"ipAddr"; distance:0; content:"phoneBrand"; distance:0; content:"phoneNumber"; distance:0; content:"simOperator"; distance:0; fast_pattern; reference:url,malware.lu/articles/2014/09/29/analysis-of-code4hk.html; classtype:trojan-activity; sid:2019318; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetConnect.aspx"; http_uri; content:"&tIMEI="; http_uri; content:"&tIMSI="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019331; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending GPS info"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetUploadGps.aspx"; http_uri; content:"tmac="; http_uri; content:"&JZ="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019332; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending files"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/TargetUploadFile.aspx"; http_uri; content:"tmac="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019333; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser checking library version"; flow:to_server,established; content:"GET"; http_method; nocase; urilen:18; content:"/CheckLibrary.aspx"; http_uri; content:!"Referer|3a|"; http_header; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019334; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Koler.C Checkin"; flow:to_server,established; content:".php?v="; http_uri; content:"&brok="; fast_pattern:only; http_uri; content:"&u="; http_uri; content:"&id="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&id=\d{15}$/U"; reference:md5,6ae7b0d04e2fd64a50703910d0eff9cc; classtype:trojan-activity; sid:2019510; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_10_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Stealthgenie Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/SGCommand.aspx?sgcommand="; fast_pattern:6,20; http_uri; content:"&uid="; http_uri; distance:0; content:"&sid="; http_uri; distance:0; content:"&value="; http_uri; distance:0; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"|20|Android|20|"; http_user_agent; reference:md5,06947ce839a904d6abcb272ff46e7de1; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99&tabid=2; reference:url,engadget.com/2014/09/30/crackdown-on-spying-apps-leads-to-stealthgenie-ceos-arrest/; classtype:trojan-activity; sid:2019805; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_11_25, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 1"; flow:established,to_server; content:"/dmp/api/"; http_uri; fast_pattern:only; content:"UAC/"; depth:4; http_user_agent; content:"|28|Android|20|"; distance:0; http_user_agent; content:"dmp."; http_header; pcre:"/\/dmp\/api\/[a-z]+$/U"; pcre:"/^Host\x3a[^\r\n]+?dmp\.[^\r\n]+?\r?$/Hmi"; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019958; rev:4; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"UAC/"; depth:4; http_user_agent; content:"|28|Android|20|"; distance:0; http_user_agent; content:"name=|22|softwareVersion|22|"; nocase; http_client_body; content:"name=|22|isEnc|22|"; nocase; distance:0; http_client_body; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019959; rev:3; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper User-Agent"; flow:established,to_server; content:"UAC/"; depth:4; http_user_agent; fast_pattern; content:"|28|Android|20|"; distance:0; http_user_agent; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019960; rev:3; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/contacts"; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:"contact|25|26="; depth:11; fast_pattern; http_client_body; pcre:"/\/contacts$/U"; reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_02, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon"; flow:established,to_server; content:"/input_data_get_contact.asp?user="; http_uri; content:"&pwd="; http_uri; content:"&addr="; http_uri; reference:url,research.zscaler.com/2015/02/android-banking-trojan-and-sms-stealer.html; reference:md5,ff081c1400a948f2bcc4952fed2c818b; classtype:trojan-activity; sid:2020353; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_03, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Operation Pawn Storm IOS_XAGENT Checkin"; flow:to_server,established; content:"XAgent/1."; depth:9; http_user_agent; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:(?:sear|wat)ch|results|close|find|open)\/\?[a-zA-Z]{2,8}=/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020363; rev:3; metadata:created_at 2015_02_04, updated_at 2015_02_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE IOS_XAGENT UA"; flow:to_server,established; content:"XAgent/1."; http_user_agent; depth:9; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020364; rev:3; metadata:created_at 2015_02_04, updated_at 2015_02_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SMSSend.Y"; flow:established,to_server; content:"/api/log.html|3f|"; http_uri; fast_pattern; content:"c="; http_uri; content:"&o="; http_uri; content:"&n="; http_uri; content:"Apache-HttpClient"; depth:18; http_user_agent; reference:md5,ef79985c90675e7abfb6b9a6bc5a6c65; classtype:trojan-activity; sid:2020729; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_03_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin"; flow:to_server,established; content:"/pha?android_version="; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&phone_number="; http_uri; content:"&client_version="; http_uri; content:"&imei="; http_uri; content:"&name="; http_uri; reference:url,securityblog.s21sec.com/2015/05/new-ransomware-in-mobile-environment.html; classtype:trojan-activity; sid:2021174; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_01, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"User-Agent|3a 20|"; http_header; content:"content=eyJmaW5nZXJwcmludCI"; fast_pattern; depth:27; http_client_body; reference:md5,0aa69ad64e20bb6cbf72f346ce43ff23; reference:url,www.fireeye.com/blog/threat-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2021185; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 5.2|29 20|"; http_header; content:"appid="; depth:6; http_client_body; content:"&model="; http_client_body; content:"&imei="; fast_pattern:only; http_client_body; content:"&connect="; http_client_body; content:"&dpi="; http_client_body; content:"&width="; http_client_body; content:"&cpu="; http_client_body; content:"&phoneno="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021386; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"uuid="; http_client_body; content:"language="; http_client_body; content:"appkey"; http_client_body; content:"model="; http_client_body; content:"operatorsname="; fast_pattern:only; http_client_body; content:"networkname="; http_client_body; content:"networktype="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021387; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gunpoder Checkin"; flow:to_server,established; content:"/landing?c="; fast_pattern:only; http_uri; content:"&g="; http_uri; content:"&a="; http_uri; content:"&s1="; http_uri; content:"&s2="; http_uri; content:"&s3="; http_uri; content:"&s4="; http_uri; content:"&s5="; http_uri; content:"&s6="; http_uri; content:"&s7="; http_uri; content:"&s8="; http_uri; content:"&s9="; http_uri; content:"&s10="; http_uri; content:"&s11="; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/; reference:md5,b0b2cd71b4d15bb5f07b8315d7b27822; classtype:trojan-activity; sid:2021392; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_07, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|tinduongpho|03|com|00|"; fast_pattern; distance:0; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin 2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/gac/"; fast_pattern:only; http_uri; content:"|20|Android|20|"; http_user_agent; content:"|0d 0a|Connection|3a| Keep-Alive|0d 0a|Accept-Encoding|3a| gzip|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^\/gac\/[a-f0-9]{15}$/U"; reference:url,blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises; classtype:trojan-activity; sid:2021617; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_08_12, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin"; flow:to_server,established; content:"/data.php?table="; fast_pattern:only; http_uri; content:"&game="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&game=[a-f0-9]{40}$/U"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021737; rev:2; metadata:created_at 2015_08_31, updated_at 2015_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cert.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"id="; depth:3; http_client_body; content:"&cert="; http_client_body; content:"&priv="; fast_pattern:only; http_client_body; content:"&flag="; http_client_body; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021738; rev:2; metadata:created_at 2015_08_31, updated_at 2015_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M1"; flow:established,to_server; content:"GET"; http_method; content:".plist"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern:only; pcre:"/\.plist$/U"; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021900; rev:3; metadata:created_at 2015_10_05, updated_at 2015_10_05;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M2"; flow:established,to_server; content:"GET"; http_method; content:"/itms-services|3a|"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021901; rev:3; metadata:created_at 2015_10_05, updated_at 2015_10_05;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Kemoge DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|aps|06|kemoge|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021927; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:25; content:"/getInstalledPackages.jsp"; http_uri; fast_pattern:only; content:"sdCardFree="; http_client_body; depth:11; content:"&imei="; http_client_body; distance:0; content:"&hasSd="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021928; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/v1.jsp?e="; http_uri; fast_pattern; depth:10; content:"&s="; http_uri; distance:0; content:"&g="; http_uri; distance:0; content:"&versionCode="; http_uri; distance:0; content:"&osVersion="; http_uri; distance:0; content:"&countryCode="; http_uri; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021929; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Cloudsota HTTP Host"; flow:to_server,established; content:"Host|3a| download.cloudsota.com"; http_header; reference:url,www.cmcm.com/blog/en/security/2015-11-09/842.html; classtype:trojan-activity; sid:2022081; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_12, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.c Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; nocase; content:!"Referer|3a 20|"; http_header; content:"{|22|type|22 3a|"; depth:8; http_client_body; content:",|22|text|22 3a|"; http_client_body; content:",|22|code|22 3a|"; fast_pattern:only; http_client_body; content:",|22|from|22 3a|"; http_client_body; content:"|22|}"; http_client_body; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; reference:url,fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022137; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.EP HTTP Host"; flow:to_server,established; content:"Host|3a 20|jackdojacksgot.ru"; http_header; nocase; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; classtype:trojan-activity; sid:2022144; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"Referer|3a 20|"; http_header; content:",|22|model|22 3a|"; http_client_body; content:",|22|apps|22 3a 5b 22|"; http_client_body; content:",|22|imei|22 3a|"; fast_pattern:only; http_client_body; pcre:"/^\{\x22(?:os|type)\x22\x3a/P"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_12_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SlemBunk.Banker Phished Credentials Upload"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"/"; http_uri; depth:1; content:"User-Agent|3A| Apache-HttpClient/UNAVAILABLE"; http_header; content:"{|22|data|22 3A|"; http_client_body; depth:8; content:"|22|password old|22 3A|"; fast_pattern; http_client_body; distance:0; content:"|22|login|22 3A|"; http_client_body; content:"|22|type|22 3A|"; http_client_body; distance:0; content:"|22|login old|22 3A|"; http_client_body; distance:0; content:"|22|password|22 3A|"; http_client_body; distance:0; content:"|22|name|22 3A|"; http_client_body; distance:0; content:"|22|code|22 3A|"; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022289; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_12_21, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pc35hiptpcwqezgs"; nocase; distance:0; fast_pattern; reference:url,www.csis.dk/da/csis/blog/4818/; reference:md5,111b71c120167b5b571ee5501ffef65e; classtype:trojan-activity; sid:2022517; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_12, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yuwurw46taaep6ip"; nocase; distance:0; fast_pattern; reference:md5,58fed8b5b549be7ecbfbc6c63b84a728; classtype:trojan-activity; sid:2022562; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|voooxrrw2wxnoyew"; nocase; distance:0; fast_pattern; reference:md5,8d260ab2bb36aeaf5b033b80b6bc1e6a; classtype:trojan-activity; sid:2022563; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Trojan-Banker.AndroidOS.Marcher.i Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmdxiawceahpbhmb|03|com"; nocase; distance:0; fast_pattern; reference:md5,3c52de547353d94e95cde7d4c219ccac; classtype:trojan-activity; sid:2022975; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_07_18, performance_impact Low, updated_at 2016_07_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS DualToy Checkin"; flow:to_server,established; content:"/i_info_proxy.php?cmd="; fast_pattern:only; http_uri; content:"&data="; http_uri; content:"|3b 20|iPhone|20|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/&data=(?:([A-Za-z0-9]|%2[FB]){4})*(?:([A-Za-z0-9]|%2[FB]){2}==|([A-Za-z0-9]|%2[FB]){3}=|([A-Za-z0-9]|%2[FB]){4})$/I"; metadata: former_category MOBILE_MALWARE; reference:url,researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/; classtype:trojan-activity; sid:2023240; rev:2; metadata:affected_product iOS, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_15, performance_impact Low, updated_at 2017_03_08;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE AndroRAT Bitter DNS Lookup (info2t .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|info2t|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; classtype:trojan-activity; sid:2023398; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_10_24, malware_family AndroRAT, performance_impact Low, updated_at 2016_10_24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Adware.Adwo.A"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; content:!"&ComPut="; http_uri; content:!"User-Agent|3a 20|"; http_header; reference:md5,bbb0aa6c9f84963dacec55345fe4c47e; classtype:trojan-activity; sid:2023475; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Sending Credit Card Info"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cards_json.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"bot_id="; depth:7; fast_pattern; http_client_body; content:"&info="; http_client_body; content:"cardNum"; http_client_body; pcre:"/^bot_id=[a-f0-9]{32}&/P"; pcre:"/\.php$/U"; reference:md5,78c2444fe15a8e58c629076781d9442a; reference:url,blog.fortinet.com/2016/11/01/android-banking-malware-masquerades-as-flash-player-targeting-large-banks-and-popular-social-media-apps; classtype:trojan-activity; sid:2023483; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_03, performance_impact Low, updated_at 2016_11_03;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"sms|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023500; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, created_at 2016_11_11, updated_at 2016_11_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"itms-apps|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023501; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, created_at 2016_11_11, updated_at 2016_11_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/RequestActionsToExecute"; fast_pattern; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|CommandLine|22 3a|"; depth:15; http_client_body; content:",|22|CurrentDirectory|22 3a|"; http_client_body; pcre:"/\/RequestActionsToExecute$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023507; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/NotifyLog"; fast_pattern:only; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|ClientId|22 3a|"; depth:12; http_client_body; content:",|22|Date|22 3a|"; http_client_body; pcre:"/\/NotifyLog$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023508; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)
alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert"; flow:established,from_server; content:"|02|IT"; content:"|03|AAA"; distance:0; content:"|02|BB"; distance:0; content:"|03|EEE"; distance:0; content:"|0d|IT Department"; distance:0; content:"|0a|SASDS_Srv0"; fast_pattern; distance:0; reference:md5,cbd1c2db9ffc6b67cea46d271594c2ae; classtype:trojan-activity; sid:2023509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Unknown Redirector Nov 17 2016"; flow:from_server,established; file_data; content:"<script>"; content:".indexOf(|22|_mauthtoken|22|)=="; distance:0; content:"|22|ooglebot|22|"; content:"|7c|fennec|7c|"; content:"|22|_mauthtoken=1|3b| path=/|3b|expires=|22|"; fast_pattern; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023531; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Landing URI Nov 17 2016"; flow:to_server,established; content:"/kt/JpNx9n"; http_uri; pcre:"/\/kt\/JpNx9n$/U"; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023532; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin"; flow:to_server,established; content:"lm="; http_uri; content:"/watch/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023680; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 2"; flow:to_server,established; content:"lm="; http_uri; content:"/search/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023681; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 3"; flow:to_server,established; content:"lm="; http_uri; content:"/find/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023682; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 4"; flow:to_server,established; content:"lm="; http_uri; content:"/results/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023683; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 5"; flow:to_server,established; content:"lm="; http_uri; content:"/open/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023684; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 6"; flow:to_server,established; content:"lm="; http_uri; content:"/close/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023685; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert"; flow:established,from_server; content:"|00 dd 45 ec 3f 08 74 58 6a|"; content:"|0a|Department"; distance:0; content:"|55 04 03|"; distance:0; content:"|0f|www.example.com"; distance:1; within:16; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023708; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|rockybalboa|02|at|00|"; nocase; distance:0; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023709; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|storegoogle|02|at|00|"; nocase; distance:0; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php"; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Language|3a 20|en-US|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:98; http_header; content:!"Referer|3a 20|"; http_header; content:"&method="; fast_pattern:only; http_client_body; pcre:"/^d(?:id|ei)=[A-F0-9]{10,100}&method=IS[A-Z]{1,10}$/P"; pcre:"/\.php$/U"; reference:md5,d6ef9b0cdb49b56c53da3433e30f3fd6; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023933; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2017_02_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/functions.php"; fast_pattern:only; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:"apslst="; depth:7; http_client_body; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023934; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|androidbak|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023935; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|droidback|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023936; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|endpointup|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023937; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|siteanalysto|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023938; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|goodydaddy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023939; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/stat/locker|20|HTTP/1."; fast_pattern:only; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"type="; http_client_body; depth:5; content:"&version="; http_client_body; content:"&lid="; http_client_body; content:"&c="; http_client_body; content:"&i="; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,www.zscaler.com/blogs/research/new-android-ransomware-bypasses-all-antivirus-programs; classtype:trojan-activity; sid:2024123; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_03_31, updated_at 2017_03_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/support.aspx|20|HTTP/1."; content:"SessionId1|3a 20|"; http_header; content:"SessionId2|3a 20|"; fast_pattern:only; http_header; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|header|22 3b 20|filename=|22|header|22 0d 0a|"; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:trojan-activity; sid:2024171; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_04_04, updated_at 2017_04_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon M2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/adinfo?gi="; fast_pattern:only; http_uri; content:"&bf="; http_uri; pcre:"/^Host\x3a[^\n\r]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\r\n]+$/Hm"; metadata: former_category MOBILE_MALWARE; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:trojan-activity; sid:2024172; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_04_04, updated_at 2017_04_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/sdk_api.php?id="; fast_pattern:only; http_uri; content:"&type="; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?id=[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}&type=/U"; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024201; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response"; flow:from_server,established; file_data; content:"[{|22|id|22 3a 22|0|22|,|22|command|22 3a 22|OK|22|}"; depth:26; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024202; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Dropper.Abd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/ad-"; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"RgQ7"; depth:4; fast_pattern; http_client_body; pcre:"/\/ad-(?:strat|devi)\/$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,66a1dda748d073f5e659b700339c3343; reference:url,www.zscaler.com/blogs/research/malicious-android-ads-leading-drive-downloads; classtype:trojan-activity; sid:2024411; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android_07012016, signature_severity Major, created_at 2017_06_19, updated_at 2017_06_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a CnC Beacon"; flow:to_server,established; content:"/inj/injek-1.php?id="; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/\?id=(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,e9542a8bd9f0ab57e40bb8519ac443a2; classtype:trojan-activity; sid:2024426; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_06_26, malware_family Android_Marcher, updated_at 2017_06_26;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|updatmaster|03|top|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/; classtype:trojan-activity; sid:2024509; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_02, updated_at 2017_08_02;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE WireX Botnet DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|axclick|05|store|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:md5,6af299a2ac9b59f7d551b6e235e0d200; reference:url,blog.cloudflare.com/the-wirex-botnet/; classtype:trojan-activity; sid:2024615; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_28, malware_family Android_WireX, updated_at 2017_08_28;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|b1k51|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024735; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|b1j3aas|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024736; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|wechaatt|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024737; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|10as05|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024738; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ch0ck4|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024739; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|fatur1s|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024740; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 7"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|b5k31|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024741; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 8"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|erd0|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024742; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 9"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|b1v2a5|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024743; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|b1502b|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024744; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|elsssee|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024745; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|kvp41|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024746; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 13"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|servertestapi|03|ltd|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024747; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 14"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|taxii|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024748; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|p0w3r|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024749; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 16"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|4r3a|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024750; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
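Review bot: the LEAKERLOCKER DNS rule (sid 2024509) has a doubled prefix in its reference, `reference:url,reference:url,blog.trendmicro.com/...`, which leaves a malformed reference value that the rule parser will either reject or store as a URL beginning with `reference:url,`; it should read `reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/`. Minor: the Femas.b rule (sid 2023939) is the only one in this block without the `metadata: former_category MOBILE_MALWARE;` entry the others carry, which matters if category is used downstream for tuning. Since all the `udp ... -> any 53` rules here alert on any client resolving the listed domain, they are best deployed as alert-only and cross-checked against passive DNS before anyone wires them into a blocking policy.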

View file

@ -0,0 +1,18 @@
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 2048"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2000537; rev:8;)
alert ip any any -> any any (msg:"ET SCAN NMAP -sO"; dsize:0; ip_proto:21; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000536; classtype:attempted-recon; sid:2000536; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2009582; rev:2;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2009583; rev:2;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2009584; rev:1;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sA (2)"; fragbits:!D; dsize:0; flags:A,12; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000540; classtype:attempted-recon; sid:2000540; rev:8;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sF"; fragbits:!M; dsize:0; flags:F,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000543; classtype:attempted-recon; sid:2000543; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sN"; fragbits:!M; dsize:0; flags:0,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000544; classtype:attempted-recon; sid:2000544; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sS"; fragbits:!M; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000545; classtype:attempted-recon; sid:2000545; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sX"; fragbits:!M; dsize:0; flags:FPU,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000546; classtype:attempted-recon; sid:2000546; rev:7;)
alert http any any -> any $HTTP_PORTS (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Nmap NSE"; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:2009359; rev:3;)
alert http any any -> any any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:4;)
alert icmp any any -> any any (msg:"GPL SCAN PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:2100469; rev:4;)
alert tcp any any -> any any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8;)
alert tcp any any -> any any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8;)
alert tcp any any -> any any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7;)
alert http any any -> $HTTP_SERVERS any (msg:"ET SCAN NMAP SQL Spider Scan"; flow:established,to_server; content:"GET"; http_method; content:" OR sqlspider"; http_uri; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:2;)
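Review bot: the two Nmap NSE user-agent rules (sids 2009359 and 2009358) match raw `|0d 0a|User-Agent|3a| ...` content in `alert http` rules with no buffer selected, so they scan the whole reassembled stream instead of the normalized header; since the rule already depends on the HTTP app layer, `content:"Nmap NSE"; http_user_agent; nocase;` (2009359 currently has no `nocase` while 2009358 does) is cheaper and survives header reordering. Also, the `-sS window 1024/3072/4096` variants (sids 2009582, 2009583, 2009584) all point at `doc.emergingthreats.net/2000537` rather than their own sid's page, and sid 2100629 (`flags:SFPU`) is the only flag check in the file without the `,12` mask, so unlike its neighbours it will not match a probe that also has the CWR/ECE bits set.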

View file

@ -0,0 +1,772 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2014, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3.
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009246; classtype:shellcode-detect; sid:2009246; rev:3;)
#by Jaime Blasco
#
alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; sid:2009285; rev:2;)
#by Jaime Blasco
#
alert tcp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009247; classtype:shellcode-detect; sid:2009247; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009284; classtype:shellcode-detect; sid:2009284; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009248; classtype:shellcode-detect; sid:2009248; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009283; classtype:shellcode-detect; sid:2009283; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009249; classtype:shellcode-detect; sid:2009249; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009282; classtype:shellcode-detect; sid:2009282; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009250; classtype:shellcode-detect; sid:2009250; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009281; classtype:shellcode-detect; sid:2009281; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009251; classtype:shellcode-detect; sid:2009251; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009280; classtype:shellcode-detect; sid:2009280; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009252; classtype:shellcode-detect; sid:2009252; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009279; classtype:shellcode-detect; sid:2009279; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009253; classtype:shellcode-detect; sid:2009253; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009278; classtype:shellcode-detect; sid:2009278; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009254; classtype:shellcode-detect; sid:2009254; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009277; classtype:shellcode-detect; sid:2009277; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009255; classtype:shellcode-detect; sid:2009255; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009276; classtype:shellcode-detect; sid:2009276; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009256; classtype:shellcode-detect; sid:2009256; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009275; classtype:shellcode-detect; sid:2009275; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009257; classtype:shellcode-detect; sid:2009257; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009274; classtype:shellcode-detect; sid:2009274; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009258; classtype:shellcode-detect; sid:2009258; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009273; classtype:shellcode-detect; sid:2009273; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009259; classtype:shellcode-detect; sid:2009259; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009272; classtype:shellcode-detect; sid:2009272; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009260; classtype:shellcode-detect; sid:2009260; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009271; classtype:shellcode-detect; sid:2009271; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009261; classtype:shellcode-detect; sid:2009261; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009270; classtype:shellcode-detect; sid:2009270; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009262; classtype:shellcode-detect; sid:2009262; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009269; classtype:shellcode-detect; sid:2009269; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009263; classtype:shellcode-detect; sid:2009263; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009268; classtype:shellcode-detect; sid:2009268; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009264; classtype:shellcode-detect; sid:2009264; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009267; classtype:shellcode-detect; sid:2009267; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009265; classtype:shellcode-detect; sid:2009265; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009266; classtype:shellcode-detect; sid:2009266; rev:2;)
#by Anonymous Researchers(tm)
#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
#high load. use these if you need them!
#
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:2; content:!"|0A|"; within:2; content:!"|20|"; within:2; pcre:"/(%U([0-9a-f]{2})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; classtype:trojan-activity; sid:2003173; rev:7;)
#by Anonymous Researchers(tm)
#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
#high load. use these if you need them!
#
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:4; content:!"|0A|"; within:4; content:!"|20|"; within:4; pcre:"/(%U([0-9a-f]{4})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; classtype:trojan-activity; sid:2003174; rev:8;)
#by Alejandro Gramajo
##############################################################################
#x86 Pex Variable Length Fnstenv/mov/sub Double Word Xor Encoder
#D9 EE fldz
#D9 74 24 F4 fnstenv [esp - 12]
#5B pop ebx
#81 73 13 xorkey xor_xor: xor DWORD [ebx + 22], xorkey
#83 EB FC sub ebx,-4
#E2 F4 loop xor_xor
#Real traffic dump
#Content1
#98 49 F8 27 91 2F 27 48 4F 4E 6A 12 59 <D9 EE D9 .I.'./'HONj.Y...
#74 24 F4 5B 81 73 13> 2E D6 9A FE <83 EB FC E2 F4> t$.[.s..........
#Xorkey Content2
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexFnstenvMov/Sub Encoder"; flow:established; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; classtype:shellcode-detect; sid:2002903; rev:5;)
##############################################################################
#x86 Skylined's Alpha2 Alphanumeric Encoder
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Alpha2 GetEIPs Encoder"; flow:established; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; classtype:shellcode-detect; sid:2002904; rev:5;)
##############################################################################
#x86 Call $+4 countdown xor encoder
#E8 FF FF FF call $+4
#FF C1 inc ecx
#5E pop esi
#30 4C 0E 07 xor_xor: xor [esi + ecx + 0x07], cl
#E2 FA loop xor_xor
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Countdown Encoder"; flow:established; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002905; classtype:shellcode-detect; sid:2002905; rev:5;)
##############################################################################
#x86 Pex Alphanumeric Encoder
#VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089 win32getpc
#?? JJJJJ ?? baseaddr
#VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM decoder
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexAlphaNum Encoder"; flow:established; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; reference:url,doc.emergingthreats.net/bin/view/Main/2002906; classtype:shellcode-detect; sid:2002906; rev:5;)
##############################################################################
#x86 Pex Call $+4 Double Word Xor Encoder
#E8 FF FF FF call $+4
#FF C0 inc eax
#5E pop esi
#81 76 0E xorkey xor_xor: xor [esi + 0x0e], xorkey
#83 EE FC sub esi, -4
#E2 F4 loop xor_xor
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 PexCall Encoder"; flow:established; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|83 EE FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002907; classtype:shellcode-detect; sid:2002907; rev:5;)
##############################################################################
#x86 IA32 Jmp/Call XOR Additive Feedback Decoder
#FC cld
#BB key mov ebx, key
#EB 0C jmp short 0x14
#5E pop esi
#56 push esi
#31 1E xor [esi], ebx
#AD lodsd
#01 C3 add ebx, eax
#85 C0 test eax, eax
#75 F7 jnz 0xa
#C3 ret
#E8 EF FF FF FF call 0x8
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 JmpCallAdditive Encoder"; flow:established; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; classtype:shellcode-detect; sid:2002908; rev:5;)
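# The decoder-stub comments above explain why these rules anchor on the bytes on
# either side of the 4-byte xor key and bridge the gap with distance/within.
# The Python below is an added example (not part of the ET ruleset or this
# repo): it models Snort/Suricata content + distance/within matching and runs
# it over the PexFnstenvMov traffic dump transcribed from the comment block;
# the JmpCallAdditive sample and the shifted-key sample are constructed.

```python
# Toy model of Snort/Suricata "content" matching with the distance/within
# modifiers, run over the PexFnstenvMov capture transcribed from the comment
# block above. Added example for this rules file, not part of the ET ruleset.

# Transcribed from the "Real traffic dump" comment: 13 bytes of preceding
# payload, the 10-byte decoder prologue (Content1), the 4-byte XOR key
# 2E D6 9A FE, then the 5-byte decoder tail (Content2).
CAPTURE = bytes.fromhex(
    "98 49 F8 27 91 2F 27 48 4F 4E 6A 12 59"   # unrelated preceding bytes
    "D9 EE D9 74 24 F4 5B 81 73 13"            # fldz; fnstenv [esp-12]; pop ebx; xor dword [ebx+22],
    "2E D6 9A FE"                              # xorkey (imm32 operand of the xor)
    "83 EB FC E2 F4"                           # sub ebx,-4; loop xor_xor
)

# A rule body as an ordered list of (content, distance, within); None means the
# modifier is absent. Both rule bodies are copied from the rules in this file.
PEX_FNSTENV_MOV = [  # sid:2002903
    (bytes.fromhex("D9 EE D9 74 24 F4 5B 81 73 13"), None, None),
    (bytes.fromhex("83 EB FC E2 F4"), 4, 5),
]
JMP_CALL_ADDITIVE = [  # sid:2002908
    (bytes.fromhex("FC BB"), None, None),
    (bytes.fromhex("EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF"), 4, 19),
]


def match_rule(payload, contents):
    """Return the match offset of every content, or None if the rule does not fire.

    Modelled semantics: the first content is searched anywhere; for later
    contents, distance:N moves the search start N bytes past the end of the
    previous match, and within:N requires the content to end no more than N
    bytes after that start. With distance:4 and within:5 around a 5-byte
    content, the only allowed position is exactly 4 bytes (the imm32 key)
    after the previous match, which is why the rule needs no key value.
    """
    offsets = []
    prev_end = None
    for content, distance, within in contents:
        if prev_end is None:
            start, end = 0, len(payload)
        else:
            start = prev_end + (distance or 0)
            end = len(payload) if within is None else start + within
        idx = payload.find(content, start, end)  # must lie fully inside [start, end)
        if idx < 0:
            return None
        offsets.append(idx)
        prev_end = idx + len(content)
    return offsets


def extract_gap(payload, contents, offsets):
    """Bytes between the first and second content match: for the Pex and
    JmpCallAdditive decoders this is the 4-byte XOR key the rule skipped,
    which is useful when triaging an alert."""
    first_end = offsets[0] + len(contents[0][0])
    return payload[first_end:offsets[1]]


def rule_fires(payload, contents):
    return match_rule(payload, contents) is not None


if __name__ == "__main__":
    hits = match_rule(CAPTURE, PEX_FNSTENV_MOV)
    print("PexFnstenvMov offsets:", hits)
    print("skipped key:", extract_gap(CAPTURE, PEX_FNSTENV_MOV, hits).hex())
    # Constructed: a stub whose key field is 5 bytes instead of 4 falls outside
    # the within window and does not fire, although both contents are present.
    shifted = CAPTURE[:27] + b"\x00" + CAPTURE[27:]
    print("5-byte gap fires:", rule_fires(shifted, PEX_FNSTENV_MOV))
```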
#Metasploit BSD shellcode detect rules by h0f - Jennylab
#Alberto Garcia de Dios
#albertogdedios@andaluciajunta.es
#http://www.jennylab.org
#####
#METASPLOIT SHELLCODE RULES
#####
#BSD METASPLOIT RULES
#### BSD BIND SHELL #######
#BSD Bind Shell - ENCODE: PexFnstenvSub
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010383; classtype:shellcode-detect; sid:2010383; rev:2;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; reference:url,doc.emergingthreats.net/2010386; classtype:shellcode-detect; sid:2010386; rev:3;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4)"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a 2a cc a5|"; reference:url,doc.emergingthreats.net/2010387; classtype:shellcode-detect; sid:2010387; rev:3;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5)"; content:"|17 1c 1a 19 fb 77 80 ce|"; reference:url,doc.emergingthreats.net/2010388; classtype:shellcode-detect; sid:2010388; rev:3;)
#BSD Bind Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1)"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010389; classtype:shellcode-detect; sid:2010389; rev:3;)
#BSD Bind Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010390; classtype:shellcode-detect; sid:2010390; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1)"; content:"|6a 61 58 99 52 68 10 02|"; reference:url,doc.emergingthreats.net/2010391; classtype:shellcode-detect; sid:2010391; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2)"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a 68 58 cd|"; reference:url,doc.emergingthreats.net/2010392; classtype:shellcode-detect; sid:2010392; rev:2;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3)"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a 5a 58 51|"; reference:url,doc.emergingthreats.net/2010393; classtype:shellcode-detect; sid:2010393; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4)"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|"; reference:url,doc.emergingthreats.net/2010394; classtype:shellcode-detect; sid:2010394; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)"; content:"|50 54 53 53 b0 3b cd 80|"; reference:url,doc.emergingthreats.net/2010395; classtype:shellcode-detect; sid:2010395; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49 51 5a 56|"; reference:url,doc.emergingthreats.net/2010396; classtype:shellcode-detect; sid:2010396; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33 30 42 43|"; reference:url,doc.emergingthreats.net/2010397; classtype:shellcode-detect; sid:2010397; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010398; classtype:shellcode-detect; sid:2010398; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; reference:url,doc.emergingthreats.net/2010399; classtype:shellcode-detect; sid:2010399; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)"; content:"|41 4e 44 35 44 34 44|"; reference:url,doc.emergingthreats.net/2010400; classtype:shellcode-detect; sid:2010400; rev:3;)
#BSD Bind Shell - ENCODE: PexFstEnvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010401; classtype:shellcode-detect; sid:2010401; rev:3;)
#BSD Bind Shell - ENCODE: PexFstEnvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010402; classtype:shellcode-detect; sid:2010402; rev:3;)
#BSD Bind Shell - ENCODE: JmpCallAdditive
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010403; classtype:shellcode-detect; sid:2010403; rev:3;)
#BSD Bind Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49 49 49 49|"; reference:url,doc.emergingthreats.net/2010404; classtype:shellcode-detect; sid:2010404; rev:3;)
#BSD Bind Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2)"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|"; reference:url,doc.emergingthreats.net/2010405; classtype:shellcode-detect; sid:2010405; rev:3;)
#BSD Bind Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3)"; content:"|49 72 4e 4e 69 6b 53|"; reference:url,doc.emergingthreats.net/2010406; classtype:shellcode-detect; sid:2010406; rev:3;)
#BSD Reverse Shell - ENCODE: PexFnstenvSub
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010407; classtype:shellcode-detect; sid:2010407; rev:3;)
#### EOF BSD BIND SHELL ######
### BSD REVERSE SHELL #######
#BSD Reverse Shell - ENCODE: PexFnstenvSub
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010408; classtype:shellcode-detect; sid:2010408; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1)"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|"; reference:url,doc.emergingthreats.net/2010409; classtype:shellcode-detect; sid:2010409; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2)"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c 96 7d 79 7e|"; reference:url,doc.emergingthreats.net/2010410; classtype:shellcode-detect; sid:2010410; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3)"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50 54 b2 df 6d|"; reference:url,doc.emergingthreats.net/2010411; classtype:shellcode-detect; sid:2010411; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4)"; content:"|57 44 55 4a 5b 62|"; reference:url,doc.emergingthreats.net/2010412; classtype:shellcode-detect; sid:2010412; rev:3;)
#BSD Reverse Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1)"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010413; classtype:shellcode-detect; sid:2010413; rev:3;)
#BSD Reverse Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010414; classtype:shellcode-detect; sid:2010414; rev:3;)
#BSD Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1)"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50|"; reference:url,doc.emergingthreats.net/2010415; classtype:shellcode-detect; sid:2010415; rev:3;)
#BSD Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2)"; content:"|6a 61 58 99 52 42 52 42 52 68|"; reference:url,doc.emergingthreats.net/2010416; classtype:shellcode-detect; sid:2010416; rev:3;)
#BSD Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3)"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59 b0 5a 51 57|"; reference:url,doc.emergingthreats.net/2010417; classtype:shellcode-detect; sid:2010417; rev:3;)
#BSD Reverse Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f 49 38 41 4e|"; reference:url,doc.emergingthreats.net/2010418; classtype:shellcode-detect; sid:2010418; rev:3;)
#BSD Reverse Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56 4a 35 4d 4c|"; reference:url,doc.emergingthreats.net/2010419; classtype:shellcode-detect; sid:2010419; rev:3;)
#BSD Reverse Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010420; classtype:shellcode-detect; sid:2010420; rev:3;)
#BSD Reverse Shell - ENCODE: PexFnstenvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010421; classtype:shellcode-detect; sid:2010421; rev:3;)
#BSD Reverse Shell - ENCODE: PexFnstenvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010422; classtype:shellcode-detect; sid:2010422; rev:3;)
#BSD Reverse Shell - ENCODE: JmpCallAdditive
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010423; classtype:shellcode-detect; sid:2010423; rev:2;)
#BSD Reverse Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)"; content:"|49 49 49 49 49 49 49 51 5a 6a|"; reference:url,doc.emergingthreats.net/2010424; classtype:shellcode-detect; sid:2010424; rev:2;)
#BSD Reverse Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)"; content:"|58 50 30 42 31 41 42 6b 42 41|"; reference:url,doc.emergingthreats.net/2010425; classtype:shellcode-detect; sid:2010425; rev:2;)
#BSD Reverse Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|"; reference:url,doc.emergingthreats.net/2010426; classtype:shellcode-detect; sid:2010426; rev:2;)
##### EOF BSD Reverse Shell#####
##### BSD SPARC Bind Shell #########
#BSD SPARC Bind Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010427; classtype:shellcode-detect; sid:2010427; rev:2;)
#BSD SPARC Bind Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010428; classtype:shellcode-detect; sid:2010428; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1)"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20 10 82 10 20 68|"; reference:url,doc.emergingthreats.net/2010429; classtype:shellcode-detect; sid:2010429; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20 6a 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010430; classtype:shellcode-detect; sid:2010430; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3)"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20 1e 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010431; classtype:shellcode-detect; sid:2010431; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4)"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf f0 d0 23 bf f8|"; reference:url,doc.emergingthreats.net/2010432; classtype:shellcode-detect; sid:2010432; rev:2;)
#### EOF BSD SPARC Bind Shell #########
### BSD SPARC Reverse Shell ########
#BSD SPARC Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10 20 02 82 10 20 61|"; reference:url,doc.emergingthreats.net/2010433; classtype:shellcode-detect; sid:2010433; rev:2;)
#BSD SPARC Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82 10 20 5a|"; reference:url,doc.emergingthreats.net/2010434; classtype:shellcode-detect; sid:2010434; rev:2;)
#BSD SPARC Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|"; reference:url,doc.emergingthreats.net/2010437; classtype:shellcode-detect; sid:2010437; rev:2;)
#BSD SPARC Reverse Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010435; classtype:shellcode-detect; sid:2010435; rev:2;)
#BSD SPARC Reverse Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010436; classtype:shellcode-detect; sid:2010436; rev:2;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:2100640; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:8;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:10;)
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2102313; rev:3;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2102312; rev:3;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2102314; rev:3;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:653; rev:9;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern:only; classtype:shellcode-detect; sid:2101424; rev:8;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:6;)
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:9;)
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:9;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:9;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7;)
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2100691; rev:7;)
#
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012087; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012089; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012090; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012091; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012092; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012093; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:4;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:4;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode"; flow:established,to_client; content:"writeByte(0x"; nocase; pcre:"/writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}/smi"; reference:url,blog.fireeye.com/research/2009/07/actionscript_heap_spray.html; classtype:shellcode-detect; sid:2012120; rev:2;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:4;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012252; rev:3;)
#
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:2;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:3;)
#
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:2;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:3;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012534; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; classtype:shellcode-detect; sid:2012962; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; classtype:shellcode-detect; sid:2012963; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; classtype:shellcode-detect; sid:2012964; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; classtype:shellcode-detect; sid:2012965; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern:only; classtype:shellcode-detect; sid:2013145; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013146; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013147; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"heap|2E|"; nocase; fast_pattern:only; pcre:"/var\x20[^\n\r]*\x3D[^\n\r]*heap\x2E/smi"; classtype:shellcode-detect; sid:2013148; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; file_data; content:"|5C|x0a|5C|x0a|5C|x0a|5C|x0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013267; rev:4;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; pcre:"/u0[a-d]u0[a-d]u0[a-d]u0[a-d]/smi"; classtype:shellcode-detect; sid:2013319; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:3; within:2; pcre:"/u0[a-d]0[a-d]u0[a-d]0[a-d]/smi"; classtype:shellcode-detect; sid:2013320; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; classtype:bad-unknown; sid:2016715; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4;)
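Review bot: several of the heap-spray signatures vendored here match a short literal anywhere in a to_client HTTP response with no further constraint (sid:2012252 on "0a0a0a0a", sid:2012962 to 2012965 on "0x0a0a0a0a" through "0x0d0d0d0d", sid:2013145 on "%41%41%41%41", which is just URL-encoded "AAAA", and sid:2013273 on "\x41\x41\x41\x41"), so on a network that serves hex dumps, minified JavaScript or base64 blobs they will fire constantly and bury the few useful hits such as the `E8 00 00 00 00` call-with-no-offset rules. If the file is kept as an unmodified upstream copy, the tuning belongs in the threshold.config that suricata.yaml already points at (per-sid `threshold` or `suppress` entries) rather than in this file; either way, record which sids were reviewed. Minor: sid:2012089 is a `udp` rule whose msg still reads "TCP Shellcode", an upstream copy-paste slip worth noting so nobody "fixes" it locally without bumping rev.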

View file

@ -0,0 +1,90 @@
#!/bin/bash
#
# Init file for suricata
#
#
# chkconfig: 345 52 48
# description: Network Intrusion Detection System
#
# processname: Suricata
# pidfile: /var/run/suricata.pid
source /etc/rc.d/init.d/functions
### Read configuration
[ -r "$SYSCONFIG" ] && source "$SYSCONFIG"
RETVAL=0
prog="suricata"
desc="Suricata IDS"
start() {
# Make sure the interfaces are up, or suricata won't start.
for interface in <% @interface.each do |int| -%><%= int %> <% end -%>
do
/sbin/ifconfig $interface up
done
echo -n $"Starting $desc ($prog): "
daemon "suricata -D -c /etc/suricata/suricata.yaml <% @interface.each do |int| -%> -i <%= int %> <% end -%> >> /var/log/suricata/suricata.log"
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
return $RETVAL
}
stop() {
echo -n $"Shutting down $desc ($prog): "
killproc $prog
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
return $RETVAL
}
restart() {
stop
start
}
reload() {
echo "Checking config before restarting"
suricata -T -c /etc/suricata/suricata.yaml >/dev/null 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ]
then
kill -USR2 $(cat /var/run/suricata.pid)
else
echo "Config broken, not reloading"
fi
return $RETVAL
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
reload)
reload
;;
condrestart)
[ -e /var/lock/subsys/$prog ] && restart
RETVAL=$?
;;
status)
status $prog
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
RETVAL=1
esac
exit $RETVAL
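Review bot: `$SYSCONFIG` is tested and sourced at `[ -r "$SYSCONFIG" ] && source "$SYSCONFIG"` but nothing ever assigns it, so the test is always against an empty string and the sysconfig file is silently never read; add `SYSCONFIG=/etc/sysconfig/suricata` before that line (and quote `$prog`/`$interface` throughout). In `start()`, `/sbin/ifconfig $interface up` relies on the deprecated net-tools binary, which is absent on recent RHEL-family hosts; `ip link set "$interface" up` is the portable form, and a failure there should abort the start rather than fall through to `daemon`. `reload()` correctly runs `suricata -T` before signalling, but `start()` does not, so a broken ruleset only surfaces as a failed start with the error buried in /var/log/suricata/suricata.log; running the same `-T` check in `start()` gives an immediate, actionable message. Also guard the `kill -USR2 $(cat /var/run/suricata.pid)` with a check that the pidfile exists, otherwise `cat` fails and `kill` is invoked with no pid.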

View file

@ -0,0 +1,12 @@
[Unit]
Description=Open Source Next Generation Intrusion Detection and Prevention Engine
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml <% @interface.each do |int| -%> -i <%= int %> <% end -%>
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill $MAINPID
[Install]
WantedBy=multi-user.target
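Review bot: `ExecReload=/bin/kill -HUP $MAINPID` does not do what the sysvinit script in the same commit does. Suricata treats SIGHUP as the log-rotation signal (reopen log files), while a live ruleset reload is requested with SIGUSR2, which is what the init script's `reload()` sends after a `suricata -T` config check; use `/bin/kill -USR2 $MAINPID` here (or `ExecReload=/usr/bin/suricatasc -c reload-rules` if the unix socket is enabled) so `systemctl reload suricata` actually reloads rules, and add a matching `ExecReload` pre-check or document that there is none. Smaller points: `After=syslog.target` is an obsolete target and should be dropped, `ExecStop=/bin/kill $MAINPID` just restates systemd's default SIGTERM and can go, and a `Restart=on-failure` line is worth adding for an IDS that is expected to stay up unattended.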

View file

@ -0,0 +1,317 @@
%YAML 1.1
---
default-log-dir: /var/log/suricata/
unix-command:
enabled: no
run-as:
user: suricata
group: suricata
outputs:
- fast:
enabled: yes
filename: fast.log
append: yes
- unified2-alert:
enabled: no
filename: unified2.alert
- http-log:
enabled: no
filename: http.log
append: yes
- tls-log:
enabled: no # Log TLS connections.
filename: tls.log # File to store TLS logs.
certs-log-dir: certs # directory to store the certificates files
- pcap-info:
enabled: no
- pcap-log:
enabled: no
filename: log.pcap
limit: 1000mb
max-files: 2000
mode: normal # normal or sguil.
use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
- alert-debug:
enabled: no
filename: alert-debug.log
append: yes
- alert-prelude:
enabled: no
profile: suricata
log-packet-content: no
log-packet-header: yes
- stats:
enabled: no
filename: stats.log
interval: 8
- syslog:
enabled: no
facility: local5
- drop:
enabled: no
filename: drop.log
append: yes
- file-store:
enabled: no # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
force-md5: no # force logging of md5 checksums
- file-log:
enabled: no
filename: files-json.log
append: yes
force-magic: no # force logging magic on all logged files
force-md5: no # force logging of md5 checksums
magic-file: /usr/share/file/magic
nfq:
af-packet:
threshold-file: /etc/suricata/threshold.config
detect-engine:
- profile: medium
- custom-values:
toclient-src-groups: 2
toclient-dst-groups: 2
toclient-sp-groups: 2
toclient-dp-groups: 3
toserver-src-groups: 2
toserver-dst-groups: 4
toserver-sp-groups: 2
toserver-dp-groups: 25
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
threading:
set-cpu-affinity: no
cpu-affinity:
- management-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
- receive-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
- decode-cpu-set:
cpu: [ 0, 1 ]
mode: "balanced"
- stream-cpu-set:
cpu: [ "0-1" ]
- detect-cpu-set:
cpu: [ "all" ]
mode: "exclusive" # run detect threads in these cpus
prio:
low: [ 0 ]
medium: [ "1-2" ]
high: [ 3 ]
default: "medium"
- verdict-cpu-set:
cpu: [ 0 ]
prio:
default: "high"
- reject-cpu-set:
cpu: [ 0 ]
prio:
default: "low"
- output-cpu-set:
cpu: [ "all" ]
prio:
default: "medium"
detect-thread-ratio: 1.5
cuda:
- mpm:
packet-buffer-limit: 2400
packet-size-limit: 1500
packet-buffers: 10
batching-timeout: 1
page-locked: enabled
device-id: 0
cuda-streams: 2
mpm-algo: ac
pattern-matcher:
- b2gc:
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b2gm:
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b2g:
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b3g:
search-algo: B3gSearchBNDMq
hash-size: low
bf-size: medium
- wumanber:
hash-size: low
bf-size: medium
defrag:
memcap: 32mb
hash-size: 65536
trackers: 65535 # number of defragmented flows to follow
max-frags: 65535 # number of fragments to keep (higher than trackers)
prealloc: yes
timeout: 60
flow:
memcap: 32mb
hash-size: 65536
prealloc: 10000
emergency-recovery: 30
flow-timeouts:
default:
new: 30
established: 300
closed: 0
emergency-new: 10
emergency-established: 100
emergency-closed: 0
tcp:
new: 60
established: 3600
closed: 120
emergency-new: 10
emergency-established: 300
emergency-closed: 20
udp:
new: 30
established: 300
emergency-new: 10
emergency-established: 100
icmp:
new: 30
established: 300
emergency-new: 10
emergency-established: 100
stream:
memcap: 32mb
checksum-validation: yes # reject wrong csums
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
reassembly:
memcap: 64mb
depth: 1mb # reassemble 1mb into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
host:
hash-size: 4096
prealloc: 1000
memcap: 16777216
logging:
default-log-level: info
default-output-filter:
outputs:
- console:
enabled: yes
- file:
enabled: no
filename: /var/log/suricata.log
- syslog:
enabled: no
facility: local5
pfring:
- interface: <%= @pcapinterface %>
threads: 1
cluster-id: 99
cluster-type: cluster_flow
- interface: default
pcap:
- interface: <%= @pcapinterface %>
- interface: default
ipfw:
default-rule-path: /etc/suricata/rules/
rule-files:
- local.rules
- tor.rules
- emerging-shellcode.rules
- dshield.rules
- compromised.rules
- dshield.rules
- mobilemalware.rules
- nmap.rules
- shellcode.rules
- osxmalware.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
vars:
address-groups:
port-groups:
HTTP_PORTS: "80"
SHELLCODE_PORTS: "!80"
ORACLE_PORTS: 1521
SSH_PORTS: 22
DNP3_PORTS: 20000
action-order:
- pass
- drop
- reject
- alert
host-os-policy:
windows: [0.0.0.0/0]
bsd: []
bsd-right: []
old-linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
old-solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []
asn1-max-frames: 256
engine-analysis:
rules-fast-pattern: yes
rules: yes
pcre:
match-limit: 3500
match-limit-recursion: 1500
libhtp:
default-config:
personality: IDS
request-body-limit: 3072
response-body-limit: 3072
request-body-minimal-inspect-size: 32kb
request-body-inspect-window: 4kb
response-body-minimal-inspect-size: 32kb
response-body-inspect-window: 4kb
double-decode-path: no
double-decode-query: no
server-config:
- apache:
address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
personality: Apache_2_2
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
- iis7:
address:
- 192.168.0.0/24
- 192.168.10.0/24
personality: IIS_7_0
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
profiling:
rules:
enabled: yes
filename: rule_perf.log
append: yes
sort: avgticks
limit: 100
packets:
enabled: yes
filename: packet_stats.log
append: yes
csv:
enabled: no
filename: packet_stats.csv
locks:
enabled: no
filename: lock_stats.log
append: yes
coredump:
max-dump: unlimited
napatech:
hba: -1
use-all-streams: yes
streams: [1, 2, 3]
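Review bot: `vars.address-groups` is left empty, yet every rule in the shellcode and Tor files added in this commit is written against `$HOME_NET` and `$EXTERNAL_NET`; with those variables undefined the rules fail to parse at startup, so the sensor loads with essentially no signatures. Define at least `HOME_NET: "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]"` and `EXTERNAL_NET: "!$HOME_NET"` under `address-groups` (the exact HOME_NET belongs in the template variables, like the interfaces). Related: `dshield.rules` appears twice in `rule-files`, which loads that file twice and produces a duplicate-sid warning for every signature; `HTTP_PORTS: "80"` alone means the `$HTTP_PORTS` shellcode rules never see 8080, 8000 or 8443 traffic; and the capture interface is templated as `@pcapinterface` here but as the `@interface` array in the init script and unit file, so the two can silently diverge. Finally, `profiling.rules.enabled: yes` and `profiling.packets.enabled: yes` add measurable per-packet overhead on a production sensor (and only take effect in a build configured with profiling support); default them to `no` unless the cookbook is targeting a tuning run.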

View file

@ -0,0 +1,775 @@
#
# Emerging Threats Tor rules.
#
# These will tell you if someone using Tor for source anonymization is communicating with your network.
#
# Tor in itself isn't inherently hostile. In many environments that may be a very suspicious way
# to communicate.
#
# More information available at doc.emergingthreats.net/bin/view/Main/TorRules
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# VERSION 3093
# Updated 2017-09-22 00:30:01
alert ip [103.234.220.197,103.236.201.110,103.236.201.57,103.27.124.82,103.29.70.23,103.35.74.75,103.35.74.77,103.3.61.114,103.56.207.84,103.8.79.229] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520000; rev:3093;)
alert ip [104.192.0.50,104.200.20.46,104.218.63.73,104.218.63.74,104.218.63.75,104.218.63.76,104.223.123.100,104.223.123.101,104.223.123.98,104.223.123.99] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520002; rev:3093;)
alert ip [104.236.141.156,104.237.203.98,104.244.74.78,106.187.37.101,107.181.174.84,107.189.49.130,109.126.9.228,109.169.33.163,109.201.133.100,109.69.67.17] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520004; rev:3093;)
alert ip [1.161.250.166,118.163.74.160,120.29.217.46,124.109.1.207,125.212.241.182,126.72.58.19,128.199.47.160,128.52.128.105,128.70.19.225,130.204.161.3] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520006; rev:3093;)
alert ip [178.17.170.164,178.17.170.194,178.17.170.195,178.17.170.196,178.17.171.111,178.17.171.40,178.17.171.43,178.17.171.49,178.17.174.10,178.17.174.14] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522038; rev:3093;)
alert ip [178.17.174.198,178.17.174.32,178.175.131.194,178.18.83.215,178.202.169.177,178.20.55.16,178.20.55.18,178.209.42.84,178.238.237.44,178.32.181.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522040; rev:3093;)
alert ip [178.32.181.97,178.32.181.98,178.32.181.99,178.32.53.94,178.62.85.101,178.63.110.151,179.43.146.230,18.248.1.85,18.248.2.85,184.105.220.24] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522042; rev:3093;)
alert ip [185.100.84.108,185.100.84.82,185.100.85.101,185.100.85.112,185.100.85.147,185.100.85.190,185.100.85.192,185.100.85.61,185.100.86.128,185.100.86.141] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522044; rev:3093;)
alert ip [185.100.86.154,185.100.86.167,185.100.86.86,185.100.87.82,185.103.99.60,185.104.120.2,185.104.120.4,185.104.120.7,185.10.68.119,185.10.68.139] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522046; rev:3093;)
alert ip [185.10.68.191,185.107.81.233,185.107.81.234,185.11.167.4,185.11.167.55,185.11.167.56,185.11.167.57,185.11.167.58,185.11.167.59,185.11.167.60] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 25"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522048; rev:3093;)
alert ip [185.112.157.135,185.112.254.195,185.117.118.234,185.157.232.64,185.159.128.193,185.159.131.99,185.16.200.176,185.163.1.11,185.165.168.229,185.165.168.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 26"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522050; rev:3093;)
alert ip [185.165.168.77,185.170.42.18,185.175.208.179,185.175.208.180,185.189.14.230,185.189.14.61,185.34.33.2,185.38.14.171,185.38.14.215,185.61.138.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 27"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522052; rev:3093;)
alert ip [185.61.149.193,185.62.57.91,185.65.205.10,185.66.200.10,185.70.11.132,185.72.244.24,185.82.216.233,185.82.216.241,185.86.149.175,185.87.185.45] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 28"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522054; rev:3093;)
alert ip [187.104.48.3,187.20.55.95,188.165.62.9,188.209.52.238,188.226.212.13,18.85.22.204,189.84.21.44,190.10.8.50,191.96.249.110,192.160.102.164] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 29"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522056; rev:3093;)
alert ip [192.160.102.165,192.160.102.166,192.160.102.168,192.160.102.169,192.160.102.170,192.195.80.10,192.34.80.176,192.36.27.4,192.42.116.16,192.81.131.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 30"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522058; rev:3093;)
alert ip [193.107.85.56,193.107.85.57,193.107.85.62,193.110.157.151,193.15.16.4,193.164.131.95,193.171.202.146,193.201.225.45,193.233.60.154,193.70.39.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 31"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522060; rev:3093;)
alert ip [193.70.89.19,193.70.89.20,194.218.3.79,194.54.162.212,195.123.212.118,195.123.212.34,195.219.163.68,195.219.166.53,195.22.126.177,195.22.126.178] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 32"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522062; rev:3093;)
alert ip [195.228.45.176,195.254.135.76,196.41.123.180,197.231.221.211,198.167.223.38,198.167.223.50,198.211.103.26,198.211.122.191,198.50.159.204,198.50.200.129] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 33"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522064; rev:3093;)
alert ip [198.50.200.131,198.50.200.134,198.50.200.135,198.50.200.147,198.58.100.240,198.58.107.53,198.73.50.71,198.96.155.3,199.127.226.150,199.249.223.40] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 34"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522066; rev:3093;)
alert ip [199.249.223.60,199.249.223.61,199.249.223.62,199.249.223.63,199.249.223.64,199.249.223.65,199.249.223.66,199.249.223.67,199.249.223.68,199.249.223.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 35"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522068; rev:3093;)
alert ip [199.249.223.71,199.249.223.72,199.249.223.73,199.249.223.74,199.249.223.75,199.249.223.76,199.249.223.77,199.249.223.78,199.249.223.79,199.249.223.81] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 36"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522070; rev:3093;)
alert ip [199.249.224.40,199.249.224.41,199.249.224.42,199.249.224.43,199.249.224.44,199.249.224.45,199.249.224.46,199.249.224.47,199.249.224.48,199.249.224.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 37"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522072; rev:3093;)
alert ip [199.68.196.124,199.87.154.255,204.11.50.131,204.194.29.4,204.8.156.142,204.85.191.30,204.85.191.31,205.166.94.153,205.168.84.133,206.248.184.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 38"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522074; rev:3093;)
alert ip [206.55.74.0,207.244.70.35,208.67.1.79,208.67.1.82,208.67.1.83,209.123.234.23,210.3.102.152,211.21.48.217,212.16.104.33,212.19.17.213] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 39"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522076; rev:3093;)
alert ip [212.21.66.6,212.47.227.114,212.47.229.60,212.47.239.73,212.47.243.140,212.47.246.21,212.81.199.159,212.83.140.95,212.83.40.239,212.92.219.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 40"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522078; rev:3093;)
alert ip [213.108.105.71,213.108.105.92,213.136.74.184,213.61.149.125,213.61.149.126,213.95.21.54,216.218.134.12,216.218.222.11,216.218.222.12,216.218.222.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 41"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522080; rev:3093;)
alert ip [216.239.90.19,217.115.10.131,217.170.197.83,217.182.207.27,217.182.74.253,217.182.76.240,217.182.78.177,222.110.3.1,223.26.48.248,23.129.64.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 42"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522082; rev:3093;)
alert ip [23.129.64.12,23.129.64.13,23.129.64.14,23.129.64.15,23.129.64.16,23.129.64.17,23.129.64.18,23.129.64.19,23.129.64.20,23.92.27.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 43"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522084; rev:3093;)
alert ip [23.92.28.23,23.95.70.22,24.207.212.154,2.44.188.87,31.185.104.19,31.185.104.20,31.185.104.21,31.185.27.203,35.184.106.64,36.226.247.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 44"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522086; rev:3093;)
alert ip [36.227.172.7,37.139.8.104,37.187.105.104,37.187.53.94,37.187.7.74,37.218.240.21,37.218.240.50,37.218.240.68,37.218.240.80,37.220.35.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 45"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522088; rev:3093;)
alert ip [37.220.36.240,37.48.120.196,37.48.120.9,37.59.112.7,37.59.119.196,37.97.228.159,41.206.188.206,41.231.53.101,41.78.128.113,45.33.23.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 46"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522090; rev:3093;)
alert ip [45.33.48.204,45.62.236.66,45.62.251.245,45.76.115.159,45.79.137.11,45.79.198.115,45.79.73.22,46.101.127.145,46.101.139.248,46.101.150.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 47"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522092; rev:3093;)
alert ip [46.101.164.37,46.165.223.217,46.165.230.5,46.165.254.166,46.17.97.112,46.182.106.190,46.182.18.214,46.182.18.29,46.182.18.40,46.182.18.46] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 48"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522094; rev:3093;)
alert ip [46.182.19.15,46.182.19.219,46.183.218.199,46.183.221.231,46.194.55.111,46.226.108.26,46.233.0.70,46.235.227.70,46.246.49.91,46.29.248.238] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 49"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522096; rev:3093;)
alert ip [46.45.137.71,46.4.55.177,46.4.81.178,50.247.195.124,50.76.159.218,51.15.134.120,51.15.141.220,51.15.212.104,51.15.34.210,51.15.40.233] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 50"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522098; rev:3093;)
alert ip [51.15.43.205,51.15.43.232,51.15.44.197,51.15.45.97,51.15.46.49,51.15.50.133,51.15.53.118,51.15.53.83,51.15.54.136,51.15.56.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 51"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522100; rev:3093;)
alert ip [51.15.57.177,51.15.57.79,51.15.60.255,51.15.60.62,51.15.62.146,51.15.63.229,51.15.63.98,51.15.64.212,51.15.70.13,51.15.70.177] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 52"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522102; rev:3093;)
alert ip [51.15.70.226,51.15.70.228,51.15.76.81,51.15.79.107,51.15.87.157,51.255.202.66,5.188.11.165,5.189.146.133,5.189.188.111,5.196.0.149] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 53"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522104; rev:3093;)
alert ip [5.196.1.129,5.196.121.161,5.196.66.162,5.199.130.188,52.15.62.13,5.254.112.154,5.254.79.66,5.39.217.14,54.36.81.57,5.56.214.118] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 54"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522106; rev:3093;)
alert ip [5.79.68.161,59.127.163.155,5.9.158.75,59.177.81.30,5.9.195.140,60.248.162.179,62.102.148.67,62.109.29.199,62.133.130.105,62.141.39.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 55"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522108; rev:3093;)
alert ip [62.149.13.57,62.176.4.10,62.198.32.223,62.210.105.116,62.210.105.86,62.210.115.87,62.210.129.246,62.210.149.35,62.210.37.82,62.212.73.141] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 56"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522110; rev:3093;)
alert ip [62.219.3.47,62.219.3.48,64.113.32.29,64.124.32.84,64.137.162.142,64.137.205.124,64.137.210.30,64.137.210.54,64.137.210.86,64.27.17.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 57"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522112; rev:3093;)
alert ip [65.129.144.43,65.181.123.254,65.19.167.130,65.19.167.131,65.19.167.132,66.155.4.213,66.180.193.219,66.70.217.179,67.205.146.164,67.215.255.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 58"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522114; rev:3093;)
alert ip [69.164.207.234,71.46.220.68,72.12.207.14,72.14.179.10,72.14.182.209,72.174.26.72,72.52.75.27,72.93.243.211,74.50.54.69,75.54.229.204] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 59"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522116; rev:3093;)
alert ip [77.109.139.87,77.246.163.141,77.247.181.165,77.250.227.12,77.81.107.138,78.107.237.16,78.129.137.28,78.131.53.162,78.13.201.140,78.142.175.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 60"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522118; rev:3093;)
alert ip [78.31.164.41,78.41.115.145,78.45.15.253,78.63.161.0,78.70.167.74,79.137.67.116,79.137.79.167,79.137.80.94,79.169.39.161,80.241.60.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 61"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522120; rev:3093;)
alert ip [80.67.172.162,80.79.23.7,80.82.67.186,80.85.84.23,81.171.19.32,82.146.58.35,82.165.100.196,82.211.0.201,82.221.101.67,82.221.112.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 62"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522122; rev:3093;)
alert ip [82.221.128.217,82.221.139.25,82.223.27.82,82.247.198.227,83.151.233.181,83.92.47.99,84.0.95.9,84.105.18.164,84.190.180.142,84.19.180.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 63"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522124; rev:3093;)
alert ip [84.19.181.25,84.200.50.18,84.200.82.163,84.209.48.106,84.217.13.138,84.3.0.53,84.48.199.78,84.53.192.243,84.53.225.118,85.119.83.78] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 64"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522126; rev:3093;)
alert ip [85.143.95.50,85.195.107.250,85.248.227.163,85.248.227.164,85.248.227.165,85.90.244.23,85.93.218.204,86.107.110.217,87.118.115.176,87.118.116.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 65"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522128; rev:3093;)
alert ip [87.118.116.90,87.118.122.254,87.118.122.30,87.118.122.50,87.118.83.3,87.118.92.43,87.120.254.189,87.120.254.81,87.120.254.92,87.140.25.245] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 66"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522130; rev:3093;)
alert ip [87.81.148.61,87.98.178.61,88.190.118.95,88.198.125.96,88.198.56.140,88.77.186.64,88.83.40.246,89.144.12.15,89.187.150.12,89.187.150.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 67"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522132; rev:3093;)
alert ip [89.187.150.14,89.187.150.15,89.212.99.66,89.234.157.254,89.236.34.117,89.248.166.157,89.31.57.58,89.31.96.168,89.32.127.178,89.34.237.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 68"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522134; rev:3093;)
alert ip [89.38.208.57,89.45.226.28,91.121.52.156,91.134.232.48,91.146.121.3,91.219.236.232,91.219.237.244,91.221.57.129,91.223.82.156,91.233.106.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 69"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522136; rev:3093;)
alert ip [91.233.106.172,91.250.241.241,92.169.87.4,92.222.38.67,92.222.6.12,92.222.74.226,92.27.153.74,92.63.173.28,93.115.95.201,93.115.95.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 70"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522138; rev:3093;)
alert ip [93.115.95.204,93.115.95.205,93.115.95.206,93.115.95.207,93.115.95.216,93.174.90.30,93.174.93.133,93.174.93.71,93.186.13.12,93.220.94.148] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 71"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522140; rev:3093;)
alert ip [93.64.207.55,94.102.50.42,94.130.28.151,94.142.242.84,94.198.100.17,94.23.239.44,94.242.205.2,94.242.246.23,94.242.246.24,94.242.57.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 72"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522142; rev:3093;)
alert ip [94.242.57.2,95.128.43.164,95.130.10.69,95.130.11.170,95.142.161.63,95.211.118.194,95.211.230.94,96.255.14.191,96.64.149.101,97.74.237.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 73"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522144; rev:3093;)
alert ip [100.11.34.118,100.11.83.28,100.15.39.173,100.16.230.154,100.36.175.42,100.36.19.97,100.38.8.218,101.0.93.66,101.100.141.55,101.100.144.174] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 74"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522146; rev:3093;)
alert ip [101.173.122.229,101.189.42.122,101.55.125.10,103.13.101.81,103.241.61.34,103.250.186.95,103.250.73.12,103.250.73.199,103.250.73.218,103.250.73.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522148; rev:3093;)
alert ip [103.250.73.232,103.250.73.251,103.250.73.5,103.35.56.22,103.73.189.114,103.73.65.32,103.73.67.198,103.85.158.48,104.128.225.205,104.128.226.73] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 76"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522150; rev:3093;)
alert ip [104.129.16.86,104.129.5.252,104.130.169.121,104.131.108.7,104.131.110.204,104.131.11.214,104.131.123.16,104.131.129.30,104.131.137.159,104.131.140.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 77"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522152; rev:3093;)
alert ip [104.131.148.86,104.131.149.84,104.131.181.174,104.131.187.45,104.131.19.119,104.131.204.147,104.131.205.192,104.131.206.23,104.131.245.55,104.131.28.54] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 78"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522154; rev:3093;)
alert ip [104.131.4.237,104.131.66.194,104.131.86.132,104.131.99.72,104.156.224.83,104.156.226.153,104.156.239.41,104.156.60.163,104.156.60.166,104.162.18.199] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 79"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522156; rev:3093;)
alert ip [104.168.167.34,104.168.62.174,104.168.87.167,104.191.31.69,104.192.5.248,104.200.131.232,104.200.16.227,104.200.20.142,104.200.67.249,104.206.168.60] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 80"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522158; rev:3093;)
alert ip [104.206.237.23,104.206.237.24,104.207.157.177,104.223.122.115,104.223.122.213,104.223.122.239,104.223.12.233,104.223.122.69,104.223.48.254,104.223.78.132] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 81"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522160; rev:3093;)
alert ip [104.232.119.93,104.233.123.73,104.233.80.8,104.236.101.108,104.236.10.21,104.236.103.167,104.236.131.15,104.236.151.160,104.236.164.161,104.236.175.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 82"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522162; rev:3093;)
alert ip [104.236.180.124,104.236.183.57,104.236.199.217,104.236.21.215,104.236.215.223,104.236.224.225,104.236.231.197,104.236.233.99,104.236.234.178,104.236.247.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 83"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522164; rev:3093;)
alert ip [163.172.13.165,163.172.131.88,163.172.132.167,163.172.132.178,163.172.133.54,163.172.135.172,163.172.137.4,163.172.137.92,163.172.138.22,163.172.139.104] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 167"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522332; rev:3093;)
alert ip [163.172.139.111,163.172.139.145,163.172.139.170,163.172.141.10,163.172.141.195,163.172.141.33,163.172.142.172,163.172.14.221,163.172.142.92,163.172.143.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 168"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522334; rev:3093;)
alert ip [163.172.143.186,163.172.144.236,163.172.146.169,163.172.146.232,163.172.147.53,163.172.148.176,163.172.149.122,163.172.149.155,163.172.151.234,163.172.152.231] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 169"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522336; rev:3093;)
alert ip [163.172.152.237,163.172.153.12,163.172.153.78,163.172.154.162,163.172.154.245,163.172.156.137,163.172.156.181,163.172.157.124,163.172.157.213,163.172.159.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 170"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522338; rev:3093;)
alert ip [163.172.160.227,163.172.163.104,163.172.163.169,163.172.163.238,163.172.165.6,163.172.167.77,163.172.168.131,163.172.169.253,163.172.170.52,163.172.173.182] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 171"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522340; rev:3093;)
alert ip [163.172.173.184,163.172.173.34,163.172.175.174,163.172.175.232,163.172.176.167,163.172.176.45,163.172.177.114,163.172.178.182,163.172.179.131,163.172.180.59] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 172"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522342; rev:3093;)
alert ip [163.172.181.239,163.172.183.116,163.172.190.110,163.172.191.234,163.172.194.53,163.172.201.62,163.172.209.161,163.172.210.170,163.172.21.117,163.172.212.102] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 173"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522344; rev:3093;)
alert ip [163.172.213.201,163.172.215.236,163.172.215.60,163.172.215.78,163.172.216.195,163.172.223.132,163.172.223.215,163.172.228.191,163.172.25.118,163.172.27.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 174"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522346; rev:3093;)
alert ip [163.172.35.211,163.172.36.205,163.172.42.239,163.172.45.220,163.172.53.84,163.172.56.248,163.172.60.190,163.172.61.28,163.172.69.166,163.172.82.124] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 175"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522348; rev:3093;)
alert ip [163.172.82.3,163.172.84.95,163.172.86.92,163.172.89.227,163.172.90.128,163.172.94.119,164.132.209.131,164.132.212.100,164.132.225.248,164.132.226.30] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 176"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522350; rev:3093;)
alert ip [164.132.230.34,164.132.249.244,164.132.38.170,164.132.41.85,164.132.49.205,164.132.77.175,164.215.116.194,164.40.245.204,165.120.218.118,165.227.122.119] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 177"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522352; rev:3093;)
alert ip [165.227.130.126,165.227.130.167,165.227.135.224,165.227.136.69,165.227.154.118,165.227.20.47,165.227.8.231,165.227.8.5,165.227.90.183,165.227.94.10] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 178"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522354; rev:3093;)
alert ip [166.70.15.14,166.70.94.106,167.114.103.19,167.114.113.134,167.114.121.128,167.114.148.149,167.114.160.128,167.114.219.61,167.114.3.166,167.114.35.102] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 179"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522356; rev:3093;)
alert ip [167.114.35.107,167.114.35.28,167.114.67.158,167.114.67.4,167.114.71.189,167.114.7.166,167.114.76.195,167.160.161.167,167.160.185.136,167.160.84.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 180"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522358; rev:3093;)
alert ip [167.160.84.141,167.88.120.159,167.88.41.8,168.150.251.15,168.205.150.148,168.235.146.20,168.235.154.96,168.235.67.30,168.235.69.79,169.239.128.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522360; rev:3093;)
alert ip [171.233.89.98,171.25.193.9,172.10.235.73,172.104.110.120,172.104.131.38,172.104.148.154,172.104.43.169,172.104.62.11,172.104.67.176,172.104.78.197] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 182"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522362; rev:3093;)
alert ip [172.104.85.43,172.104.88.43,172.221.207.95,172.241.140.26,172.245.126.70,172.245.126.96,172.245.219.133,172.245.24.228,172.245.99.10,172.86.144.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 183"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522364; rev:3093;)
alert ip [172.86.148.10,172.92.128.70,172.93.48.155,172.93.51.60,172.93.51.83,172.93.55.183,172.97.103.47,173.160.180.189,173.170.41.8,173.18.41.24] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 184"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522366; rev:3093;)
alert ip [173.199.115.232,173.199.118.247,173.199.124.17,173.206.132.9,173.208.225.60,173.208.225.61,173.212.197.112,173.212.206.230,173.212.228.203,173.212.231.17] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 185"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522368; rev:3093;)
alert ip [173.212.242.110,173.212.244.108,173.228.91.29,173.22.92.184,173.230.128.232,173.230.153.109,173.230.154.90,173.239.79.203,173.239.79.210,173.247.26.92] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 186"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522370; rev:3093;)
alert ip [173.254.236.135,173.255.205.113,173.255.209.181,173.255.217.222,173.255.218.106,173.255.221.96,173.255.228.134,173.255.228.85,173.255.241.235,173.255.245.116] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 187"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522372; rev:3093;)
alert ip [173.255.246.162,173.255.250.126,173.255.250.231,173.31.224.94,173.3.242.35,173.48.183.150,173.48.246.133,173.48.58.162,173.52.78.215,173.59.249.182] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 188"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522374; rev:3093;)
alert ip [173.66.70.16,173.67.9.186,173.68.10.124,173.71.141.91,173.76.173.114,173.79.55.87,173.8.211.74,173.82.151.94,174.0.0.21,174.104.26.125] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 189"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522376; rev:3093;)
alert ip [174.109.111.95,174.111.240.217,174.127.228.138,174.138.81.62,174.141.200.41,174.27.71.92,174.28.49.129,174.34.225.215,174.50.172.90,174.51.114.139] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 190"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522378; rev:3093;)
alert ip [174.55.212.152,174.59.110.190,174.63.80.6,174.68.74.231,174.7.16.21,174.97.19.230,175.138.42.194,175.179.249.253,175.203.71.68,176.10.131.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 191"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522380; rev:3093;)
alert ip [176.10.137.12,176.10.140.175,176.10.217.142,176.10.253.40,176.103.49.29,176.103.56.31,176.103.57.208,176.103.57.235,176.107.177.15,176.107.185.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 192"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522382; rev:3093;)
alert ip [176.112.242.6,176.114.131.136,176.114.248.47,176.115.38.130,176.118.30.217,176.119.98.186,176.121.81.51,176.123.10.167,176.123.10.3,176.123.10.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 193"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522384; rev:3093;)
alert ip [176.123.10.42,176.123.10.67,176.123.10.89,176.123.10.99,176.123.2.254,176.123.26.23,176.123.29.56,176.123.7.197,176.126.242.49,176.14.216.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 194"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522386; rev:3093;)
alert ip [176.15.182.231,176.158.155.120,176.158.236.102,176.159.130.165,176.193.226.229,176.194.189.124,176.195.245.42,176.196.98.66,176.197.158.30,176.198.132.82] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 195"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522388; rev:3093;)
alert ip [176.198.68.117,176.20.196.56,176.20.234.102,176.212.75.157,176.28.9.120,176.31.101.92,176.31.102.212,176.31.103.150,176.31.110.48,176.31.116.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 196"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522390; rev:3093;)
alert ip [176.31.117.6,176.31.120.215,176.31.121.194,176.31.125.116,176.31.163.89,176.31.184.255,176.31.191.26,176.31.200.122,176.31.225.204,176.31.23.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 197"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522392; rev:3093;)
alert ip [176.31.240.78,176.31.255.189,176.31.28.63,176.31.35.149,176.31.43.51,176.31.80.115,176.36.215.251,176.38.177.208,176.46.239.67,176.53.22.142] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 198"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522394; rev:3093;)
alert ip [176.56.237.191,176.58.108.133,176.58.110.66,176.58.113.34,176.58.120.22,176.58.121.159,176.58.96.199,176.63.111.50,176.66.131.31,176.67.169.254] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 199"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522396; rev:3093;)
alert ip [176.9.102.35,176.9.103.8,176.9.104.232,176.9.110.138,176.9.114.182,176.9.1.211,176.9.122.51,176.9.133.154,176.9.140.108,176.9.143.208] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 200"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522398; rev:3093;)
alert ip [176.9.147.227,176.9.148.176,176.9.155.82,176.9.156.71,176.9.157.222,176.9.158.118,176.9.180.47,176.9.190.240,176.9.208.12,176.9.215.64] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 201"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522400; rev:3093;)
alert ip [176.9.31.215,176.9.38.38,176.9.39.218,176.9.43.26,176.9.46.90,176.9.50.240,176.9.53.52,176.9.54.142,176.9.54.3,176.9.85.141] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 202"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522402; rev:3093;)
alert ip [176.9.8.6,176.9.90.215,176.9.98.109,177.206.97.240,177.234.155.250,177.234.155.98,177.246.231.193,177.251.150.142,177.85.97.121,178.0.110.142] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 203"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522404; rev:3093;)
alert ip [178.12.225.211,178.132.78.148,178.137.126.19,178.140.104.18,178.140.197.96,178.14.113.18,178.150.0.243,178.150.0.249,178.150.100.55,178.157.198.187] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 204"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522406; rev:3093;)
alert ip [178.159.0.38,178.16.208.55,178.16.208.56,178.16.208.57,178.16.208.58,178.16.208.59,178.16.208.60,178.16.208.61,178.16.208.62,178.162.194.210] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 205"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522408; rev:3093;)
alert ip [178.162.194.82,178.162.199.66,178.162.66.212,178.163.100.154,178.165.72.60,178.17.170.149,178.17.170.77,178.17.171.86,178.17.174.2,178.17.174.79] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 206"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522410; rev:3093;)
alert ip [178.174.172.77,178.18.94.247,178.190.84.68,178.19.104.227,178.191.126.207,178.193.211.203,178.198.173.137,178.19.96.114,178.200.31.8,178.200.56.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 207"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522412; rev:3093;)
alert ip [178.200.73.64,178.201.88.59,178.202.140.94,178.203.190.146,178.209.46.173,178.209.52.162,178.213.227.68,178.215.87.31,178.217.184.32,178.238.224.132] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 208"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522414; rev:3093;)
alert ip [178.238.232.110,178.24.159.14,178.24.218.158,178.24.54.98,178.24.72.177,178.24.73.127,178.249.167.2,178.251.228.142,178.251.228.50,178.25.205.60] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 209"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522416; rev:3093;)
alert ip [178.25.217.23,178.252.28.200,178.254.13.92,178.254.20.134,178.254.21.218,178.254.25.6,178.254.30.86,178.254.37.97,178.254.39.85,178.254.40.5] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 210"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522418; rev:3093;)
alert ip [178.254.44.135,178.254.7.88,178.254.9.25,178.255.42.246,178.26.131.140,178.26.131.97,178.27.121.230,178.27.147.35,178.27.162.121,178.27.90.92] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 211"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522420; rev:3093;)
alert ip [178.32.100.87,178.32.138.157,178.32.189.88,178.32.190.15,178.32.192.9,178.32.216.146,178.32.216.97,178.32.217.68,178.32.221.151,178.32.221.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 212"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522422; rev:3093;)
alert ip [178.32.222.125,178.32.222.21,178.32.223.87,178.32.34.91,178.32.47.140,178.32.54.103,178.32.61.9,178.32.66.43,178.32.76.95,178.33.115.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 213"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522424; rev:3093;)
alert ip [178.33.183.251,178.45.197.178,178.49.253.215,178.62.104.146,178.62.109.164,178.62.112.71,178.62.122.241,178.62.125.125,178.62.13.27,178.62.173.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 214"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522426; rev:3093;)
alert ip [178.62.18.161,178.62.186.155,178.62.196.71,178.62.197.82,178.62.198.54,178.62.199.226,178.62.201.15,178.62.20.117,178.62.202.59,178.62.203.126] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 215"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522428; rev:3093;)
alert ip [178.62.210.138,178.62.217.134,178.62.221.190,178.62.22.36,178.62.237.106,178.62.24.212,178.62.244.168,178.62.251.184,178.62.252.234,178.62.252.82] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 216"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522430; rev:3093;)
alert ip [178.62.36.64,178.62.43.5,178.62.46.7,178.62.60.37,178.62.66.18,178.62.79.227,178.62.86.206,178.62.86.96,178.62.88.111,178.62.9.153] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 217"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522432; rev:3093;)
alert ip [178.62.93.173,178.62.93.36,178.62.94.243,178.62.98.217,178.63.116.157,178.63.138.17,178.63.154.93,178.63.162.212,178.63.18.25,178.63.19.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 218"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522434; rev:3093;)
alert ip [178.63.25.10,178.63.27.82,178.63.65.179,178.63.78.8,178.63.85.14,178.66.1.187,178.73.210.118,178.75.148.206,178.78.213.214,178.79.134.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 219"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522436; rev:3093;)
alert ip [178.79.136.230,178.79.139.17,178.79.157.60,178.79.158.221,178.79.159.147,178.79.159.224,178.79.160.57,178.79.161.152,178.79.161.177,178.79.163.169] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 220"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522438; rev:3093;)
alert ip [178.79.165.21,178.79.169.98,178.79.173.147,178.79.177.148,178.83.171.83,178.83.190.108,178.84.83.252,178.85.43.158,179.34.227.81,179.43.158.176] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 221"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522440; rev:3093;)
alert ip [179.43.168.166,179.43.169.14,179.43.183.102,179.43.188.206,179.43.189.210,179.48.248.17,180.181.117.164,180.181.144.13,180.26.33.202,181.1.2.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 222"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522442; rev:3093;)
alert ip [181.30.14.126,18.181.5.37,181.93.5.174,182.171.143.55,182.171.233.68,182.171.77.82,18.220.148.128,183.77.197.79,184.100.125.176,184.100.144.118] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 223"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522444; rev:3093;)
alert ip [184.100.231.37,184.106.109.244,184.146.26.218,184.152.4.239,184.160.119.133,184.167.146.119,184.183.5.203,184.56.173.16,184.60.135.64,184.90.73.82] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 224"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522446; rev:3093;)
alert ip [185.100.84.251,185.100.85.132,185.100.85.175,185.100.85.207,185.100.85.244,185.100.86.249,185.100.87.239,185.100.87.43,185.101.218.220,185.101.98.108] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522448; rev:3093;)
alert ip [185.103.135.19,185.103.158.97,185.103.243.74,185.104.184.51,185.104.185.170,185.104.248.164,185.10.68.118,185.10.68.159,185.107.224.208,185.109.146.148] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 226"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522450; rev:3093;)
alert ip [185.111.219.109,185.111.219.11,185.112.157.126,185.112.82.102,185.117.118.132,185.117.88.92,185.12.28.116,185.123.102.38,185.125.217.66,185.125.33.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 227"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522452; rev:3093;)
alert ip [185.128.40.90,185.129.249.124,185.129.60.131,185.133.210.188,185.13.38.197,185.13.39.197,185.140.54.65,185.141.25.172,185.14.185.118,185.145.128.50] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 228"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522454; rev:3093;)
alert ip [185.145.130.73,185.145.131.165,185.146.228.150,185.146.228.151,185.148.145.115,185.148.145.140,185.148.145.71,185.148.145.74,185.150.189.170,185.150.189.175] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 229"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522456; rev:3093;)
alert ip [185.150.190.10,185.150.190.24,185.150.191.56,185.15.244.124,185.153.198.118,185.153.198.222,185.155.96.235,185.155.96.249,185.156.173.148,185.157.160.48] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 230"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522458; rev:3093;)
alert ip [185.157.232.34,185.157.233.42,185.15.72.62,185.15.73.117,185.159.128.83,185.15.92.76,185.15.94.14,185.15.94.17,185.16.172.155,185.16.173.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 231"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522460; rev:3093;)
alert ip [185.16.173.86,185.162.10.157,185.163.45.150,185.163.45.244,185.165.168.168,185.165.168.170,185.165.168.73,185.170.112.183,185.181.229.77,185.182.50.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 232"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522462; rev:3093;)
alert ip [185.183.107.194,185.183.107.30,185.185.40.111,185.186.244.60,185.189.113.90,185.189.14.42,185.19.123.237,185.198.56.139,185.202.196.180,185.20.227.66] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 233"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522464; rev:3093;)
alert ip [185.203.117.50,185.206.145.235,185.206.36.169,185.208.210.20,185.208.210.29,185.208.210.30,185.21.100.163,185.21.101.50,185.21.216.157,185.21.216.183] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 234"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522466; rev:3093;)
alert ip [185.21.216.189,185.21.216.195,185.21.216.198,185.21.217.13,185.21.217.29,185.21.217.33,185.214.71.164,185.216.33.126,185.217.0.69,185.217.0.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 235"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522468; rev:3093;)
alert ip [185.217.0.97,185.22.173.162,185.22.67.211,185.25.216.237,185.25.48.76,185.26.156.28,185.26.156.45,185.26.156.50,185.29.156.231,185.32.160.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 236"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522470; rev:3093;)
alert ip [185.32.221.201,185.32.221.228,185.35.138.92,185.37.145.44,185.37.226.197,185.37.72.202,185.40.31.122,185.41.154.130,185.44.76.144,185.44.76.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 237"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522472; rev:3093;)
alert ip [185.46.201.244,185.47.63.128,185.4.92.67,185.56.89.141,185.58.21.199,185.5.9.188,185.61.148.121,185.61.148.189,185.61.149.116,185.61.150.240] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522474; rev:3093;)
alert ip [185.6.29.55,185.63.253.130,185.65.244.235,185.69.52.19,185.69.53.188,185.72.178.72,185.72.244.37,185.72.247.145,185.7.254.67,185.72.66.137] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 239"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522476; rev:3093;)
alert ip [185.72.66.252,185.73.220.8,185.73.240.205,185.76.145.109,185.77.129.35,185.78.67.40,185.80.222.105,185.80.222.158,185.80.222.164,185.81.109.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 240"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522478; rev:3093;)
alert ip [185.81.164.254,185.81.96.14,185.82.201.54,185.82.202.28,185.82.203.209,185.82.217.70,185.8.236.131,185.8.237.45,185.8.238.139,185.86.148.150] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 241"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522480; rev:3093;)
alert ip [185.86.149.205,185.86.149.230,185.86.149.75,185.86.149.85,185.86.150.78,185.8.63.38,185.86.79.46,185.87.185.221,185.87.186.27,185.87.50.190] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 242"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522482; rev:3093;)
alert ip [185.90.61.159,185.90.61.23,185.90.61.35,185.9.19.83,185.92.68.9,185.94.193.148,185.94.193.154,185.94.193.158,185.94.193.194,185.94.193.198] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 243"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522484; rev:3093;)
alert ip [185.96.180.164,185.96.180.29,185.96.88.164,185.96.88.29,185.97.32.34,185.97.32.36,185.99.134.220,186.120.225.119,186.203.12.18,186.222.7.86] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 244"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522486; rev:3093;)
alert ip [187.163.84.205,187.60.93.196,187.63.100.24,188.107.7.8,188.114.140.245,188.118.198.244,188.118.217.236,188.120.234.26,188.120.243.128,188.120.243.32] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 245"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522488; rev:3093;)
alert ip [188.121.184.145,188.134.5.47,188.134.5.92,188.134.6.66,188.138.102.98,188.138.112.60,188.138.61.165,188.138.70.162,188.138.75.101,188.141.73.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 246"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522490; rev:3093;)
alert ip [188.142.200.211,188.143.121.152,188.164.154.18,188.165.0.171,188.165.106.249,188.165.138.72,188.165.139.175,188.165.142.97,188.165.145.157,188.165.194.195] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 247"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522492; rev:3093;)
alert ip [188.165.19.61,188.165.212.152,188.165.213.156,188.165.218.31,188.165.220.21,188.165.222.39,188.165.228.38,188.165.228.64,188.165.236.18,188.165.27.75] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 248"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522494; rev:3093;)
alert ip [188.165.28.152,188.165.28.25,188.165.4.224,188.165.50.244,188.165.5.14,188.165.5.67,188.165.58.241,188.165.59.43,188.165.6.66,188.166.122.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 249"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522496; rev:3093;)
alert ip [188.166.133.133,188.166.158.100,188.166.168.73,188.166.16.91,188.166.178.56,188.166.19.224,188.166.20.124,188.166.209.214,188.166.219.207,188.166.23.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 250"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522498; rev:3093;)
alert ip [188.166.24.205,188.166.245.217,188.166.246.106,188.166.255.209,188.166.33.15,188.166.4.109,188.166.41.210,188.166.48.132,188.166.50.222,188.166.56.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 251"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522500; rev:3093;)
alert ip [188.166.67.231,188.166.8.152,188.166.87.161,188.166.94.214,188.168.34.90,188.172.153.42,188.174.161.111,188.174.172.50,188.174.178.230,188.181.93.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522502; rev:3093;)
alert ip [188.192.145.3,188.192.156.190,188.192.196.221,188.192.245.163,188.193.109.132,188.193.21.38,188.193.233.73,188.193.2.6,188.194.123.108,188.194.93.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 253"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522504; rev:3093;)
alert ip [188.195.172.223,188.195.173.25,188.195.52.10,18.82.0.86,18.82.1.29,188.213.170.104,188.213.28.222,188.213.49.133,188.213.49.55,188.214.128.111] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 254"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522506; rev:3093;)
alert ip [188.214.128.64,188.214.129.21,188.214.30.153,188.214.30.159,188.214.30.220,188.214.30.98,188.221.111.222,188.221.78.241,188.222.106.239,188.226.130.88] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 255"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522508; rev:3093;)
alert ip [188.226.148.15,188.226.149.124,188.226.221.243,188.226.222.19,188.226.237.154,188.226.247.86,188.226.71.132,188.227.201.133,188.230.91.173,18.82.3.136] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 256"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522510; rev:3093;)
alert ip [18.82.3.196,18.82.3.205,188.240.208.219,188.240.208.89,188.241.58.10,188.242.134.102,188.243.225.14,188.243.26.62,188.243.68.220,188.243.99.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 257"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522512; rev:3093;)
alert ip [188.244.43.25,188.246.204.67,188.25.182.181,188.25.243.6,188.32.115.6,188.32.242.244,188.36.77.241,188.40.100.199,188.40.107.205,188.40.109.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 258"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522514; rev:3093;)
alert ip [188.40.110.214,188.40.128.246,188.40.140.87,188.40.159.122,188.40.166.29,188.40.206.5,188.40.235.215,188.40.248.57,188.40.41.115,188.40.44.119] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 259"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522516; rev:3093;)
alert ip [188.40.49.86,188.40.51.232,188.40.76.115,188.40.91.87,188.4.217.205,188.42.216.83,188.42.253.7,188.42.254.47,188.64.45.105,188.68.33.125] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 260"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522518; rev:3093;)
alert ip [188.68.36.209,188.68.57.188,188.77.220.152,188.78.204.44,188.93.213.75,188.97.167.239,188.98.6.187,188.98.6.93,188.99.61.195,189.124.193.119] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 261"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522520; rev:3093;)
alert ip [189.207.214.180,189.60.72.157,189.62.119.168,190.10.8.152,190.10.8.68,190.111.29.98,190.1.228.61,190.123.47.116,190.156.200.202,190.17.26.56] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 262"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522522; rev:3093;)
alert ip [190.17.6.56,190.210.98.90,190.22.73.183,190.56.60.64,190.97.165.141,191.101.31.84,191.176.234.122,191.178.250.236,191.191.97.145,191.34.135.65] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 263"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522524; rev:3093;)
alert ip [192.110.160.146,192.111.150.62,192.124.250.83,192.155.83.101,192.155.95.222,192.157.239.243,192.161.235.132,192.162.133.3,192.162.141.53,192.162.26.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 264"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522526; rev:3093;)
alert ip [192.162.26.38,192.162.26.42,192.163.224.51,192.165.67.254,192.166.218.151,192.166.218.216,192.166.219.194,192.169.166.157,192.169.168.39,192.171.61.113] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 265"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522528; rev:3093;)
alert ip [192.173.158.64,192.184.81.160,192.184.82.128,192.184.85.92,192.187.126.204,192.195.83.134,192.210.192.229,192.210.203.16,192.211.49.217,192.222.191.249] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 266"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522530; rev:3093;)
alert ip [192.222.248.192,192.227.143.25,192.227.243.249,192.228.204.196,192.240.123.2,192.241.134.62,192.241.148.108,192.241.153.159,192.241.180.163,192.241.180.27] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 267"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522532; rev:3093;)
alert ip [192.241.187.237,192.241.189.130,192.241.195.178,192.241.197.81,192.241.206.171,192.241.210.101,192.241.216.120,192.241.233.203,192.249.63.151,192.30.32.44] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 268"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522534; rev:3093;)
alert ip [192.3.148.27,192.3.239.245,192.33.193.24,192.36.27.6,192.36.27.7,192.36.38.33,192.42.113.102,192.42.115.101,192.42.115.102,192.42.116.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 269"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522536; rev:3093;)
alert ip [192.44.30.40,192.52.167.70,192.52.167.71,192.52.183.232,192.52.2.49,192.71.245.137,192.71.245.36,192.81.132.46,192.81.214.126,192.81.217.126] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 270"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522538; rev:3093;)
alert ip [192.81.218.137,192.81.250.118,192.87.28.28,192.87.28.82,192.95.22.146,192.95.25.202,192.95.27.143,192.99.10.202,192.99.13.48,192.99.154.234] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 271"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522540; rev:3093;)
alert ip [192.99.246.101,192.99.54.179,192.99.54.193,192.99.54.5,192.99.57.111,192.99.59.70,192.99.6.28,192.99.63.44,192.99.69.17,192.99.9.138] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 272"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522542; rev:3093;)
alert ip [193.0.213.42,193.104.220.35,193.104.220.54,193.104.254.166,193.105.134.42,193.105.134.56,193.105.134.57,193.10.5.153,193.105.73.80,193.106.166.105] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 273"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522544; rev:3093;)
alert ip [193.108.249.215,193.11.112.188,193.111.140.153,193.111.141.160,193.11.114.43,193.11.114.45,193.11.114.46,193.11.114.69,193.111.26.37,193.11.164.243] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 274"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522546; rev:3093;)
alert ip [193.11.166.194,193.124.182.191,193.124.191.59,193.138.118.8,193.138.118.94,193.150.121.78,193.150.14.60,193.165.137.202,193.165.189.6,193.183.98.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 275"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522548; rev:3093;)
alert ip [193.190.168.51,193.190.168.53,193.19.118.171,193.200.241.195,193.224.163.43,193.227.196.10,193.228.143.17,193.228.143.225,193.23.244.244,193.233.60.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 276"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522550; rev:3093;)
alert ip [193.233.60.90,193.24.209.70,193.35.52.53,193.37.152.133,193.37.152.199,193.42.156.106,193.70.112.165,193.70.15.58,193.70.38.152,193.70.39.124] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 277"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522552; rev:3093;)
alert ip [193.70.43.102,193.70.43.20,193.70.43.76,193.70.73.242,193.70.90.199,193.7.177.223,194.104.0.100,194.109.206.212,194.1.238.115,194.126.175.157] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 278"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522554; rev:3093;)
alert ip [194.150.168.108,194.187.205.151,194.187.207.21,194.187.207.45,194.187.249.116,194.42.108.5,194.63.139.230,194.67.214.123,194.67.219.154,194.88.143.66] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 279"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522556; rev:3093;)
alert ip [194.96.126.205,195.113.199.99,195.12.190.38,195.123.209.96,195.123.210.38,195.12.48.109,195.12.48.212,195.12.48.76,195.12.48.77,195.12.48.78] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 280"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522558; rev:3093;)
alert ip [195.133.48.81,195.13.50.211,195.148.124.199,195.154.162.172,195.154.163.119,195.154.164.243,195.154.164.34,195.154.165.64,195.154.171.24,195.154.177.231] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 281"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522560; rev:3093;)
alert ip [195.154.181.146,195.154.200.129,195.154.209.91,195.154.221.65,195.154.226.249,195.154.235.34,195.154.237.147,195.154.240.145,195.154.241.125,195.154.242.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 282"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522562; rev:3093;)
alert ip [195.154.250.239,195.154.251.25,195.154.252.88,195.154.253.226,195.154.255.174,195.16.89.145,195.169.125.226,195.170.63.164,195.176.247.88,195.180.11.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 283"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522564; rev:3093;)
alert ip [195.181.208.180,195.181.211.88,195.181.223.225,195.181.246.187,195.191.158.17,195.191.233.221,195.200.236.197,195.216.94.52,195.22.127.160,195.225.211.26] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 284"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522566; rev:3093;)
alert ip [195.228.75.149,195.230.168.83,195.234.152.86,195.238.190.101,195.251.252.226,195.28.182.237,195.30.107.220,195.42.115.162,195.62.52.120,195.62.53.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 285"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522568; rev:3093;)
alert ip [195.71.68.84,195.88.208.149,195.91.211.69,195.91.244.98,198.100.144.33,198.100.147.184,198.100.148.112,198.100.148.146,198.101.8.214,198.105.223.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 286"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522570; rev:3093;)
alert ip [198.12.118.14,198.147.22.82,198.148.81.167,198.154.106.54,198.167.223.44,198.199.118.134,198.199.64.217,198.199.90.205,198.204.240.82,198.211.104.110] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 287"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522572; rev:3093;)
alert ip [198.211.120.25,198.211.124.214,198.211.125.242,198.23.161.150,198.233.204.165,198.244.104.174,198.245.50.175,198.245.50.57,198.252.121.79,198.255.94.114] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 288"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522574; rev:3093;)
alert ip [198.27.109.36,198.27.191.62,198.27.64.215,198.27.66.209,198.27.69.201,198.27.80.201,198.27.86.221,198.46.153.51,198.48.130.25,198.50.128.229] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 289"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522576; rev:3093;)
alert ip [198.50.128.234,198.50.135.213,198.50.146.252,198.50.147.70,198.50.191.95,198.50.236.124,198.51.75.52,198.58.102.234,198.58.110.223,198.71.81.66] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 290"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522578; rev:3093;)
alert ip [198.72.229.35,198.74.56.191,198.74.57.57,198.74.60.26,198.74.61.51,198.96.155.9,198.98.50.212,198.98.62.56,199.115.205.248,199.15.250.210] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 291"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522580; rev:3093;)
alert ip [199.175.49.147,199.181.238.127,199.184.246.250,199.188.194.53,199.189.62.251,199.19.213.176,199.195.249.221,199.19.85.252,199.200.15.10,199.231.85.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 292"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522582; rev:3093;)
alert ip [199.241.29.223,199.254.238.53,199.255.223.88,200.122.181.15,200.73.251.82,200.8.206.216,201.17.58.90,201.214.174.246,202.129.80.154,202.53.47.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 293"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522584; rev:3093;)
alert ip [203.141.154.202,203.186.69.98,203.206.25.146,203.220.189.110,203.7.77.255,204.13.164.110,204.152.220.247,204.152.220.248,204.186.244.66,204.27.63.234] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 294"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522586; rev:3093;)
alert ip [204.44.75.210,204.83.204.143,204.9.50.25,205.178.25.71,205.185.124.82,205.204.69.19,206.174.113.156,206.192.252.17,206.221.184.158,206.223.203.129] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 295"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522588; rev:3093;)
alert ip [206.248.134.68,206.40.118.229,206.55.74.1,206.63.229.144,207.154.208.184,207.154.208.75,207.154.217.3,207.154.226.140,207.154.239.150,207.154.248.123] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 296"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522590; rev:3093;)
alert ip [207.181.237.93,207.236.124.177,207.244.75.198,207.6.121.227,208.113.133.247,208.113.165.162,208.113.166.5,208.118.235.48,208.38.243.107,208.64.220.46] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 297"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522592; rev:3093;)
alert ip [208.79.209.124,208.80.154.39,208.83.223.34,208.94.242.26,208.95.3.28,209.102.247.122,209.126.71.233,209.141.34.240,209.141.35.232,209.141.36.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 298"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522594; rev:3093;)
alert ip [209.141.40.22,209.141.49.38,209.141.50.138,209.141.52.13,209.141.60.229,209.171.163.168,209.181.61.219,209.197.145.194,209.208.79.5,209.240.109.238] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 299"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522596; rev:3093;)
alert ip [209.44.114.178,209.58.160.138,209.58.178.49,209.58.180.90,209.6.79.180,209.90.224.5,209.95.48.163,210.1.204.177,210.152.241.60,210.185.115.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 300"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522598; rev:3093;)
alert ip [210.223.103.24,210.3.102.154,210.3.102.165,2.104.52.160,210.54.35.24,2.110.219.47,2.110.60.68,212.10.111.106,212.10.111.112,212.10.153.81] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 301"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522600; rev:3093;)
alert ip [212.107.138.107,212.110.189.186,212.111.40.177,212.111.41.143,212.114.228.30,212.117.180.107,212.117.180.33,212.117.180.45,212.119.243.30,212.129.0.231] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 302"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522602; rev:3093;)
alert ip [212.129.19.196,212.129.34.13,212.129.42.9,212.129.4.84,212.129.49.59,212.129.62.232,212.159.100.232,212.159.112.196,212.159.177.198,212.159.79.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522604; rev:3093;)
alert ip [212.16.170.158,212.17.102.77,212.181.206.122,212.186.197.229,212.186.71.38,212.186.79.250,212.187.200.170,212.198.84.177,212.201.68.152,212.224.76.148] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 304"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522606; rev:3093;)
alert ip [212.224.78.234,212.224.95.161,212.224.95.231,212.227.8.137,212.232.29.101,212.237.35.67,212.237.56.227,212.238.160.33,212.238.208.48,212.24.104.216] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 305"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522608; rev:3093;)
alert ip [212.24.105.154,212.24.106.116,212.24.110.13,212.24.111.7,212.251.211.254,212.3.112.226,212.47.227.58,212.47.227.71,212.47.227.75,212.47.229.138] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 306"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522610; rev:3093;)
alert ip [212.47.229.2,212.47.230.49,212.47.230.5,212.47.231.241,212.47.232.236,212.47.232.3,212.47.233.134,212.47.233.235,212.47.233.45,212.47.233.86] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 307"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522612; rev:3093;)
alert ip [212.47.234.192,212.47.234.212,212.47.235.80,212.47.236.95,212.47.237.191,212.47.237.32,212.47.238.193,212.47.238.65,212.47.239.101,212.47.239.151] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 308"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522614; rev:3093;)
alert ip [212.47.239.163,212.47.239.187,212.47.239.83,212.47.240.10,212.47.240.189,212.47.241.21,212.47.243.166,212.47.244.114,212.47.244.38,212.47.244.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 309"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522616; rev:3093;)
alert ip [212.47.245.76,212.47.246.18,212.47.246.211,212.47.246.229,212.47.248.10,212.47.248.113,212.47.250.57,212.47.252.91,212.50.120.191,212.51.134.123] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 310"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522618; rev:3093;)
alert ip [212.51.139.25,212.51.143.146,212.51.143.20,212.51.147.191,212.51.150.184,212.51.151.250,212.51.156.224,212.51.156.78,212.51.159.148,212.60.126.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 311"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522620; rev:3093;)
alert ip [212.60.130.72,212.69.166.122,212.71.253.226,212.7.217.52,212.74.233.18,212.74.233.21,212.74.254.243,212.83.143.46,212.83.154.33,212.83.158.20] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 312"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522622; rev:3093;)
alert ip [212.83.158.5,212.83.165.54,212.83.174.26,212.83.176.58,212.86.53.174,212.89.225.242,212.96.63.171,213.108.108.235,213.109.56.200,213.112.199.150] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 313"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522624; rev:3093;)
alert ip [213.113.116.117,213.113.214.106,213.113.52.10,213.114.144.249,213.114.154.207,213.114.155.106,213.114.226.17,213.114.231.7,213.124.169.159,213.124.179.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 314"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522626; rev:3093;)
alert ip [213.131.6.186,213.133.99.156,213.135.198.106,213.136.71.21,213.136.77.251,213.136.80.109,213.136.81.89,213.136.82.192,213.136.94.10,213.137.18.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 315"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522628; rev:3093;)
alert ip [213.138.100.68,213.138.102.209,213.138.109.144,213.138.113.232,213.140.92.199,213.141.138.174,213.141.150.19,213.144.146.77,213.144.157.75,213.152.161.30] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 316"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522630; rev:3093;)
alert ip [213.152.161.40,213.153.84.215,213.157.15.235,213.162.132.85,213.163.70.234,213.167.242.183,213.169.148.151,213.17.124.178,213.183.48.84,213.183.56.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 317"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522632; rev:3093;)
alert ip [213.184.126.2,213.184.126.242,213.184.127.226,213.188.245.139,213.195.109.234,213.197.22.124,213.202.233.36,213.202.247.35,213.21.26.171,213.21.26.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 318"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522634; rev:3093;)
alert ip [213.226.180.166,213.233.226.123,213.239.197.25,213.239.205.239,213.239.211.41,213.239.212.20,213.239.216.222,213.239.217.18,213.239.217.68,213.239.249.71] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 319"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522636; rev:3093;)
alert ip [213.243.172.46,213.246.56.79,213.246.56.95,213.251.226.175,213.254.32.26,213.32.119.219,213.32.21.55,213.32.241.238,213.32.55.195,213.32.66.192] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 320"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522638; rev:3093;)
alert ip [213.32.68.101,213.32.90.15,213.45.170.44,213.47.176.238,213.64.65.106,213.66.28.170,2.137.20.68,213.73.99.182,213.89.134.172,2.139.216.169] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 321"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522640; rev:3093;)
alert ip [213.93.31.148,213.95.86.180,213.99.222.33,216.12.171.170,216.127.173.78,216.127.187.29,216.158.226.216,216.185.144.100,216.19.178.143,216.195.133.27] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 322"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522642; rev:3093;)
alert ip [216.218.222.10,216.218.222.14,216.24.174.245,216.24.242.34,216.244.85.211,216.252.162.19,216.51.232.227,216.55.181.21,217.103.193.83,217.106.239.149] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 323"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522644; rev:3093;)
alert ip [217.107.193.10,217.112.131.24,217.112.131.98,217.113.158.52,217.115.127.58,217.11.57.226,217.117.227.226,217.12.199.108,217.12.199.190,217.12.199.208] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 324"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522646; rev:3093;)
alert ip [217.12.202.111,217.12.202.116,217.12.202.40,217.12.202.53,217.12.202.58,217.12.203.46,217.12.204.120,217.12.204.149,217.12.204.174,217.12.208.117] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 325"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522648; rev:3093;)
alert ip [217.12.210.207,217.12.210.95,217.122.175.19,217.12.223.214,217.12.223.215,217.12.223.216,217.12.223.217,217.12.223.218,217.147.214.107,217.150.227.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 326"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522650; rev:3093;)
alert ip [217.155.10.18,217.155.40.118,217.160.13.173,217.160.141.52,217.160.15.247,217.160.178.10,217.172.172.8,217.172.190.251,217.182.102.242,217.182.231.53] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 327"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522652; rev:3093;)
alert ip [217.182.73.4,217.182.75.181,217.182.75.36,217.182.85.154,217.182.86.44,217.182.90.137,217.182.94.173,217.197.240.244,217.197.83.162,217.197.86.173] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 328"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522654; rev:3093;)
alert ip [217.197.91.145,217.20.112.213,217.20.130.72,217.209.179.202,217.210.64.254,217.22.141.89,217.224.41.172,217.228.210.7,217.23.15.200,217.235.159.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 329"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522656; rev:3093;)
alert ip [217.235.69.101,217.235.76.75,217.23.7.103,217.238.228.212,217.238.239.185,217.249.80.63,217.251.89.171,217.63.200.51,217.64.127.174,217.69.144.94] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 330"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522658; rev:3093;)
alert ip [217.79.178.60,217.79.179.177,217.79.182.95,217.79.190.25,217.81.247.55,217.84.98.50,217.85.173.59,217.85.180.233,217.8.61.67,217.86.254.137] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 331"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522660; rev:3093;)
alert ip [217.86.26.49,217.87.104.63,217.92.54.146,217.95.26.97,2.190.11.52,219.111.151.219,219.117.206.46,219.117.241.101,220.135.161.179,220.233.123.172] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 332"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522662; rev:3093;)
alert ip [220.240.152.221,220.240.80.150,220.253.12.10,221.121.153.184,221.39.78.201,222.10.49.182,222.12.87.83,222.152.75.99,2.225.231.92,2.230.164.254] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522664; rev:3093;)
alert ip [223.16.90.167,223.197.177.165,223.197.177.49,2.234.130.233,2.235.216.169,2.236.9.67,2.242.70.119,23.105.70.174,2.31.69.65,23.226.231.158] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 334"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522666; rev:3093;)
alert ip [23.227.199.226,23.235.4.101,23.236.50.86,23.239.10.144,23.239.113.101,23.239.145.125,23.239.22.19,23.239.2.7,23.239.27.28,23.239.30.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 335"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522668; rev:3093;)
alert ip [23.240.32.151,23.244.69.180,23.253.57.42,23.254.128.38,23.254.165.250,23.254.166.222,23.254.167.231,23.81.66.90,23.91.124.124,23.92.138.206] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 336"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522670; rev:3093;)
alert ip [23.92.19.113,23.92.21.74,23.92.222.214,23.92.83.233,23.95.113.5,23.97.172.229,24.108.240.199,24.117.231.229,24.130.221.118,24.130.248.235] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 337"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522672; rev:3093;)
alert ip [24.14.136.134,24.147.89.4,24.148.59.185,24.151.1.51,24.154.185.97,24.157.146.7,24.163.106.7,24.17.211.5,24.209.62.187,24.21.143.35] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 338"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522674; rev:3093;)
alert ip [24.2.216.29,24.22.246.162,24.22.64.232,24.248.203.49,24.30.59.18,24.3.140.142,24.35.77.155,24.40.143.53,24.54.152.124,24.61.42.21] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 339"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522676; rev:3093;)
alert ip [24.6.174.94,24.71.168.153,24.77.115.137,24.80.227.241,24.85.72.185,24.8.76.174,24.96.173.104,24.98.72.86,2.7.154.187,27.50.87.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 340"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522678; rev:3093;)
alert ip [27.64.121.247,2.92.133.8,2.93.9.1,31.129.166.78,31.130.48.109,31.132.156.136,31.135.243.138,31.14.138.27,31.15.66.218,31.16.110.107] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 341"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522680; rev:3093;)
alert ip [31.16.53.18,31.170.105.77,31.170.82.41,31.171.155.102,31.171.155.103,31.171.155.108,31.171.155.29,31.171.244.193,31.17.179.130,31.178.139.138] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 342"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522682; rev:3093;)
alert ip [31.179.132.42,31.179.24.189,31.18.14.162,31.18.152.33,31.184.198.152,31.184.198.183,31.192.174.73,31.192.204.204,31.201.243.214,31.204.128.24] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 343"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522684; rev:3093;)
alert ip [31.207.227.140,31.208.41.41,31.208.8.205,31.209.52.65,31.214.157.83,31.220.45.216,31.220.7.143,31.28.168.174,31.31.73.200,31.31.73.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 344"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522686; rev:3093;)
alert ip [31.31.74.177,31.31.74.47,31.31.77.176,31.31.78.49,31.41.219.228,31.43.129.239,31.47.252.177,31.54.71.247,31.7.186.142,34.201.82.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 345"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522688; rev:3093;)
alert ip [34.202.25.15,34.214.31.61,34.250.125.1,34.250.46.74,34.251.131.79,34.251.231.72,34.251.248.90,35.157.59.169,35.163.47.243,35.164.117.159] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 346"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522690; rev:3093;)
alert ip [35.164.54.193,35.188.143.6,35.188.21.171,35.190.152.35,35.202.23.233,36.55.243.60,37.113.173.117,37.120.104.214,37.120.160.12,37.120.166.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 347"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522692; rev:3093;)
alert ip [37.120.169.95,37.120.172.242,37.120.173.146,37.120.174.249,37.120.178.124,37.120.178.6,37.120.184.45,37.120.185.98,37.120.8.167,37.122.208.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 348"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522694; rev:3093;)
alert ip [37.123.113.29,37.134.197.41,37.139.24.90,37.14.196.72,37.145.226.109,37.147.101.131,37.15.122.94,37.153.1.10,37.153.16.134,37.157.195.83] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 349"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522696; rev:3093;)
alert ip [37.157.195.87,37.157.196.142,37.187.0.83,37.187.101.179,37.187.101.180,37.187.102.108,37.187.102.186,37.187.102.202,37.187.103.156,37.187.104.111] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 350"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522698; rev:3093;)
alert ip [37.187.104.178,37.187.105.65,37.187.105.68,37.187.107.91,37.187.110.237,37.187.111.205,37.187.112.64,37.187.115.157,37.187.115.47,37.187.120.37] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 351"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522700; rev:3093;)
alert ip [37.187.1.29,37.187.130.226,37.187.16.175,37.187.16.43,37.187.176.64,37.187.17.67,37.187.177.2,37.187.180.112,37.187.180.18,37.187.180.4] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 352"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522702; rev:3093;)
alert ip [37.187.20.59,37.187.20.79,37.187.21.157,37.187.21.28,37.187.22.131,37.187.2.230,37.187.22.87,37.187.23.169,37.187.23.232,37.187.239.8] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 353"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522704; rev:3093;)
alert ip [37.187.30.2,37.187.30.78,37.187.3.106,37.187.31.39,37.187.4.8,37.187.4.81,37.187.51.225,37.187.72.24,37.187.78.210,37.187.90.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 354"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522706; rev:3093;)
alert ip [37.187.90.149,37.187.96.183,37.187.96.78,37.187.96.84,37.187.97.31,37.187.97.95,37.187.98.185,37.187.99.84,37.191.156.74,37.191.160.173] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 355"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522708; rev:3093;)
alert ip [37.191.229.34,37.191.234.150,37.193.70.65,37.200.98.117,37.200.99.251,37.201.127.126,37.201.135.18,37.201.175.13,37.201.46.246,37.205.11.149] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 356"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522710; rev:3093;)
alert ip [37.205.8.191,37.205.9.131,37.209.119.10,37.218.247.217,37.220.18.41,37.221.162.226,37.221.171.234,37.221.196.137,37.221.196.31,37.221.198.199] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 357"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522712; rev:3093;)
alert ip [37.221.213.59,37.228.129.56,37.228.134.103,37.229.212.29,37.230.119.37,37.233.99.157,37.235.48.247,37.235.49.124,37.235.49.138,37.235.49.34] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 358"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522714; rev:3093;)
alert ip [37.235.52.67,37.235.55.83,37.235.56.180,37.235.60.77,37.24.229.143,37.247.49.139,37.252.185.87,37.252.190.176,37.35.107.238,37.4.236.212] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 359"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522716; rev:3093;)
alert ip [37.48.120.47,37.48.122.22,37.48.71.227,37.48.83.229,37.58.57.231,37.59.102.148,37.59.107.185,37.59.118.7,37.59.119.118,37.59.125.83] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 360"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522718; rev:3093;)
alert ip [37.59.127.105,37.59.29.31,37.59.37.59,37.59.39.161,37.59.40.193,37.59.51.217,37.59.72.132,37.61.209.150,37.8.236.184,37.97.185.116] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 361"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522720; rev:3093;)
alert ip [37.97.202.76,38.131.227.141,38.229.70.51,38.229.70.52,38.229.70.53,38.229.70.54,38.229.70.61,38.229.79.2,40.134.93.214,40.83.147.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 362"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522722; rev:3093;)
alert ip [42.112.16.193,42.112.16.194,42.112.16.198,42.112.16.200,42.112.16.42,42.112.20.116,42.124.36.252,43.231.114.52,43.240.12.58,43.252.37.14] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 363"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522724; rev:3093;)
alert ip [43.255.32.133,45.123.118.101,45.20.67.1,45.249.61.131,45.249.61.132,45.249.90.26,45.32.117.1,45.32.146.85,45.32.151.73,45.32.154.242] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 364"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522726; rev:3093;)
alert ip [45.32.158.56,45.32.167.8,45.32.171.227,45.32.195.199,45.32.207.172,45.32.219.222,45.32.234.214,45.32.238.101,45.32.240.31,45.32.245.73] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 365"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522728; rev:3093;)
alert ip [45.32.246.15,45.32.250.46,45.32.30.178,45.32.31.42,45.32.36.228,45.32.40.253,45.33.100.121,45.33.111.116,45.33.121.242,45.33.124.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 366"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522730; rev:3093;)
alert ip [45.33.34.211,45.33.60.105,45.33.60.47,45.33.75.28,45.33.83.135,45.33.90.50,45.34.143.4,45.35.72.85,45.50.173.159,45.50.77.52] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 367"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522732; rev:3093;)
alert ip [45.55.108.110,45.55.12.23,45.55.129.39,45.55.167.33,45.55.182.63,45.55.19.132,45.55.194.175,45.55.236.19,45.55.8.14,45.56.76.112] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 368"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522734; rev:3093;)
alert ip [45.56.89.8,45.56.99.84,45.58.192.155,45.58.49.251,45.58.60.127,45.62.116.32,45.62.211.6,45.62.233.205,45.62.235.202,45.62.235.29] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 369"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522736; rev:3093;)
alert ip [45.62.235.44,45.62.243.158,45.62.243.36,45.63.14.225,45.63.24.140,45.63.24.164,45.63.25.179,45.63.25.235,45.63.26.48,45.63.28.115] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 370"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522738; rev:3093;)
alert ip [45.63.67.113,45.63.77.230,45.63.8.229,45.63.89.53,45.63.9.89,45.76.10.133,45.76.107.140,45.76.119.205,45.76.131.160,45.76.140.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 371"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522740; rev:3093;)
alert ip [45.76.142.198,45.76.149.112,45.76.177.51,45.76.192.217,45.76.196.74,45.76.26.158,45.76.32.13,45.76.39.74,45.76.42.132,45.76.42.26] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 372"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522742; rev:3093;)
alert ip [45.76.5.206,45.76.6.23,45.76.80.29,45.76.82.223,45.76.86.86,45.76.89.215,45.76.92.117,45.76.94.126,45.76.94.181,45.76.95.199] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 373"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522744; rev:3093;)
alert ip [45.77.0.145,45.77.114.107,45.77.53.109,45.77.56.54,45.77.61.195,45.77.62.230,45.77.64.193,45.77.66.39,45.79.106.154,45.79.106.247] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 374"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522746; rev:3093;)
alert ip [45.79.108.96,45.79.109.55,45.79.138.8,45.79.181.153,45.79.184.114,45.79.189.111,45.79.218.205,45.79.67.237,45.79.76.174,45.79.84.186] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 375"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522748; rev:3093;)
alert ip [45.79.85.112,45.79.88.43,45.79.89.133,45.79.92.94,45.79.95.244,45.79.99.101,46.101.100.94,46.101.101.102,46.101.102.71,46.101.104.245] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 376"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522750; rev:3093;)
alert ip [46.101.131.100,46.101.141.15,46.101.142.174,46.101.149.105,46.101.151.222,46.101.152.147,46.101.169.151,46.101.170.138,46.101.183.160,46.101.192.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 377"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522752; rev:3093;)
alert ip [46.101.216.71,46.101.220.187,46.101.231.44,46.101.37.23,46.101.6.132,46.101.9.51,46.101.98.130,46.105.121.81,46.105.123.162,46.105.185.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 378"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522754; rev:3093;)
alert ip [46.105.227.109,46.105.63.44,46.105.84.178,46.105.95.112,46.124.76.233,46.127.12.33,46.127.20.181,46.127.31.29,46.127.3.164,46.128.114.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 379"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522756; rev:3093;)
alert ip [46.128.251.202,46.128.34.32,46.128.60.60,46.128.6.254,46.142.48.128,46.144.166.250,46.148.18.34,46.148.212.113,46.151.27.101,46.161.146.75] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 380"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522758; rev:3093;)
alert ip [46.162.192.166,46.163.76.170,46.163.78.14,46.163.81.190,46.164.242.169,46.165.197.96,46.165.221.166,46.165.221.207,46.165.242.166,46.165.250.224] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 381"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522760; rev:3093;)
alert ip [46.165.253.180,46.165.254.40,46.166.162.34,46.166.165.118,46.166.165.129,46.166.165.57,46.166.165.87,46.166.167.46,46.167.245.43,46.167.245.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 382"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522762; rev:3093;)
alert ip [46.173.38.149,46.17.42.50,46.17.63.214,46.182.132.129,46.182.142.222,46.182.18.111,46.182.18.223,46.182.18.245,46.182.19.151,46.182.208.28] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 383"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522764; rev:3093;)
alert ip [46.188.4.37,46.188.44.25,46.19.137.186,46.19.143.139,46.20.246.119,46.20.35.114,46.208.95.155,46.21.144.10,46.21.147.19,46.219.2.21] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 384"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522766; rev:3093;)
alert ip [46.22.209.99,46.22.212.230,46.227.96.218,46.228.18.237,46.229.238.172,46.23.70.195,46.23.72.81,46.238.12.208,46.23.85.31,46.239.108.194] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 385"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522768; rev:3093;)
alert ip [46.242.3.30,46.244.143.143,46.246.26.104,46.246.39.219,46.246.93.70,46.249.27.184,46.249.37.109,46.249.37.143,46.251.85.30,46.252.26.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 386"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522770; rev:3093;)
alert ip [46.28.109.231,46.28.110.219,46.28.110.244,46.28.204.20,46.28.205.187,46.28.205.75,46.28.207.107,46.28.207.69,46.28.64.234,46.28.68.150] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 387"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522772; rev:3093;)
alert ip [46.28.68.157,46.28.69.53,46.29.248.136,46.36.39.134,46.38.231.209,46.38.233.242,46.38.234.158,46.38.237.221,46.38.241.16,46.38.250.39] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 388"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522774; rev:3093;)
alert ip [46.38.251.194,46.38.48.225,46.38.51.18,46.39.102.250,46.39.183.60,46.39.227.136,46.39.251.87,46.39.253.63,46.4.0.89,46.4.103.35] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 389"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522776; rev:3093;)
alert ip [46.4.111.124,46.41.132.84,46.4.122.173,46.4.124.165,46.4.125.2,46.4.144.81,46.41.59.223,46.4.174.52,46.4.183.122,46.4.25.214] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 390"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522778; rev:3093;)
alert ip [46.4.253.194,46.4.34.242,46.43.50.92,46.4.40.67,46.4.49.201,46.4.57.151,46.4.58.90,46.4.77.210,46.4.78.3,46.4.81.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 391"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522780; rev:3093;)
alert ip [46.5.233.143,46.59.151.24,46.59.156.138,46.59.209.134,46.59.219.11,46.59.220.98,46.59.72.157,46.59.99.37,46.6.100.154,46.6.79.80] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 392"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522782; rev:3093;)
alert ip [46.6.82.38,46.7.12.146,46.72.216.20,46.7.90.69,46.83.59.214,46.83.63.158,46.84.27.129,46.84.64.91,46.84.66.213,46.87.74.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 393"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522784; rev:3093;)
alert ip [46.91.217.213,46.9.195.188,46.93.224.82,46.93.90.218,47.150.71.57,47.151.150.13,47.152.227.184,47.154.80.129,47.184.12.62,47.211.130.217] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 394"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522786; rev:3093;)
alert ip [47.21.17.46,47.33.13.234,47.34.248.45,47.36.210.167,47.40.229.162,47.52.119.59,47.55.183.10,47.89.178.105,47.89.179.48,47.89.185.247] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 395"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522788; rev:3093;)
alert ip [47.89.191.36,47.89.22.90,47.90.204.139,47.90.204.154,49.212.166.38,50.0.60.210,50.111.33.100,50.116.10.242,50.116.21.172,50.116.39.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 396"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522790; rev:3093;)
alert ip [50.116.40.6,50.116.47.139,50.116.48.133,50.116.49.46,50.116.5.153,50.116.56.48,50.116.7.64,50.193.143.42,50.193.202.38,50.1.99.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 397"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522792; rev:3093;)
alert ip [50.244.200.221,50.31.252.11,50.31.252.43,50.38.36.6,50.53.113.124,50.65.176.4,50.66.85.45,50.7.115.12,50.7.115.67,50.7.116.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 398"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522794; rev:3093;)
alert ip [50.7.151.127,50.7.151.32,50.7.151.47,50.7.176.2,50.7.177.26,50.7.178.146,50.7.178.34,50.7.178.98,50.7.179.202,50.7.179.251] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 399"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522796; rev:3093;)
alert ip [50.7.184.58,50.7.186.38,50.74.108.76,50.76.49.97,50.7.74.171,50.7.74.172,50.89.199.56,5.101.102.82,5.101.103.70,5.10.178.94] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 400"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522798; rev:3093;)
alert ip [5.104.106.38,5.104.90.29,51.141.6.250,51.15.11.64,51.15.128.190,51.15.129.69,51.15.130.249,51.15.130.76,51.15.131.121,51.15.131.29] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 401"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522800; rev:3093;)
alert ip [51.15.13.245,51.15.133.16,51.15.135.5,51.15.137.146,51.15.137.183,51.15.138.145,51.15.139.200,51.15.141.181,51.15.142.10,51.15.142.73] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 402"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522802; rev:3093;)
alert ip [51.15.143.126,51.15.143.178,51.15.143.20,51.15.143.239,51.15.166.221,51.15.171.97,51.15.177.148,51.15.193.126,51.15.3.40,51.15.34.125] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 403"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522804; rev:3093;)
alert ip [51.15.34.165,51.15.36.164,51.15.36.183,51.15.36.42,51.15.37.171,51.15.37.252,51.15.37.97,51.15.38.13,51.15.38.131,51.15.39.53] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 404"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522806; rev:3093;)
alert ip [51.15.39.65,51.15.40.11,51.15.4.10,51.15.41.61,51.15.42.19,51.15.44.251,51.15.44.54,51.15.4.55,51.15.45.92,51.15.46.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 405"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522808; rev:3093;)
alert ip [51.15.46.240,51.15.46.45,51.15.46.47,51.15.47.17,51.15.47.62,51.15.48.254,51.15.49.157,51.15.49.8,51.15.50.109,51.15.50.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 406"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522810; rev:3093;)
alert ip [51.15.51.7,51.15.52.120,51.15.52.244,51.15.53.199,51.15.53.75,51.15.54.132,51.15.54.182,51.15.55.114,51.15.56.101,51.15.56.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 407"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522812; rev:3093;)
alert ip [51.15.56.123,51.15.56.40,51.15.58.152,51.15.58.212,51.15.59.29,51.15.60.102,51.15.60.93,51.15.61.46,51.15.61.7,51.15.62.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 408"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522814; rev:3093;)
alert ip [51.15.62.52,51.15.65.104,51.15.66.23,51.15.66.75,51.15.67.196,51.15.67.36,51.15.67.77,51.15.68.208,51.15.69.160,51.15.69.4] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 409"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522816; rev:3093;)
alert ip [51.15.69.92,51.15.71.243,51.15.71.41,51.15.72.156,51.15.72.209,51.15.72.230,51.15.72.253,51.15.73.133,51.15.73.178,51.15.74.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 410"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522818; rev:3093;)
alert ip [51.15.76.141,51.15.76.56,51.15.77.102,51.15.77.244,51.15.77.25,51.15.78.0,51.15.78.99,51.15.8.23,51.15.9.100,5.11.66.213] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 411"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522820; rev:3093;)
alert ip [51.174.197.117,51.175.193.142,51.175.4.172,51.175.50.162,51.175.64.222,5.12.14.91,51.254.101.176,51.254.101.242,51.254.115.225,51.254.120.82] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 412"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522822; rev:3093;)
alert ip [51.254.124.210,51.254.131.226,51.254.135.213,51.254.136.195,51.254.164.50,51.254.202.160,51.254.209.197,51.254.218.247,51.254.220.21,51.254.221.144] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 413"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522824; rev:3093;)
alert ip [51.254.35.151,51.254.38.249,51.254.45.43,51.255.113.29,51.255.168.229,51.255.169.10,51.255.175.53,51.255.198.77,51.255.203.235,51.255.206.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 414"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522826; rev:3093;)
alert ip [51.255.211.235,51.255.39.110,51.255.40.231,51.255.41.65,51.255.41.91,51.255.44.183,51.255.48.78,51.255.50.238,51.255.50.60,51.255.75.3] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 415"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522828; rev:3093;)
alert ip [51.255.95.102,5.13.235.160,5.135.115.34,5.135.145.195,5.135.152.143,5.135.152.66,5.135.155.121,5.135.159.128,5.135.162.217,5.135.162.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 416"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522830; rev:3093;)
alert ip [5.135.163.78,5.135.176.38,5.135.178.184,5.135.181.213,5.135.182.130,5.135.184.24,5.135.185.145,5.135.186.73,5.135.188.128,5.135.191.185] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 417"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522832; rev:3093;)
alert ip [5.135.199.13,5.135.234.164,5.135.43.38,5.135.65.145,5.141.9.164,5.141.95.84,5.145.46.166,5.146.129.127,5.147.113.133,5.147.125.93] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 418"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522834; rev:3093;)
alert ip [5.147.152.177,5.147.172.122,5.147.248.158,5.148.175.35,5.148.180.48,5.150.221.137,5.150.233.239,5.15.205.85,51.52.35.169,5.158.176.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 419"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522836; rev:3093;)
alert ip [5.164.247.4,5.165.33.31,5.167.155.131,5.172.146.219,5.186.143.227,5.187.48.62,5.187.49.158,5.189.132.79,5.189.138.9,5.189.139.38] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 420"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522838; rev:3093;)
alert ip [5.189.140.21,5.189.142.118,5.189.143.28,5.189.150.139,5.189.153.185,5.189.159.21,5.189.164.230,5.189.169.190,5.189.181.61,5.189.183.90] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 421"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522840; rev:3093;)
alert ip [5.19.162.103,5.19.184.37,5.19.204.140,51.9.208.170,5.196.20.5,5.196.20.85,5.196.222.56,5.196.23.64,5.196.239.114,5.196.26.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 422"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522842; rev:3093;)
alert ip [5.196.29.217,5.196.58.96,5.196.71.24,5.196.72.233,5.196.88.122,5.199.133.193,5.199.142.112,5.199.142.236,5.199.167.207,5.200.23.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 423"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522844; rev:3093;)
alert ip [5.206.225.118,52.10.125.140,52.165.217.243,52.169.10.90,52.173.146.98,52.183.47.155,52.208.34.152,52.209.187.176,52.210.94.70,52.214.216.237] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 424"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522846; rev:3093;)
alert ip [52.215.92.62,52.242.26.186,52.27.7.31,5.228.12.221,5.230.145.65,52.35.11.2,52.36.85.58,52.39.6.26,52.42.94.200,52.48.130.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 425"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522848; rev:3093;)
alert ip [5.249.145.164,5.249.149.153,5.249.159.198,5.249.159.209,52.51.121.89,5.2.54.152,5.255.61.130,5.255.82.75,5.255.86.131,5.255.90.162] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 426"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522850; rev:3093;)
alert ip [52.56.124.204,52.59.252.78,52.60.215.15,52.63.134.148,52.66.117.126,52.66.79.102,52.6.9.146,5.2.70.162,5.2.73.217,5.2.74.83] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 427"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522852; rev:3093;)
alert ip [5.2.75.42,5.28.106.163,52.90.84.21,5.29.115.159,52.91.227.251,5.34.180.231,5.34.183.205,5.39.218.131,5.39.33.176,5.39.33.178] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 428"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522854; rev:3093;)
alert ip [5.39.64.7,5.39.77.208,5.39.80.135,5.39.80.28,5.39.81.102,5.39.82.192,5.39.83.217,5.39.83.27,5.39.86.206,5.39.89.124] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 429"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522856; rev:3093;)
alert ip [5.39.91.86,5.39.92.199,5.39.94.169,5.39.95.142,54.153.249.26,54.179.98.204,54.187.239.16,54.201.201.93,54.202.82.18,54.218.172.0] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 430"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522858; rev:3093;)
alert ip [54.233.155.67,54.241.9.145,54.244.208.214,54.245.9.252,54.36.38.63,5.44.101.190,5.45.100.22,5.45.107.56,5.45.108.48,5.45.109.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 431"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522860; rev:3093;)
alert ip [5.45.111.145,5.45.97.127,54.71.227.111,54.86.232.140,54.88.165.229,54.92.68.99,54.94.154.154,54.94.85.201,5.51.106.108,5.51.204.241] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 432"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522862; rev:3093;)
alert ip [5.57.243.84,5.61.239.34,5.61.34.63,5.79.74.220,5.79.75.37,5.79.86.15,58.176.161.172,5.8.54.12,5.8.54.27,58.93.43.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 433"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522864; rev:3093;)
alert ip [58.96.66.25,5.9.102.198,5.9.110.236,5.9.112.137,5.9.121.207,5.9.121.79,5.9.121.87,5.9.122.110,5.9.129.218,5.9.140.173] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 434"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522866; rev:3093;)
alert ip [5.9.142.76,5.9.147.226,5.9.149.100,5.9.149.55,5.9.149.70,5.9.150.40,5.9.153.114,5.9.156.17,5.9.171.38,5.9.181.162] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 435"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522868; rev:3093;)
alert ip [5.9.188.182,5.9.191.52,5.9.212.204,5.9.239.228,5.9.253.234,5.9.25.79,5.9.39.113,5.9.40.121,5.9.43.3,5.9.50.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 436"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522870; rev:3093;)
alert ip [5.9.56.12,5.9.58.137,5.9.61.207,5.9.62.17,5.9.7.130,5.9.79.142,5.9.79.154,5.9.81.41,5.9.83.204,5.9.88.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 437"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522872; rev:3093;)
alert ip [5.9.98.43,60.112.213.201,60.225.57.95,60.234.102.113,60.48.251.22,61.68.248.113,61.68.41.40,61.68.46.18,62.102.148.172,62.103.152.170] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 438"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522874; rev:3093;)
alert ip [62.103.152.219,62.103.152.227,62.103.152.228,62.108.196.73,62.109.20.48,62.109.4.115,62.113.216.173,62.113.216.177,62.113.227.124,62.113.241.182] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 439"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522876; rev:3093;)
alert ip [62.113.241.207,62.113.254.114,62.12.115.107,62.138.10.60,62.138.10.61,62.138.10.62,62.138.7.171,62.138.7.231,62.141.36.150,62.141.48.175] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 440"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522878; rev:3093;)
alert ip [62.141.51.90,62.141.52.185,62.141.54.86,62.143.28.23,62.149.2.188,62.152.43.203,62.157.77.139,62.167.72.32,62.168.3.212,62.173.154.153] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 441"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522880; rev:3093;)
alert ip [62.176.239.229,62.180.109.11,62.194.12.77,62.194.76.2,62.197.207.182,62.199.169.123,62.210.105.47,62.210.107.86,62.210.109.48,62.210.123.24] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 442"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522882; rev:3093;)
alert ip [62.210.125.130,62.210.132.56,62.210.137.230,62.210.138.3,62.210.170.143,62.210.180.21,62.210.190.5,62.210.203.90,62.210.206.159,62.210.206.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 443"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522884; rev:3093;)
alert ip [62.210.206.53,62.210.213.17,62.210.217.207,62.210.244.146,62.210.24.46,62.210.247.178,62.210.254.132,62.210.36.16,62.210.36.46,62.210.69.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 444"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522886; rev:3093;)
alert ip [62.210.69.236,62.210.74.110,62.210.75.84,62.210.76.88,62.210.82.244,62.210.84.34,62.210.90.164,62.210.90.75,62.210.92.11,62.210.93.142] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 445"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522888; rev:3093;)
alert ip [62.212.72.243,62.213.214.207,62.214.6.61,62.216.5.120,62.216.54.29,62.217.124.253,62.219.182.42,62.219.46.133,62.220.148.87,62.220.148.97] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 446"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522890; rev:3093;)
alert ip [62.224.109.251,62.224.67.233,62.235.105.147,62.242.177.175,62.245.57.78,62.249.170.186,62.251.50.232,62.251.89.74,62.37.150.20,62.4.15.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 447"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522892; rev:3093;)
alert ip [62.6.132.155,62.64.191.92,62.65.107.36,62.68.14.206,62.72.82.222,62.75.147.82,62.75.203.76,62.75.255.37,62.78.245.129,64.137.144.195] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 448"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522894; rev:3093;)
alert ip [64.137.162.93,64.137.163.132,64.137.166.21,64.137.181.8,64.137.191.74,64.137.193.88,64.137.193.91,64.137.193.92,64.137.195.214,64.137.203.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 449"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522896; rev:3093;)
alert ip [64.137.212.51,64.137.220.124,64.137.227.206,64.137.230.59,64.137.240.201,64.137.242.125,64.137.243.27,64.137.243.67,64.137.247.191,64.137.249.201] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 450"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522898; rev:3093;)
alert ip [64.178.138.94,64.228.188.98,64.237.51.46,64.33.179.214,64.91.6.244,64.94.238.142,65.102.134.108,65.183.146.221,65.183.218.89,65.19.167.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 451"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522900; rev:3093;)
alert ip [65.19.167.134,65.19.178.177,65.19.178.241,65.24.56.15,65.50.203.5,65.94.17.75,66.111.2.20,66.111.2.34,66.111.62.85,66.148.116.90] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 452"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522902; rev:3093;)
alert ip [83.253.136.88,83.254.19.5,83.254.93.78,83.33.79.205,83.37.107.244,83.37.125.244,83.40.159.127,83.55.10.34,83.60.126.121,8.37.14.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 538"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523074; rev:3093;)
alert ip [83.76.91.146,83.85.252.55,83.86.120.4,83.87.163.195,83.97.85.145,84.10.12.74,84.106.234.152,84.107.116.107,84.112.147.73,84.112.41.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 539"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523076; rev:3093;)
alert ip [84.114.3.54,84.114.57.193,84.115.197.133,84.115.25.42,84.118.164.156,84.128.105.189,84.130.124.138,84.132.221.14,84.133.3.94,84.133.79.167] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 540"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523078; rev:3093;)
alert ip [84.142.199.143,84.147.44.33,84.154.219.13,84.156.27.127,84.157.130.216,84.157.50.116,84.158.221.123,84.159.89.43,84.160.71.137,84.16.241.89] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 541"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523080; rev:3093;)
alert ip [84.164.218.243,84.168.200.152,84.170.120.107,84.17.21.50,84.173.201.133,84.176.97.168,84.179.218.191,84.180.110.191,84.180.215.81,84.182.191.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 542"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523082; rev:3093;)
alert ip [84.182.57.238,84.187.131.93,84.190.34.220,84.191.36.51,84.19.178.155,84.19.178.79,84.19.179.106,84.19.179.229,84.195.229.182,84.198.103.245] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 543"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523084; rev:3093;)
alert ip [84.200.106.6,84.200.206.99,84.200.77.243,84.200.8.207,84.200.8.33,84.208.170.253,84.209.131.13,84.211.49.30,84.216.252.200,84.219.130.131] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 544"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523086; rev:3093;)
alert ip [84.226.125.7,84.2.34.74,84.236.38.14,84.240.60.234,84.241.65.20,84.244.31.52,84.245.15.253,84.245.25.64,84.245.27.209,84.245.30.154] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 545"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523088; rev:3093;)
alert ip [84.248.100.7,84.248.120.6,84.248.223.126,84.249.11.195,84.250.184.214,84.250.227.192,84.250.229.213,84.250.39.220,8.42.76.105,84.27.95.53] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 546"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523090; rev:3093;)
alert ip [84.31.70.198,84.38.134.12,84.38.68.90,84.40.112.70,84.44.179.22,84.44.199.57,84.45.76.10,84.45.76.11,84.45.76.12,84.45.76.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 547"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523092; rev:3093;)
alert ip [84.46.45.105,84.46.47.170,84.47.78.125,84.50.177.101,84.52.225.99,84.53.247.169,84.55.82.94,84.57.132.42,84.63.193.31,84.63.245.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 548"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523094; rev:3093;)
alert ip [84.73.20.157,84.73.220.65,84.74.101.248,84.74.253.127,84.74.80.210,84.75.179.223,84.75.94.209,84.80.80.69,84.81.140.11,84.92.97.97] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 549"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523096; rev:3093;)
alert ip [84.9.49.106,85.10.113.36,85.10.196.12,85.10.198.236,85.10.201.47,85.10.203.71,85.10.240.250,85.113.226.98,85.113.39.154,85.114.133.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 550"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523098; rev:3093;)
alert ip [85.119.82.151,85.119.83.141,85.1.32.115,85.140.184.38,85.14.244.114,85.14.245.175,85.14.249.247,85.144.52.175,85.152.229.51,85.159.211.55] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 551"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523100; rev:3093;)
alert ip [85.159.237.210,85.164.238.48,85.169.111.217,85.17.112.163,85.17.112.32,85.171.173.161,85.17.164.165,85.17.164.172,85.17.194.180,85.17.214.177] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 552"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523102; rev:3093;)
alert ip [85.176.222.176,85.179.90.198,85.180.41.212,85.180.89.64,85.181.54.110,85.183.102.49,85.184.160.128,85.195.207.92,85.195.215.194,85.195.235.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 553"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523104; rev:3093;)
alert ip [85.195.237.134,85.195.237.40,85.195.252.93,85.195.255.205,85.195.82.76,85.197.31.100,85.204.121.218,85.21.144.224,85.21.144.33,85.212.37.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 554"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523106; rev:3093;)
alert ip [85.212.60.178,85.212.60.3,85.212.8.191,85.214.101.233,85.214.115.214,85.214.124.168,85.214.128.199,85.214.136.179,85.214.144.127,85.214.144.159] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 555"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523108; rev:3093;)
alert ip [85.214.20.43,85.214.206.219,85.214.212.153,85.214.222.152,85.214.236.207,85.214.44.172,85.214.54.254,85.214.56.180,85.214.58.236,85.214.62.48] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 556"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523110; rev:3093;)
alert ip [85.214.62.94,85.214.69.75,85.214.74.47,85.216.128.76,85.218.19.154,85.218.82.169,85.220.190.246,85.220.42.195,85.222.0.229,85.227.129.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 557"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523112; rev:3093;)
alert ip [85.229.228.174,85.229.37.150,85.229.84.141,85.230.184.93,85.230.21.88,85.23.194.151,85.23.194.153,85.235.225.239,85.235.250.88,85.237.43.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 558"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523114; rev:3093;)
alert ip [85.24.183.236,85.24.188.22,85.244.122.69,85.246.242.197,85.25.111.77,85.25.13.222,85.25.132.5,85.25.133.34,85.25.150.216,85.25.159.253] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 559"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523116; rev:3093;)
alert ip [85.25.159.65,85.25.210.223,85.25.213.211,85.25.248.108,85.25.44.141,85.255.1.158,85.31.186.253,85.5.164.201,85.52.147.46,85.90.247.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 560"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523118; rev:3093;)
alert ip [85.93.16.47,85.93.17.143,85.93.217.20,86.103.181.196,86.103.207.103,86.104.15.15,86.105.212.130,86.105.212.204,86.106.137.6,86.107.110.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 561"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523120; rev:3093;)
alert ip [86.107.110.254,86.107.110.34,86.107.110.51,86.107.110.82,86.110.117.166,86.115.45.141,86.123.52.188,86.124.38.162,86.142.149.240,86.143.8.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 562"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523122; rev:3093;)
alert ip [86.150.235.216,86.164.122.208,86.171.122.38,86.17.252.138,86.174.156.27,86.179.31.216,86.181.198.165,86.19.102.206,86.194.79.171,86.201.56.209] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 563"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523124; rev:3093;)
alert ip [86.215.161.214,86.23.4.224,86.237.8.54,86.239.246.46,86.248.190.6,86.25.228.206,86.253.207.211,86.29.208.115,86.31.40.147,86.3.172.141] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 564"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523126; rev:3093;)
alert ip [86.56.172.235,86.59.119.83,86.59.119.88,86.59.21.163,86.59.21.38,86.7.140.31,86.73.143.244,86.83.122.203,86.86.173.62,86.87.106.215] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 565"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523128; rev:3093;)
alert ip [86.88.32.199,87.100.131.62,87.102.15.216,87.102.172.100,87.106.140.24,87.106.14.159,87.106.145.238,87.106.208.236,87.106.249.118,87.106.59.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 566"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523130; rev:3093;)
alert ip [87.118.110.113,87.118.111.27,87.118.112.136,87.118.112.63,87.118.114.134,87.118.116.227,87.118.122.120,87.118.122.201,87.118.126.206,87.118.126.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 567"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523132; rev:3093;)
alert ip [87.118.89.28,87.118.94.2,87.120.254.161,87.120.254.204,87.121.98.208,87.121.98.43,87.122.110.161,87.122.110.190,87.122.96.132,87.123.149.181] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 568"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523134; rev:3093;)
alert ip [87.123.35.186,87.128.103.242,87.128.111.190,87.139.33.217,87.140.70.14,87.140.80.53,87.146.194.183,87.148.147.123,87.149.117.13,87.150.13.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 569"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523136; rev:3093;)
alert ip [87.151.25.84,87.15.243.146,87.153.102.225,87.157.177.171,87.157.183.223,87.159.56.141,87.163.50.7,87.169.255.104,87.170.157.10,87.172.1.40] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 570"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523138; rev:3093;)
alert ip [87.17.221.66,87.173.60.125,87.174.237.66,87.176.52.57,87.176.54.116,87.177.140.98,87.177.171.142,87.180.36.240,87.181.87.166,87.182.204.132] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 571"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523140; rev:3093;)
alert ip [87.183.239.19,87.184.200.45,87.185.40.120,87.186.43.179,87.187.212.74,87.187.216.139,87.187.218.184,87.187.36.44,87.193.179.238,87.193.208.14] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 572"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523142; rev:3093;)
alert ip [87.205.153.191,87.206.52.43,87.219.93.174,87.230.25.149,87.231.28.173,87.236.194.23,87.236.215.156,87.236.215.83,87.236.27.155,87.254.66.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 573"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523144; rev:3093;)
alert ip [87.52.3.33,87.72.197.113,87.72.239.187,87.72.73.231,87.73.84.77,87.78.98.152,87.79.181.31,87.79.79.94,87.79.95.151,87.88.49.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 574"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523146; rev:3093;)
alert ip [87.92.163.24,87.98.180.9,87.98.185.5,87.98.243.150,87.98.245.84,88.109.16.208,88.113.152.171,88.130.97.249,88.130.99.84,88.152.235.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 575"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523148; rev:3093;)
alert ip [88.156.10.253,88.156.182.196,88.159.152.177,88.159.164.249,88.159.254.102,88.159.76.202,88.163.244.124,88.165.244.169,88.17.157.204,88.176.12.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 576"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523150; rev:3093;)
alert ip [88.180.173.63,88.187.120.90,88.187.233.27,88.188.17.198,88.191.138.57,88.191.212.33,88.193.129.197,88.193.138.181,88.193.200.225,88.198.107.179] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 577"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523152; rev:3093;)
alert ip [88.198.109.149,88.198.110.194,88.198.119.197,88.198.13.116,88.198.148.255,88.198.164.219,88.198.192.156,88.198.19.4,88.198.194.89,88.198.207.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523154; rev:3093;)
alert ip [88.198.44.145,88.198.6.3,88.198.70.137,88.204.112.242,88.208.121.78,88.208.220.123,88.21.232.113,88.217.143.53,88.64.76.6,88.66.247.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 579"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523156; rev:3093;)
alert ip [88.66.85.27,88.67.47.98,88.7.230.172,88.73.134.236,88.74.215.91,88.80.214.189,88.86.102.163,88.91.112.31,88.98.252.234,88.99.104.94] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 580"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523158; rev:3093;)
alert ip [88.99.141.248,88.99.14.92,88.99.162.199,88.99.169.186,88.99.170.243,88.99.172.64,88.99.174.144,88.99.186.21,88.99.189.0,88.99.199.87] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 581"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523160; rev:3093;)
alert ip [88.99.21.163,88.99.21.171,88.99.216.194,88.99.217.110,88.99.2.24,88.99.27.131,88.99.31.186,88.99.35.178,88.99.36.32,88.99.70.107] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 582"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523162; rev:3093;)
alert ip [88.99.90.203,88.99.96.224,89.0.158.33,89.0.53.125,89.100.9.6,89.102.142.167,89.107.155.162,89.111.20.68,89.12.177.229,89.1.28.168] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 583"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523164; rev:3093;)
alert ip [89.13.225.51,89.13.237.53,89.133.129.147,89.13.44.164,89.13.67.50,89.14.152.171,89.150.174.50,89.16.176.158,89.162.0.126,89.163.141.115] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 584"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523166; rev:3093;)
alert ip [89.163.141.116,89.163.146.41,89.163.210.163,89.163.210.164,89.163.211.42,89.163.216.165,89.163.219.118,89.163.219.27,89.163.224.187,89.163.224.250] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 585"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523168; rev:3093;)
alert ip [89.163.224.70,89.163.225.115,89.163.225.145,89.163.225.6,89.163.225.7,89.163.242.53,89.163.245.116,89.163.245.181,89.163.245.184,89.163.245.199] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 586"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523170; rev:3093;)
alert ip [89.163.246.127,89.163.246.250,89.163.247.115,89.163.249.200,89.163.249.201,89.166.124.13,89.173.212.31,89.175.27.163,89.176.17.234,89.179.119.165] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 587"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523172; rev:3093;)
alert ip [89.18.172.112,89.18.173.41,89.183.209.51,89.187.143.81,89.188.109.210,89.191.217.1,89.207.129.150,89.217.38.172,89.217.96.72,89.22.100.64] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523174; rev:3093;)
alert ip [89.221.210.122,89.221.210.151,89.223.27.241,89.22.97.193,89.2.29.89,89.23.229.110,89.234.182.176,89.234.186.18,89.236.144.248,89.238.178.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 589"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523176; rev:3093;)
alert ip [89.238.178.123,89.238.178.238,89.238.66.240,89.244.173.134,89.244.205.159,89.245.104.57,89.247.11.173,89.247.199.126,89.247.202.92,89.247.47.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 590"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523178; rev:3093;)
alert ip [89.247.61.188,89.247.6.83,89.248.170.227,89.249.65.6,89.33.246.114,89.33.6.24,89.34.237.13,89.34.237.21,89.34.237.230,89.35.134.154] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 591"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523180; rev:3093;)
alert ip [89.35.178.104,89.35.29.19,89.35.29.26,89.35.39.108,89.3.76.94,89.39.67.33,89.40.116.223,89.40.119.43,89.40.125.73,89.40.126.152] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 592"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523182; rev:3093;)
alert ip [89.45.67.137,89.46.100.162,89.46.100.71,89.46.222.254,89.46.70.98,89.67.100.248,89.71.161.30,89.73.57.178,89.82.171.44,89.89.43.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 593"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523184; rev:3093;)
alert ip [90.146.141.214,90.155.76.242,90.184.239.156,90.215.206.6,90.224.9.202,90.225.80.159,90.228.240.43,90.230.158.145,90.254.70.1,90.34.208.210] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 594"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523186; rev:3093;)
alert ip [90.3.4.65,90.45.213.132,90.65.63.146,90.79.101.154,90.79.169.1,90.87.129.49,90.90.170.255,90.92.136.122,91.100.103.196,91.105.203.92] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 595"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523188; rev:3093;)
alert ip [91.106.170.116,91.106.172.58,91.106.193.118,91.109.29.241,91.121.109.209,91.121.116.34,91.121.1.20,91.121.147.65,91.121.154.109,91.121.155.33] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 596"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523190; rev:3093;)
alert ip [91.121.158.17,91.121.160.215,91.121.160.6,91.121.166.152,91.121.16.67,91.121.177.171,91.121.183.178,91.121.192.154,91.121.195.169,91.121.205.56] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 597"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523192; rev:3093;)
alert ip [91.121.218.189,91.121.224.10,91.121.230.208,91.121.230.212,91.121.230.214,91.121.230.216,91.121.230.218,91.121.23.100,91.121.28.66,91.121.67.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 598"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523194; rev:3093;)
alert ip [91.121.73.223,91.121.76.175,91.121.78.119,91.121.79.188,91.121.82.25,91.121.83.108,91.121.84.137,91.121.85.130,91.121.89.201,91.121.98.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 599"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523196; rev:3093;)
alert ip [91.122.100.13,91.122.31.175,91.122.46.175,91.122.47.234,91.122.52.237,91.123.24.138,91.124.27.210,91.126.45.228,91.130.33.90,91.134.131.128] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 600"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523198; rev:3093;)
alert ip [91.134.133.88,91.134.135.12,91.134.137.99,91.134.140.21,91.134.180.240,91.134.217.18,91.134.237.118,91.136.164.146,91.138.71.236,91.143.80.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 601"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523200; rev:3093;)
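Review bot: these signatures match "Known Tor Relay/Router (Not Exit)" nodes, so an inbound hit is a non-exit relay contacting $HOME_NET, not an anonymised Tor client; their practical value is the `flowbits:set,ET.TorIP` tag that downstream rules key on, yet they carry `classtype:misc-attack`, which will show up as attack-class alerts for what is mostly relay-to-relay or operator traffic. Consider documenting in the cookbook that the exit-node list is the one to alert on and that this group is best run at a lower priority or with the flowbit only, and note that the list is pinned at `rev:3093` so it needs a refresh mechanism rather than a one-time vendoring.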


@ -0,0 +1,86 @@
#
# $Id: emerging-compromised.rules
# Rules to block known hostile or compromised hosts. These lists are updated daily or better from many sources
#
#Sources include:
#
# Daniel Gerzo's BruteForceBlocker
# http://danger.rulez.sk/projects/bruteforceblocker/
#
# The OpenBL
# http://www.openbl.org/ (formerly sshbl.org)
#
# And the Emerging Threats Sandnet and SidReporter Projects
#
# More information available at www.emergingthreats.net
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# VERSION 4467
# Generated 2017-09-22 00:30:02 EDT
alert ip [173.254.233.195,173.63.215.158,174.100.60.23,174.138.80.41,175.125.93.32,175.126.232.29,175.139.173.1,175.156.152.231,175.207.20.177,175.99.86.177,176.105.180.147,176.126.252.11,176.162.154.1,176.9.156.75,177.11.50.67,177.155.104.44,177.182.109.43,177.201.127.209,177.240.165.184,177.55.160.207,177.55.98.244,177.67.82.109,177.99.236.237,178.124.171.187,178.159.36.6,178.159.37.11,178.170.172.85,178.17.173.74,178.238.239.123,178.239.62.109] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 15"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500028; rev:4467;)
alert ip [178.62.34.57,178.62.95.5,178.73.195.109,178.93.174.229,179.159.163.243,179.198.1.41,179.41.195.194,180.101.143.2,180.150.224.2,180.150.224.4,180.153.151.93,180.153.19.139,180.166.22.98,180.168.166.121,180.168.76.230,180.169.129.228,180.175.55.213,180.76.140.154,180.76.150.192,180.76.165.244,181.168.78.160,181.214.205.130,181.214.87.4,181.26.141.193,182.126.102.242,182.163.126.241,182.18.153.206,182.245.29.89,182.253.226.82,182.253.66.2] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500030; rev:4467;)
alert ip [182.36.201.180,182.38.118.131,182.45.108.45,182.45.43.33,182.45.45.24,18.248.2.85,183.136.188.116,183.152.50.38,183.152.95.93,183.214.148.89,183.239.228.51,183.87.56.75,183.91.0.68,184.149.38.74,185.100.84.108,185.107.94.40,185.140.120.153,185.156.173.106,185.165.29.111,185.165.29.116,185.165.29.122,185.165.29.128,185.165.29.23,185.165.29.50,185.165.29.69,185.165.29.77,185.165.29.78,185.168.242.215,185.200.35.233,185.200.35.3] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500032; rev:4467;)
alert ip [185.2.82.45,185.48.207.32,185.55.218.100,185.55.218.34,185.55.218.95,185.56.81.2,185.67.3.144,185.74.36.30,185.8.50.36,186.227.226.158,186.227.234.116,186.4.156.124,187.177.120.75,187.18.54.167,187.18.58.193,187.189.153.69,187.22.231.227,187.84.3.188,188.0.67.184,188.120.254.159,188.121.2.243,188.121.26.102,188.152.201.116,188.165.230.6,188.166.175.211,188.166.34.129,188.187.121.39,188.190.59.137,188.243.168.56,189.114.229.185] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500034; rev:4467;)
alert ip [189.169.197.102,189.224.143.228,189.28.12.34,189.39.120.230,189.55.139.237,190.107.225.54,190.107.81.2,190.110.88.164,190.110.89.82,190.110.90.118,190.110.91.217,190.110.94.208,190.110.94.97,190.116.182.154,190.174.203.127,190.196.156.134,190.197.53.146,190.205.38.222,190.210.244.236,190.215.115.50,190.45.3.201,190.48.135.240,190.85.6.90,190.97.205.89,190.98.207.226,191.101.235.232,191.96.112.105,191.96.112.106,191.96.112.107,191.96.112.111] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500036; rev:4467;)
alert ip [191.96.112.112,191.96.249.114,191.96.249.145,191.96.249.156,191.96.249.38,191.96.249.82,192.129.162.2,192.241.225.16,192.248.87.22,193.104.205.177,193.111.63.192,193.201.224.208,193.201.224.212,193.201.224.214,193.201.224.216,193.201.224.218,193.201.224.232,193.34.144.30,193.40.7.6,193.93.217.142,194.105.205.42,194.213.34.106,194.2.209.2,194.33.76.162,195.154.255.158,195.154.34.127,195.154.37.186,195.154.55.131,195.171.242.187,195.22.126.177] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500038; rev:4467;)
alert ip [195.225.224.38,195.62.53.126,196.52.32.17,197.231.221.211,198.12.152.136,198.167.136.101,198.199.112.44,198.199.113.122,198.211.121.75,198.24.186.34,198.255.146.211,198.98.50.113,198.98.51.117,198.98.57.188,198.98.57.32,198.98.59.151,198.98.60.112,198.98.60.239,198.98.60.72,198.98.61.180,198.98.61.33,199.168.100.164,199.195.248.31,199.195.249.132,199.195.250.64,199.27.250.119,199.76.14.51,200.17.252.12,200.56.109.119,200.68.66.165] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500040; rev:4467;)
alert ip [201.144.84.82,201.178.158.127,201.178.184.127,201.193.197.106,201.232.89.209,201.249.207.212,201.48.226.19,202.107.104.119,202.108.199.14,202.129.207.109,202.131.237.149,202.201.64.102,202.29.153.142,202.55.93.98,202.73.50.214,202.80.184.2,202.85.222.225,203.126.140.172,203.128.73.185,203.174.85.138,203.195.160.105,203.215.172.170,203.254.127.19,203.80.94.137,203.86.69.132,204.152.209.14,204.188.251.130,205.185.113.181,207.138.132.44,207.195.19.153] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500042; rev:4467;)
alert ip [207.81.165.45,208.66.77.245,208.98.22.130,209.10.82.200,209.15.218.187,209.188.19.226,209.213.170.114,209.239.114.231,209.239.123.90,209.243.10.198,209.92.176.105,209.92.176.114,210.140.10.72,210.212.210.86,210.245.32.72,210.84.44.200,210.94.133.8,211.110.139.215,211.168.232.5,211.195.14.39,211.215.174.144,211.216.123.97,211.226.176.47,211.249.35.203,211.249.35.205,211.57.201.184,211.64.35.129,212.109.221.169,212.129.13.232,212.129.59.195] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500044; rev:4467;)
alert ip [212.143.128.139,212.159.139.204,212.237.37.123,212.237.40.247,212.237.40.48,212.237.41.114,212.237.42.218,212.237.42.252,212.237.42.61,212.237.43.138,212.237.43.44,212.237.44.26,212.237.45.105,212.237.45.188,212.237.45.212,212.237.45.84,212.237.46.210,212.47.243.174,212.47.250.7,212.51.189.201,212.83.136.196,212.83.141.81,212.83.147.105,212.85.202.67,213.113.215.115,213.136.81.74,213.136.94.221,213.149.105.28,213.32.69.137,213.74.201.146] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500046; rev:4467;)
alert ip [213.74.55.250,213.78.109.14,216.168.110.244,216.223.112.22,216.245.209.78,216.98.212.11,217.111.170.195,217.170.205.103,217.23.138.22,217.23.15.165,217.46.196.74,217.57.147.180,217.61.18.106,217.65.2.116,218.103.98.209,218.106.244.93,218.108.206.56,218.148.4.24,218.15.163.100,218.156.193.236,218.2.15.138,218.28.55.134,218.29.188.109,218.32.45.19,218.52.219.225,218.5.76.147,218.63.248.173,218.79.14.243,218.9.118.187,219.116.11.89] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 25"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500048; rev:4467;)
alert ip [219.159.249.219,219.221.10.99,219.239.227.252,219.239.227.253,220.130.148.106,220.149.235.114,220.72.146.117,220.85.152.96,221.135.104.112,221.145.110.21,221.148.106.180,221.163.191.92,221.192.4.18,222.107.38.1,222.161.37.110,222.220.93.11,222.237.36.38,222.38.230.2,222.73.12.22,2.228.167.211,222.84.159.196,222.91.125.174,222.99.52.246,223.112.4.242,223.112.77.186,223.112.87.85,223.166.92.4,223.30.251.140,223.68.134.29,2.24.131.203] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 26"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500050; rev:4467;)
alert ip [23.129.64.12,23.30.57.83,24.119.126.64,24.46.10.22,24.80.229.169,24.87.106.109,2.50.47.6,27.118.21.218,27.16.159.23,27.19.1.251,27.210.14.232,27.219.169.241,27.255.65.189,27.255.79.21,27.255.79.7,27.54.162.253,27.64.38.194,27.73.14.63,27.73.87.164,31.172.247.106,31.172.80.188,31.173.128.149,31.207.47.53,31.37.37.187,35.162.178.210,35.190.149.252,35.193.213.56,35.193.231.245,35.199.187.166,36.67.37.95] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 27"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500052; rev:4467;)
alert ip [36.7.87.34,37.221.242.40,37.49.224.119,37.49.225.93,37.57.17.101,39.108.169.46,40.113.22.5,40.121.158.5,40.121.221.115,40.69.164.199,40.71.206.237,40.71.222.21,40.71.82.183,40.83.253.82,40.83.255.188,40.86.186.117,41.190.93.225,41.210.160.3,41.76.226.88,41.77.222.57,41.78.78.66,42.112.26.24,42.115.138.8,42.159.204.117,42.159.249.108,42.159.250.5,42.55.73.197,42.62.73.85,42.93.81.115,42.94.140.79] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 28"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500054; rev:4467;)
alert ip [45.116.80.242,45.249.247.80,45.251.43.189,45.32.236.123,45.32.39.134,45.32.47.58,45.32.60.87,45.55.186.166,45.55.216.145,45.55.4.137,45.56.30.99,45.63.104.148,45.63.35.50,45.76.104.223,45.76.186.62,45.76.198.131,45.76.216.217,45.76.218.238,45.76.220.58,45.76.221.116,45.76.223.152,45.76.53.82,45.79.200.100,46.101.9.80,46.148.20.25,46.164.186.33,46.165.223.217,46.166.185.14,46.17.44.94,46.183.217.165] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 29"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500056; rev:4467;)
alert ip [46.18.3.47,46.188.19.235,46.39.222.2,46.41.134.10,46.4.71.142,46.6.48.15,47.154.229.1,47.22.51.154,47.90.201.99,47.90.202.171,47.90.204.225,47.92.158.26,47.93.223.84,49.116.146.210,49.176.210.112,49.177.224.46,49.207.182.120,49.236.203.74,49.248.152.178,49.51.37.225,50.115.166.21,50.115.166.22,50.116.55.19,50.117.38.106,50.117.86.160,50.118.255.159,50.19.160.96,50.226.124.68,50.247.173.145,50.248.163.25] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 30"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500058; rev:4467;)
alert ip [50.62.56.171,5.101.40.37,5.101.40.38,5.101.40.62,5.102.224.212,51.15.141.220,51.15.39.26,51.15.64.212,51.254.101.200,51.254.34.30,51.255.202.66,5.135.21.155,5.135.212.153,5.188.10.156,5.188.10.175,5.188.10.176,5.188.10.178,5.188.10.179,5.188.10.180,5.188.10.182,5.189.153.129,52.124.71.138,52.144.39.97,52.165.220.242,52.166.112.31,52.168.179.155,52.168.180.139,52.187.131.166,5.226.174.124,5.249.146.145] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 31"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500060; rev:4467;)
alert ip [52.64.87.237,52.88.81.95,5.39.217.25,54.245.26.231,5.79.105.11,5.8.18.184,5.8.18.190,58.187.120.180,58.218.213.65,58.221.249.102,58.227.192.158,58.241.120.6,58.242.74.231,58.246.118.252,58.249.54.22,58.30.96.130,58.30.96.133,58.30.96.143,58.46.245.50,58.62.144.229,59.12.201.230,59.13.69.5,59.15.95.50,59.16.74.234,59.175.153.94,59.19.177.128,59.27.218.55,59.49.46.60,59.56.69.126,60.12.229.225] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 32"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500062; rev:4467;)
alert ip [60.124.22.115,60.13.74.216,60.176.158.242,60.206.137.145,60.208.139.180,60.222.116.99,61.147.68.166,61.161.143.179,61.164.46.188,61.176.218.19,61.197.164.161,61.216.155.200,61.216.38.102,61.219.149.59,61.240.159.244,61.8.249.89,62.152.32.179,62.164.145.253,62.210.130.150,62.210.15.114,62.210.169.48,62.210.97.105,62.219.209.70,62.64.154.18,62.76.177.98,62.76.185.15,62.76.187.122,62.76.191.87,62.76.42.249,62.76.42.62] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 33"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500064; rev:4467;)
alert ip [62.76.42.99,62.76.44.35,63.135.10.242,64.113.32.29,64.137.192.185,64.50.176.226,64.59.144.120,64.66.226.188,64.71.135.233,65.130.73.219,66.201.100.124,66.35.51.195,66.35.51.198,66.58.155.50,66.58.199.149,66.76.143.225,66.96.203.242,67.205.138.240,67.205.185.191,69.131.92.126,71.230.124.219,72.34.55.130,72.35.252.25,73.207.67.124,73.223.158.230,73.231.34.71,73.235.81.87,73.32.240.93,74.208.155.102,74.208.45.40] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 34"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500066; rev:4467;)
alert ip [74.52.53.204,76.164.197.48,76.191.17.120,76.74.219.170,76.8.60.134,77.105.1.80,77.123.76.69,77.242.132.150,77.72.82.171,77.72.82.199,77.72.83.249,77.72.85.100,77.81.226.157,78.113.206.194,78.129.10.146,78.138.91.6,78.146.59.79,78.188.21.107,78.195.178.119,78.203.141.125,78.203.248.197,78.211.73.147,78.224.40.128,78.245.236.138,78.43.104.193,78.47.64.211,79.106.161.36,79.137.39.158,79.143.191.24,79.148.105.88] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 35"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500068; rev:4467;)
alert ip [79.46.205.166,80.11.28.58,80.14.151.90,80.211.226.174,80.211.231.211,80.211.232.174,80.216.42.120,80.243.184.26,80.26.255.232,80.77.43.49,80.82.64.203,80.98.98.181,81.137.199.29,81.143.231.26,81.167.233.182,81.169.143.207,81.171.24.61,81.171.58.49,81.171.85.84,81.17.30.208,81.17.31.250,81.57.126.72,81.95.140.244,82.102.216.128,82.127.48.23,82.185.231.221,82.193.124.36,82.202.245.51,82.211.49.197,82.213.2.18] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 36"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500070; rev:4467;)
alert ip [82.228.240.199,82.246.170.196,82.6.131.182,82.98.139.229,83.209.114.167,83.220.169.203,83.246.164.83,84.105.201.12,84.107.154.75,84.200.7.180,84.237.16.110,84.55.161.158,85.195.226.180,85.195.48.166,85.230.149.52,85.247.95.85,85.90.210.87,86.109.170.96,86.164.122.219,86.57.164.109,86.57.168.86,86.88.141.158,87.106.71.197,87.126.129.215,87.85.170.35,88.127.227.155,88.147.17.251,88.212.206.44,88.99.38.116,89.108.109.46] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 37"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500072; rev:4467;)
alert ip [89.108.87.179,89.212.50.176,89.216.97.113,89.225.201.101,89.239.24.62,89.250.84.2,89.251.98.4,89.38.98.6,89.38.98.66,89.87.178.129,90.137.13.61,90.176.140.1,90.84.45.108,91.121.117.6,91.121.14.122,91.134.133.251,91.134.214.132,91.197.232.103,91.197.232.109,92.113.108.27,92.177.78.25,92.220.16.32,92.222.77.85,92.87.236.139,92.87.236.17,92.87.236.189,93.103.212.84,93.170.190.94,93.171.247.91,93.174.89.85] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 38"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500074; rev:4467;)
alert ip [93.174.93.10,93.174.93.71,93.174.94.253,93.190.140.112,93.212.109.60,93.42.185.41,94.102.51.26,94.177.207.42,94.177.217.169,94.177.218.163,94.177.244.134,94.200.147.213,94.231.4.132,94.231.82.19,94.23.210.41,94.23.59.133,94.74.81.29,95.110.224.97,95.169.50.213,95.179.32.4,95.213.202.178,95.215.62.242,95.240.135.79,95.85.25.122,96.22.196.161,96.231.43.95,96.239.59.131,96.33.76.87,98.110.245.232,98.160.239.31] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 39"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500076; rev:4467;)
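Review bot: Every rule in this hunk is inbound-only (`any -> $HOME_NET any`) and the sids step by two (2500016, 2500018, ... 2500076), so nothing here covers `$HOME_NET` initiating contact with a listed host; if that direction was dropped on purpose, document it in the cookbook, since an internal host reaching out to a known-compromised address is usually the higher-fidelity signal. These lines are also a static copy of a reputation feed that upstream regenerates continuously, with `rev:4467` as the only version marker visible, so a converge-time fetch or a documented refresh cadence would keep the list from going stale silently. Note too that `alert ip` with no `flow` or protocol constraint fires on a single unsolicited packet from a listed source; the `threshold: type limit, track by_src, seconds 60, count 1` option is what keeps that to one alert per source per minute, so do not strip it if the rules are ever re-templated.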

View file

@ -0,0 +1,73 @@
#
# $Id: emerging-drop.rules $
# Emerging Threats Spamhaus DROP List rules.
#
# Rules to block Spamhaus DROP listed networks (www.spamhaus.org)
#
# More information available at www.emergingthreats.net
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# VERSION 2619
# Generated 2017-09-17 00:05:01 EDT
alert ip [5.134.128.0/19,5.157.0.0/18,14.4.0.0/14,23.226.48.0/20,23.246.128.0/18,23.251.224.0/19,24.51.0.0/19,24.233.0.0/19,27.126.160.0/20,31.11.43.0/24,31.184.238.0/24,31.222.200.0/21,36.0.8.0/21,36.37.48.0/20,36.93.0.0/16,36.116.0.0/16,36.119.0.0/16,36.255.212.0/22,37.18.42.0/24,37.139.49.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 1"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400000; rev:2619;)
alert ip [42.1.56.0/22,42.1.128.0/17,42.52.0.0/14,42.83.80.0/22,42.96.0.0/18,42.123.36.0/22,42.128.0.0/12,42.160.0.0/12,42.194.8.0/22,42.194.12.0/22,42.194.128.0/17,42.208.0.0/12,43.229.52.0/22,43.236.0.0/16,43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,43.252.180.0/22,45.4.128.0/22,45.4.136.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; rev:2619;)
alert ip [46.29.248.0/22,46.29.248.0/21,46.151.48.0/21,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,46.243.173.0/24,49.8.0.0/14,49.238.64.0/18,59.254.0.0/15,60.233.0.0/16,61.11.224.0/19,61.13.128.0/17,61.14.224.0/22,61.45.251.0/24,66.98.112.0/20,66.231.64.0/20,67.213.112.0/20,67.213.136.0/21,67.219.208.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 3"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400002; rev:2619;)
alert ip [79.110.17.0/24,79.110.18.0/24,79.110.19.0/24,79.110.25.0/24,79.173.104.0/21,83.175.0.0/18,84.238.160.0/22,85.93.5.0/24,85.121.39.0/24,86.55.40.0/23,86.55.42.0/23,91.194.254.0/23,91.200.12.0/22,91.200.248.0/22,91.207.4.0/22,91.209.12.0/24,91.212.104.0/24,91.212.124.0/24,91.213.126.0/24,91.217.10.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 4"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400003; rev:2619;)
alert ip [91.230.252.0/23,91.234.36.0/24,91.235.2.0/24,91.236.74.0/23,91.238.82.0/24,91.240.165.0/24,93.179.89.0/24,93.179.90.0/24,93.179.91.0/24,95.216.0.0/15,101.192.0.0/14,101.202.0.0/16,101.203.128.0/19,101.248.0.0/15,101.252.0.0/15,103.2.44.0/22,103.16.76.0/24,103.23.8.0/22,103.36.64.0/22,103.57.248.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 5"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400004; rev:2619;)
alert ip [103.197.8.0/22,103.205.84.0/22,103.207.160.0/22,103.210.12.0/22,103.215.80.0/22,103.227.4.0/22,103.228.8.0/22,103.229.36.0/22,103.229.40.0/22,103.230.144.0/22,103.231.84.0/22,103.232.136.0/22,103.232.172.0/22,103.236.32.0/22,103.239.56.0/22,104.36.184.0/22,104.153.96.0/21,104.153.112.0/21,104.153.244.0/22,104.160.224.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 6"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400005; rev:2619;)
alert ip [104.245.248.0/21,104.255.56.0/21,108.166.224.0/19,110.172.64.0/18,114.118.0.0/17,115.166.136.0/22,116.78.0.0/15,116.119.0.0/17,116.128.0.0/10,116.144.0.0/15,116.146.0.0/15,116.197.156.0/22,116.206.16.0/22,117.58.0.0/17,117.120.64.0/18,119.42.52.0/22,119.58.0.0/16,119.232.0.0/16,120.48.0.0/15,121.46.124.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 7"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400006; rev:2619;)
alert ip [124.70.0.0/15,124.157.0.0/18,124.242.0.0/16,125.31.192.0/18,125.58.0.0/18,125.169.0.0/16,128.13.0.0/16,128.85.0.0/16,128.94.0.0/16,128.168.0.0/16,128.188.0.0/16,130.148.0.0/16,130.196.0.0/16,130.222.0.0/16,131.72.208.0/22,131.108.16.0/22,131.108.232.0/22,131.200.0.0/16,134.18.0.0/16,134.22.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 8"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400007; rev:2619;)
alert ip [134.209.0.0/16,136.230.0.0/16,137.19.0.0/16,137.33.0.0/16,137.55.0.0/16,137.76.0.0/16,137.105.0.0/16,137.171.0.0/16,137.218.0.0/16,138.31.0.0/16,138.36.92.0/22,138.36.136.0/22,138.36.148.0/22,138.43.0.0/16,138.52.0.0/16,138.59.4.0/22,138.59.204.0/22,138.94.120.0/22,138.94.144.0/22,138.94.216.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 9"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400008; rev:2619;)
alert ip [138.216.0.0/16,138.228.0.0/16,138.249.0.0/16,139.45.0.0/16,139.136.0.0/16,139.188.0.0/16,140.143.128.0/17,140.167.0.0/16,141.94.0.0/15,141.101.132.0/24,141.101.201.0/24,141.136.22.0/24,141.136.27.0/24,141.178.0.0/16,141.253.0.0/16,142.4.160.0/19,142.102.0.0/16,143.0.236.0/22,143.49.0.0/16,143.64.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 10"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400009; rev:2619;)
alert ip [147.7.0.0/16,147.16.0.0/14,147.119.0.0/16,148.111.0.0/16,148.148.0.0/16,148.154.0.0/16,148.178.0.0/16,148.185.0.0/16,148.248.0.0/16,149.109.0.0/16,149.114.0.0/16,149.118.0.0/16,149.143.64.0/18,150.10.0.0/16,150.22.128.0/17,150.25.0.0/16,150.40.0.0/16,150.107.106.0/23,150.107.220.0/22,150.121.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 11"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400010; rev:2619;)
alert ip [150.242.36.0/22,150.242.100.0/22,150.242.120.0/22,150.242.144.0/22,151.123.0.0/16,151.192.0.0/16,151.212.0.0/16,151.237.176.0/20,151.237.184.0/22,152.109.0.0/16,152.136.0.0/16,152.147.0.0/16,153.14.0.0/16,153.52.0.0/14,153.93.0.0/16,155.11.0.0/16,155.40.0.0/16,155.66.0.0/16,155.73.0.0/16,155.108.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 12"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400011; rev:2619;)
alert ip [157.195.0.0/16,157.231.0.0/16,157.232.0.0/16,158.54.0.0/16,158.90.0.0/17,158.249.0.0/16,159.65.0.0/16,159.80.0.0/16,159.85.0.0/16,159.111.0.0/16,159.151.0.0/16,159.174.0.0/16,159.219.0.0/16,159.223.0.0/16,159.229.0.0/16,160.14.0.0/16,160.21.0.0/16,160.117.0.0/16,160.180.0.0/16,160.181.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 13"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400012; rev:2619;)
alert ip [161.0.68.0/22,161.66.0.0/16,161.70.0.0/16,161.71.0.0/16,161.189.0.0/16,161.232.0.0/16,162.208.124.0/22,162.212.188.0/22,162.213.128.0/22,162.213.232.0/22,162.219.32.0/21,162.222.148.0/22,162.245.124.0/22,162.254.72.0/21,163.47.19.0/24,163.50.0.0/16,163.53.247.0/24,163.59.0.0/16,163.250.0.0/16,163.254.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 14"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400013; rev:2619;)
alert ip [165.192.0.0/16,165.205.0.0/16,165.209.0.0/16,166.117.0.0/16,167.74.0.0/18,167.87.0.0/16,167.97.0.0/16,167.103.0.0/16,167.158.0.0/16,167.162.0.0/16,167.175.0.0/16,167.224.0.0/19,168.64.0.0/16,168.90.108.0/22,168.129.0.0/16,168.181.52.0/22,170.67.0.0/16,170.113.0.0/16,170.114.0.0/16,170.120.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 15"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400014; rev:2619;)
alert ip [172.96.16.0/22,172.103.40.0/21,172.103.64.0/18,173.228.160.0/19,173.246.160.0/19,175.103.64.0/18,176.61.136.0/22,176.61.136.0/21,176.65.128.0/19,176.97.116.0/22,177.36.16.0/20,177.74.160.0/20,177.91.0.0/22,177.234.136.0/21,178.16.80.0/20,178.216.48.0/21,179.42.64.0/19,180.178.192.0/18,180.236.0.0/14,181.118.32.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 16"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400015; rev:2619;)
alert ip [185.35.136.0/22,185.46.84.0/22,185.50.250.0/24,185.50.251.0/24,185.64.20.0/22,185.68.156.0/22,185.72.68.0/22,185.93.185.0/24,185.93.187.0/24,185.103.72.0/22,185.106.94.0/24,185.127.24.0/22,185.129.148.0/23,185.132.4.0/22,185.133.20.0/22,185.134.20.0/22,185.135.184.0/22,185.137.219.0/24,185.141.188.0/22,185.146.20.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 17"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400016; rev:2619;)
alert ip [185.149.112.0/22,185.150.84.0/22,185.151.48.0/22,185.151.60.0/22,185.152.36.0/22,185.152.248.0/22,185.154.20.0/22,185.155.52.0/22,185.156.88.0/21,185.156.92.0/22,185.159.36.0/22,185.159.37.0/24,185.159.68.0/22,185.166.216.0/22,185.167.116.0/22,185.171.120.0/22,185.173.44.0/22,185.175.140.0/22,185.180.124.0/22,185.184.192.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 18"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400017; rev:2619;)
alert ip [185.198.212.0/22,185.202.88.0/22,185.204.236.0/22,185.205.68.0/22,185.208.128.0/22,186.1.128.0/19,186.65.112.0/20,186.96.96.0/19,188.72.96.0/24,188.72.126.0/24,188.72.127.0/24,188.172.160.0/19,188.239.128.0/18,188.247.135.0/24,188.247.230.0/24,189.213.128.0/17,190.2.208.0/21,190.9.48.0/21,190.99.80.0/21,190.123.208.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 19"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400018; rev:2619;)
alert ip [192.40.29.0/24,192.43.153.0/24,192.43.154.0/23,192.43.156.0/22,192.43.160.0/24,192.43.175.0/24,192.43.176.0/21,192.43.184.0/24,192.46.192.0/18,192.54.110.0/24,192.67.16.0/24,192.67.160.0/22,192.86.85.0/24,192.88.74.0/24,192.100.142.0/24,192.101.44.0/24,192.101.181.0/24,192.101.200.0/21,192.101.240.0/21,192.101.248.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 20"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400019; rev:2619;)
alert ip [192.158.51.0/24,192.160.44.0/24,192.190.49.0/24,192.190.97.0/24,192.195.150.0/24,192.197.87.0/24,192.203.252.0/24,192.206.114.0/24,192.206.183.0/24,192.219.120.0/21,192.219.128.0/18,192.219.192.0/20,192.219.208.0/21,192.225.96.0/20,192.226.16.0/20,192.229.32.0/19,192.231.66.0/24,192.234.189.0/24,192.245.101.0/24,193.9.158.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 21"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400020; rev:2619;)
alert ip [193.177.64.0/18,193.243.0.0/17,194.1.152.0/24,194.29.185.0/24,195.182.57.0/24,195.190.13.0/24,195.191.56.0/23,195.191.102.0/23,195.225.176.0/22,196.1.109.0/24,196.42.128.0/17,196.61.240.0/20,196.63.0.0/16,196.164.0.0/15,196.193.0.0/16,196.196.0.0/16,196.197.0.0/16,196.198.0.0/16,196.199.0.0/16,196.240.0.0/15] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 22"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400021; rev:2619;)
alert ip [198.13.0.0/20,198.14.128.0/19,198.14.160.0/19,198.20.16.0/20,198.44.192.0/20,198.45.32.0/20,198.45.64.0/19,198.56.64.0/18,198.57.64.0/20,198.62.70.0/24,198.62.76.0/24,198.96.224.0/20,198.99.117.0/24,198.102.222.0/24,198.148.212.0/24,198.151.16.0/20,198.151.64.0/18,198.151.152.0/22,198.160.205.0/24,198.169.201.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 23"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400022; rev:2619;)
alert ip [198.179.22.0/24,198.181.64.0/19,198.181.96.0/20,198.183.32.0/19,198.184.193.0/24,198.184.208.0/24,198.186.25.0/24,198.186.208.0/24,198.187.64.0/18,198.187.192.0/24,198.190.173.0/24,198.199.212.0/24,198.202.237.0/24,198.204.0.0/21,198.206.140.0/24,198.212.132.0/24,199.5.152.0/23,199.5.229.0/24,199.10.64.0/24,199.26.137.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 24"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400023; rev:2619;)
alert ip [199.58.248.0/21,199.60.102.0/24,199.71.56.0/21,199.71.192.0/20,199.84.55.0/24,199.84.56.0/22,199.84.60.0/24,199.84.64.0/19,199.87.208.0/21,199.88.32.0/20,199.88.48.0/22,199.89.16.0/20,199.89.198.0/24,199.120.163.0/24,199.165.32.0/19,199.166.200.0/22,199.184.82.0/24,199.185.192.0/20,199.196.192.0/19,199.198.160.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 25"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400024; rev:2619;)
alert ip [199.223.0.0/20,199.230.64.0/19,199.230.96.0/21,199.233.85.0/24,199.233.96.0/24,199.241.64.0/19,199.244.56.0/21,199.245.138.0/24,199.246.137.0/24,199.246.213.0/24,199.246.215.0/24,199.248.64.0/18,199.249.64.0/19,199.253.32.0/20,199.253.48.0/21,199.253.224.0/20,199.254.32.0/20,200.0.60.0/23,200.3.128.0/20,200.22.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 26"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400025; rev:2619;)
alert ip [202.20.32.0/19,202.21.64.0/19,202.27.96.0/23,202.27.98.0/24,202.27.99.0/24,202.27.100.0/22,202.27.120.0/22,202.27.161.0/24,202.27.162.0/23,202.27.164.0/22,202.27.168.0/24,202.39.112.0/20,202.40.32.0/19,202.40.64.0/18,202.68.0.0/18,202.86.0.0/22,202.148.32.0/20,202.148.176.0/20,202.183.0.0/19,202.189.80.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 27"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400026; rev:2619;)
alert ip [203.34.252.0/23,203.86.252.0/22,203.148.80.0/22,203.149.92.0/22,203.169.0.0/22,203.189.112.0/22,203.191.64.0/18,204.19.38.0/23,204.44.32.0/20,204.44.192.0/20,204.44.224.0/20,204.48.16.0/20,204.52.255.0/24,204.57.16.0/20,204.75.147.0/24,204.75.228.0/24,204.80.198.0/24,204.86.16.0/20,204.87.199.0/24,204.89.224.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 28"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400027; rev:2619;)
alert ip [204.128.180.0/24,204.130.16.0/20,204.130.167.0/24,204.147.64.0/21,204.187.155.0/24,204.187.156.0/22,204.187.160.0/19,204.187.192.0/19,204.187.224.0/20,204.187.240.0/21,204.187.248.0/22,204.187.252.0/23,204.187.254.0/24,204.194.64.0/21,204.194.184.0/21,204.225.16.0/20,204.225.159.0/24,204.225.210.0/24,204.232.0.0/18,204.238.137.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 29"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400028; rev:2619;)
alert ip [205.144.176.0/20,205.148.128.0/18,205.148.192.0/18,205.151.128.0/19,205.159.45.0/24,205.159.174.0/24,205.159.180.0/24,205.166.77.0/24,205.166.84.0/24,205.166.130.0/24,205.166.168.0/24,205.166.211.0/24,205.172.176.0/22,205.172.244.0/22,205.175.160.0/19,205.189.71.0/24,205.189.72.0/23,205.203.0.0/19,205.203.224.0/19,205.207.134.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 30"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400029; rev:2619;)
alert ip [205.214.128.0/19,205.233.224.0/20,205.236.185.0/24,205.236.189.0/24,205.237.88.0/21,206.41.160.0/19,206.51.29.0/24,206.81.0.0/19,206.130.4.0/23,206.130.188.0/24,206.143.128.0/17,206.189.0.0/16,206.195.224.0/19,206.197.28.0/24,206.197.29.0/24,206.197.77.0/24,206.197.165.0/24,206.203.64.0/18,206.209.80.0/20,206.224.160.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 31"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400030; rev:2619;)
alert ip [207.32.208.0/20,207.45.224.0/20,207.110.64.0/18,207.110.96.0/19,207.110.128.0/18,207.177.128.0/18,207.178.64.0/19,207.183.192.0/19,207.226.192.0/20,207.234.0.0/17,208.93.4.0/22,208.117.88.0/22,208.117.92.0/24,209.51.32.0/20,209.54.160.0/19,209.66.128.0/19,209.95.192.0/19,209.97.128.0/18,209.99.128.0/18,209.145.0.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 32"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400031; rev:2619;)
alert ip [209.182.64.0/19,209.229.0.0/16,209.242.192.0/19,212.92.127.0/24,216.47.96.0/20,216.152.240.0/20,216.183.208.0/20,220.154.0.0/16,221.132.192.0/18,223.0.0.0/15,223.169.0.0/16,223.173.0.0/16,223.201.0.0/16,223.254.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 33"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400032; rev:2619;)
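Review bot: these rules only alert, they never block, despite the "ET DROP" prefix in every msg: the action on each line is `alert ip [...] any -> $HOME_NET any`, so in IPS mode nothing from the listed ranges is dropped unless the action is rewritten to `drop` or the ET.DROPIP flowbit each rule sets is consumed by a drop rule elsewhere in the ruleset. The address lists themselves are a point-in-time copy of the Spamhaus feed each rule references (`reference:url,www.spamhaus.org/drop/drop.lasso`, all at rev:2619), so committing them freezes the list at whatever the feed contained when the file was captured; fetch the ET Open ruleset at provisioning time with a pinned checksum instead of vendoring it, so groups 15 through 33 track the live feed. Also note that `threshold: type limit, track by_src, seconds 3600, count 1` reduces each listed source to one event per hour, which is fine for a block-list indicator but means the alert count is not a measure of volume.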


@ -0,0 +1,35 @@
#
# $Id: emerging-dshield.rules $
# Emerging Threats Dshield rules.
#
# Rules to block Dshield identified Top Attackers (www.dshield.org)
#
# More information available at www.emergingthreats.net
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2014, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
alert ip [61.174.51.0/24,94.102.49.0/24,185.5.174.0/24,116.10.191.0/24,218.77.79.0/24,74.82.47.0/24,184.105.247.0/24,93.180.5.0/24,93.174.93.0/24,80.82.70.0/24,184.105.139.0/24,198.20.69.0/24,124.232.142.0/24,71.6.167.0/24,66.240.192.0/24,71.6.165.0/24,198.20.99.0/24,190.139.61.0/24,66.240.236.0/24,162.253.66.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feed.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:3403;)
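Review bot: the copyright header here reads 2003-2014 while the DNS ruleset header that follows reads 2003-2017, so this commit mixes ET Open files captured years apart; sids, revs and the shared flowbit names (ET.Evil, set here alongside ET.DshieldIP) are only guaranteed consistent within one ruleset release, so take every emerging-*.rules file from the same release, preferably downloaded at provisioning time rather than committed. The single rule in this file (sid:2402000, rev:3403) hard-codes twenty /24s from feed.dshield.org/block.txt; that feed turns over continuously, so a vendored copy is stale on arrival, and like the Spamhaus rules above it only alerts (one event per source per hour via the threshold) rather than dropping anything, in spite of the "Block Listed Source" wording in the msg.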


@ -0,0 +1,198 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
#alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008446; classtype:bad-unknown; sid:2008446; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 50, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008470; classtype:bad-unknown; sid:2008470; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src,count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008447; classtype:bad-unknown; sid:2008447; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src, count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008475; classtype:bad-unknown; sid:2008475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Format error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; reference:url,doc.emergingthreats.net/2001116; classtype:not-suspicious; sid:2001116; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Name Error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; reference:url,doc.emergingthreats.net/2001117; classtype:not-suspicious; sid:2001117; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Not Implemented"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; reference:url,doc.emergingthreats.net/2001118; classtype:not-suspicious; sid:2001118; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Refused"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; reference:url,doc.emergingthreats.net/2001119; classtype:not-suspicious; sid:2001119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100258; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100259; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:2100261; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103153; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:2101435; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2100255; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:2100253; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:2100254; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103154; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10728; classtype:attempted-recon; sid:2100256; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:2100252; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10028; classtype:attempted-recon; sid:2101616; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2101948; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:3; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Hiloti DNS CnC Channel Successful Install Message"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|empty"; nocase; distance:0; content:"|0C|explorer_exe"; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:bad-unknown; sid:2011911; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for a Suspicious Malware Related Numerical .in Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012115; rev:6; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a .tk domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|tk|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012811; rev:2; metadata:created_at 2011_05_15, updated_at 2011_05_15;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query to a Suspicious *.vv.cc domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|vv|02|cc|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012826; rev:1; metadata:created_at 2011_05_19, updated_at 2011_05_19;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.ae.am domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ae|02|am"; fast_pattern; classtype:bad-unknown; sid:2012900; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for a Suspicious *.noc.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noc|02|su"; fast_pattern:only; classtype:bad-unknown; sid:2012901; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.be.ma domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|be|02|ma"; fast_pattern; distance:0; classtype:bad-unknown; sid:2012902; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.qc.cx domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|qc|02|cx"; fast_pattern; classtype:bad-unknown; sid:2012903; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.co.tv domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|tv"; fast_pattern; classtype:bad-unknown; sid:2012956; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Illegal Drug Sales Site (SilkRoad)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ianxz6zefk72ulzz|05|onion"; classtype:policy-violation; sid:2013016; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.be Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|be"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013124; rev:3; metadata:created_at 2011_06_28, updated_at 2011_06_28;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.cu.cc domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cu|02|cc"; fast_pattern; classtype:bad-unknown; sid:2013172; rev:2; metadata:created_at 2011_07_02, updated_at 2011_07_02;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .net.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|net|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013847; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .eu.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|eu|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013848; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .int.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|int|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013849; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .edu.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|edu|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013850; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .us.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|us|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013851; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ca.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ca|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013852; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .bg.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|bg|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013853; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ru.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013854; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .pl.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pl|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013855; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .cz.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013856; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .de.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|de|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013857; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .at.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|at|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013858; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ch.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013859; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .sg.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|sg|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013860; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .nl.ai Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|nl|02|ai"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013861; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .xe.cx Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|xe|02|cx"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013862; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; content:"|06|google|03|com|02|br|00|"; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; classtype:bad-unknown; sid:2013894; rev:5; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .noip.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noip|02|cn|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013970; rev:1; metadata:created_at 2011_11_28, updated_at 2011_11_28;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for .su TLD (Soviet Union) Often Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|su|00|"; fast_pattern; distance:0; nocase; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014169; rev:1; metadata:created_at 2012_01_31, updated_at 2012_01_31;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for Suspicious .ch.vu Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|vu"; fast_pattern; nocase; distance:0; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:4; metadata:created_at 2012_02_27, updated_at 2012_02_27;)
alert udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:12; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for a Suspicious *.upas.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|upas|02|su|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2015550; rev:1; metadata:created_at 2012_07_31, updated_at 2012_07_31;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:4; metadata:created_at 2013_02_14, updated_at 2013_02_14;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Dr. Web"; content:"|00 01 00 01|"; content:"|00 04 5b e9 f4 6a|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016418; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Zinkhole.org"; content:"|00 01 00 01|"; content:"|00 04 b0 1f 3e 4c|"; distance:4; within:6; classtype:trojan-activity; sid:2016419; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - German Company"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 a7|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016420; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 1and1 Internet AG"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 d2|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016421; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (1)"; content:"|00 01 00 01|"; content:"|00 04 c6 3d e3 06|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016422; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (2)"; content:"|00 01 00 01|"; content:"|00 04 32 3e 0c 67|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016423; rev:6; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016569; rev:3; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016570; rev:2; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016571; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 6a bb 60 31|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:6; metadata:created_at 2013_03_18, updated_at 2013_03_18;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pw|00|"; fast_pattern; nocase; distance:0; content:!"|01|u|02|pw|00|"; nocase; classtype:bad-unknown; sid:2016778; rev:4; metadata:created_at 2013_04_19, updated_at 2013_04_19;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DNS DNS Query for vpnoverdns - indicates DNS tunnelling"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|tun|10|vpnoverdns|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,osint.bambenekconsulting.com/manual/vpnoverdns.txt; classtype:bad-unknown; sid:2018438; rev:2; metadata:created_at 2014_05_01, updated_at 2014_05_01;)
alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234"; content:"|00 01 00 01|"; content:"|00 04 8e 00 24 ea|"; distance:4; within:6; classtype:trojan-activity; sid:2018517; rev:1; metadata:created_at 2014_06_03, updated_at 2014_06_03;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query to a *.top domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|top|00|"; fast_pattern; nocase; distance:0; threshold:type limit, track by_src, count 1, seconds 30; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023883; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_07, updated_at 2017_02_07;)
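Review bot: the destination network is inconsistent across this block, and it decides where these rules can fire at all. sids 2014285, 2015550, 2016569 to 2016571 and 2023883 use `$HOME_NET any -> any 53`, so they trigger on client queries to an internal resolver, while the rest use `$HOME_NET any -> $EXTERNAL_NET 53`, which on a sensor in a split-horizon deployment only ever sees the resolver's own upstream queries (resolver as source) and never the originating client. Settle on one convention, or define $EXTERNAL_NET and $DNS_SERVERS so both paths are covered, before relying on the .su (2014169) and .pw (2016778) rules for attribution to a host. Also note that 2016778 and 2023883 match every query under the *.pw and *.top TLDs; only 2023883 is thresholded (`threshold:type limit, track by_src, count 1, seconds 30`), so expect volume and consider moving both to a low-priority category. The sinkhole-reply rules (2016413 to 2016423, 2016591, 2018517) match a hard-coded IPv4 address in the answer RR and carry 2013/2014 dates; confirm those addresses are still the sinkholes before treating a hit as trojan-activity.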

View file

@ -0,0 +1,254 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
#alert udp any any -> any 53 (msg:"ET DOS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; offset:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; reference:url,doc.emergingthreats.net/2009701; classtype:attempted-dos; sid:2009701; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET DOS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; reference:url,doc.emergingthreats.net/2010624; classtype:attempted-dos; sid:2010624; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DOS Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; flow:established,to_server; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010817; classtype:attempted-dos; sid:2010817; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000010; classtype:attempted-dos; sid:2000010; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Catalyst memory leak attack"; flow: to_server,established; content:"|41 41 41 0a|"; depth: 20; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000011; classtype:attempted-dos; sid:2000011; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco Router HTTP DoS"; flow:to_server,established; content:"/%%"; http_uri; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype:attempted-dos; sid:2000006; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/screens/frameset.html"; fast_pattern; http_uri; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/^Authorization\x3A Basic.{120}/Hmi"; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; classtype:attempted-dos; sid:2010674; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; reference:url,doc.emergingthreats.net/2010755; classtype:attempted-dos; sid:2010755; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 00 00 00 00 00|"; offset:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; reference:url,doc.emergingthreats.net/bin/view/Main/2002853; classtype:attempted-dos; sid:2002853; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; distance:0; within:18; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; classtype:attempted-dos; sid:2002843; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,6; byte_test:2,!=,0,7; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,doc.emergingthreats.net/bin/view/Main/2001882; classtype:denial-of-service; sid:2001882; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flow: established,to_server; content:"|10 00 00 10 cc|"; depth:5; reference:bugtraq,11265; reference:url,doc.emergingthreats.net/bin/view/Main/2001366; classtype:attempted-dos; sid:2001366; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DOS NetrWkstaUserEnum Request with large Preferred Max Len"; flow:established,to_server; content:"|ff|SMB"; content:"|10 00 00 00|"; distance:0; content:"|02 00|"; distance:14; within:2; byte_jump:4,12,relative,little,multiplier 2; content:"|00 00 00 00 00 00 00 00|"; distance:12; within:8; byte_test:4,>,2,0,relative; reference:cve,2006-6723; reference:url,doc.emergingthreats.net/bin/view/Main/2003236; classtype:attempted-dos; sid:2003236; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM|3a|"; nocase; window: 0; id:0; threshold: type limit, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2001795; classtype:denial-of-service; sid:2001795; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"geometrycollectionfromwkb"; distance:0; nocase; pcre:"/SELECT.+geometrycollectionfromwkb/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010491; classtype:attempted-dos; sid:2010491; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"WHERE"; distance:0; nocase; content:"SELECT"; nocase; content:"INTO"; distance:0; nocase; content:"|60|"; within:50; content:"|60|"; pcre:"/SELECT.+WHERE.+SELECT.+\x60/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297-2.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010492; classtype:attempted-dos; sid:2010492; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MySQL ALTER DATABASE Denial Of Service Attempt"; flow:established,to_server; content:"ALTER "; nocase; content:"DATABASE"; nocase; within:12; content:"|22|."; distance:0; content:"UPGRADE "; nocase; distance:0; content:"DATA"; nocase; within:8; pcre:"/ALTER.+DATABASE.+\x22\x2E(\x22|\x2E\x22|\x2E\x2E\x2F\x22).+UPGRADE.+DATA/si"; reference:url,securitytracker.com/alerts/2010/Jun/1024160.html; reference:url,dev.mysql.com/doc/refman/5.1/en/alter-database.html; reference:cve,2010-2008; reference:url,doc.emergingthreats.net/2011761; classtype:attempted-dos; sid:2011761; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Netgear DG632 Web Management Denial Of Service Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/firmwarecfg"; http_uri; nocase; reference:url, securitytracker.com/alerts/2009/Jun/1022403.html; reference:cve,2009-2256; reference:url,doc.emergingthreats.net/2010554; classtype:attempted-dos; sid:2010554; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack"; flags:A; window:0; threshold: type both, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009414; classtype:attempted-dos; sid:2009414; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010486; classtype:attempted-dos; sid:2010486; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010487; classtype:attempted-dos; sid:2010487; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt"; content:"|00 01 01|"; depth:3; content:"NETASCII"; reference:url,www.exploit-db.com/exploits/12683/; reference:url,doc.emergingthreats.net/2011673; classtype:attempted-dos; sid:2011673; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS SolarWinds TFTP Server Long Write Request Denial Of Service Attempt"; content:"|00 02|"; depth:2; isdataat:1000,relative; content:!"|0A|"; within:1000; content:"NETASCII"; distance:1000; reference:url,www.exploit-db.com/exploits/13836/; reference:url,doc.emergingthreats.net/2011674; classtype:attempted-dos; sid:2011674; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"ET DOS Possible VNC ClientCutText Message Denial of Service/Memory Corruption Attempt"; flow:established,to_server; content:"|06|"; depth:1; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.fortiguard.com/encyclopedia/vulnerability/vnc.server.clientcuttext.message.memory.corruption.html; reference:url,doc.emergingthreats.net/2011732; classtype:attempted-dos; sid:2011732; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:2100272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:2100268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp any any -> $HOME_NET 3000 (msg:"ET DOS ntop Basic-Auth DOS inbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011511; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert tcp $HOME_NET any -> any 3000 (msg:"ET DOS ntop Basic-Auth DOS outbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011512; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound"; flow:established,to_server; content:"User-agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| ru|3b| rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011821; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound"; flow:established,to_server; content:"User-agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| ru|3b| rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011822; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound 2"; flow:established,to_server; content:"User-agent|3a| Opera/9.02 (Windows NT 5.1|3b| U|3b| ru)"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011823; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound 2"; flow:established,to_server; content:"User-agent|3a| Opera/9.02 (Windows NT 5.1|3b| U|3b| ru)"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011824; rev:4; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS"; flow:to_server,established; content:"hihihihihihihihihihihihihihihihi"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012048; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
alert http $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; isdataat:261; content:!"|0A|"; depth:261; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:2; metadata:created_at 2011_06_07, updated_at 2011_06_07;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"22C83263-E4B8-4233-82CD-FB047C6BF13E"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22C83263-E4B8-4233-82CD-FB047C6BF13E/si"; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:web-application-attack; sid:2013462; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SkypePNRLib.PNR"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:attempted-user; sid:2013463; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS LOIC Javascript DDoS Outbound"; flow:established,to_server; content:"GET"; http_method; content:"/?id="; fast_pattern; http_uri; depth:5; content:"&msg="; http_uri; distance:13; within:5; pcre:"/^\/\?id=[0-9]{13}&msg=/U"; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014141; rev:5; metadata:created_at 2012_01_23, updated_at 2012_01_23;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; content:"User-Agent|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; fast_pattern:only; threshold: type both, track by_src, count 225, seconds 60; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:5; metadata:created_at 2012_01_27, updated_at 2012_01_27;)
alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:5; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Session Established Flowbit Set"; flow:to_server,established; flowbits:isset,ms.rdp.synack; flowbits:unset,ms.rdp.synack; flowbits:set,ms.rdp.established; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014386; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
#alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; byte_test:1,&,0x08,2; content:"|03|"; offset:20; depth:1; byte_test:1,&,0x40,2,relative; byte_test:1,&,0x80,2,relative; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; rev:3; metadata:created_at 2012_07_02, updated_at 2012_07_02;)
alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8; metadata:created_at 2012_12_11, updated_at 2012_12_11;)
#alert udp $HOME_NET 53 -> any any (msg:"ET DOS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:7; metadata:created_at 2012_12_11, updated_at 2012_12_11;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC POST"; flow:established,to_server; content:"POST"; http_method; content:"13"; depth:2; http_client_body; content:"=MSG"; fast_pattern; http_client_body; distance:11; within:4; pcre:"/^13\d{11}/P"; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016030; rev:4; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC GET"; flow:established,to_server; content:"GET"; http_method; content:"/?msg=MSG"; http_uri; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016031; rev:3; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*uuid\x3a[^\r\n\x3a]{181}/Ri"; reference:cve,CVE-2012-5963; classtype:attempted-dos; sid:2016323; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern:only; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS CVE-2013-0230 Miniupnpd SoapAction MethodName Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|SOAPAction|3a|"; nocase; distance:0; pcre:"/^[^\r\n]+#[^\x22\r\n]{2049}/R"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0230; classtype:attempted-dos; sid:2016364; rev:1; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
#alert http any any -> $HOME_NET 3128 (msg:"ET DOS Squid-3.3.5 DoS"; flow:established,to_server; content:"Host|3a| "; http_header; pcre:"/^Host\x3a[^\x3a\r\n]+?\x3a[^\r\n]{6}/Hmi"; classtype:attempted-dos; sid:2017154; rev:2; metadata:created_at 2013_07_16, updated_at 2013_07_16;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound"; flow:established,to_server; content:"POST"; http_method; content:"Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:24,9; http_user_agent; content:"login="; http_client_body; depth:6; content:"$pass="; http_client_body; within:50; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:attempted-dos; sid:2017722; rev:3; metadata:created_at 2013_11_14, updated_at 2013_11_14;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Inbound GoldenEye DoS attack"; flow:established,to_server; content:"/?"; fast_pattern; http_uri; depth:2; content:"="; http_uri; distance:3; within:11; pcre:"/^\/\?[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20}(?:&[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20})*?$/U"; content:"Keep|2d|Alive|3a|"; http_header; content:"Connection|3a| keep|2d|alive"; http_header; content:"Cache|2d|Control|3a|"; http_header; pcre:"/^Cache-Control\x3a\x20(?:max-age=0|no-cache)\r?$/Hm"; content:"Accept|2d|Encoding|3a|"; http_header; threshold: type both, track by_src, count 100, seconds 300; reference:url,github.com/jseidl/GoldenEye; classtype:denial-of-service; sid:2018208; rev:2; metadata:created_at 2014_03_04, updated_at 2014_03_04;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Possible WordPress Pingback DDoS in Progress (Inbound)"; flow:established,to_server; content:"/xmlrpc.php"; http_uri; nocase; content:"pingback.ping"; nocase; http_client_body; fast_pattern; threshold:type both, track by_src, count 5, seconds 90; classtype:attempted-dos; sid:2018277; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2014_03_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS HOIC with booster outbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_src; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018977; rev:3; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS HOIC with booster inbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_dst; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018978; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1; metadata:created_at 2014_09_02, updated_at 2014_09_02;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019346; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS HTTP GET AAAAAAAA Likely FireFlood"; flow:to_server,established; content:"GET AAAAAAAA HTTP/1.1"; content:!"Referer|3a|"; distance:0; content:!"Accept"; distance:0; content:!"|0d 0a|"; distance:0; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019347; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonMafiaIC DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.0|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019348; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonGhost DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.1|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019349; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely GoodBye 5.2 DDoS tool"; flow:to_server,established; dsize:<50; content:"|20|HTTP/1.1Host|3a 20|"; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019350; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
#alert tcp $EXTERNAL_NET 10000: -> $HOME_NET 0:1023 (msg:"ET DOS Potential Tsunami SYN Flood Denial Of Service Attempt"; flags:S; flow:to_server; dsize:>900; threshold: type both, count 20, seconds 120, track by_src; reference:url,security.radware.com/uploadedFiles/Resources_and_Content/Threat/TsunamiSYNFloodAttack.pdf; classtype:attempted-dos; sid:2019404; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
alert udp $HOME_NET 1434 -> $EXTERNAL_NET any (msg:"ET DOS MC-SQLR Response Outbound Possible DDoS Participation"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_src,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020305; rev:4; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
alert udp $EXTERNAL_NET 1434 -> $HOME_NET any (msg:"ET DOS MC-SQLR Response Inbound Possible DDoS Target"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_dst,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020306; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Bittorrent User-Agent inbound - possible DDOS"; flow:established,to_server; content:"User-Agent|3a| Bittorrent"; http_header; threshold: type both, count 1, seconds 60, track by_src; reference:url,torrentfreak.com/zombie-pirate-bay-tracker-fuels-chinese-ddos-attacks-150124/; classtype:attempted-dos; sid:2020702; rev:2; metadata:created_at 2015_03_18, updated_at 2015_03_18;)
alert udp $HOME_NET 5093 -> $EXTERNAL_NET any (msg:"ET DOS Possible Sentinal LM Application attack in progress Outbound (Response)"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021170; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
alert udp $EXTERNAL_NET 5093 -> $HOME_NET any (msg:"ET DOS Possible Sentinal LM Amplification attack (Response) Inbound"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021171; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"ET DOS Possible Sentinal LM Amplification attack (Request) Inbound"; dsize:6; content:"|7a 00 00 00 00 00|"; threshold: type both,track by_dst,count 10,seconds 60; classtype:attempted-dos; sid:2021172; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Linux/Tsunami DOS User-Agent (x00_-gawa.sa.pilipinas.2015) INBOUND"; flow:to_server,established; content:"x00_-gawa.sa.pilipinas.2015"; http_user_agent; reference:url,vms.drweb.com/virus/?i=4656268; classtype:attempted-dos; sid:2022760; rev:2; metadata:created_at 2016_04_26, updated_at 2016_04_26;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Inbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023053; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
alert udp $HOME_NET 53 -> $EXTERNAL_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Outbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023054; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
alert tcp any any -> $HOME_NET 445 (msg:"ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)"; flow:established,to_server; content:"|FF|SMB|73|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; byte_test:1,&,0x08,6,relative; byte_test:1,&,0x10,5,relative; byte_test:1,&,0x04,5,relative; byte_test:1,&,0x02,5,relative; byte_test:1,&,0x01,5,relative; content:"|ff 00|"; distance:28; within:2; content:"|84|"; distance:25; within:1; content:"NTLMSSP"; fast_pattern; within:64; reference:url,github.com/lgandx/PoC/tree/master/LSASS; reference:url,support.microsoft.com/en-us/kb/3216771; reference:url,support.microsoft.com/en-us/kb/3199173; reference:cve,2017-0004; reference:url,technet.microsoft.com/library/security/MS17-004; classtype:attempted-dos; sid:2023497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Major, created_at 2016_11_11, performance_impact Low, updated_at 2017_01_12;)
alert tcp any 445 -> $HOME_NET any (msg:"ET DOS Excessive Large Tree Connect Response"; flow:from_server,established; byte_test: 3,>,1000,1; content: "|fe 53 4d 42 40 00|"; offset: 4; depth: 6; content: "|03 00|"; offset: 16; depth:2; reference:url,isc.sans.edu/forums/diary/Windows+SMBv3+Denial+of+Service+Proof+of+Concept+0+Day+Exploit/22029/; classtype:attempted-dos; sid:2023831; rev:2; metadata:affected_product SMBv3, attack_target Client_and_Server, deployment Datacenter, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)
alert tcp any 445 -> $HOME_NET any (msg:"ET DOS SMB Tree_Connect Stack Overflow Attempt (CVE-2017-0016)"; flow:from_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|03 00|"; distance:8; within:2; byte_test:1,&,1,2,relative; byte_jump:2,8,little,from_beginning; byte_jump:2,4,relative,little; isdataat:1000,relative; content:!"|FE|SMB"; within:1000; reference:cve,2017-0016; classtype:attempted-dos; sid:2023832; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, deployment Datacenter, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_07;)
#alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS Possible SMBLoris NBSS Length Mem Exhaustion Vuln Inbound"; flow:established,to_server; content:"|00 01|"; depth:2; threshold:type both,track by_dst,count 3, seconds 90; metadata: former_category DOS; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Internal, signature_severity Major, created_at 2017_08_02, performance_impact Significant, updated_at 2017_08_02;)
alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS SMBLoris NBSS Length Mem Exhaustion Attempt (PoC Based)"; flow:established,to_server; content:"|00 01 ff ff|"; depth:4; threshold:type both,track by_dst,count 30, seconds 300; metadata: former_category DOS; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Internal, signature_severity Major, created_at 2017_08_02, performance_impact Significant, updated_at 2017_08_03;)
alert udp $EXTERNAL_NET 389 -> $HOME_NET 389 (msg:"ET DOS CLDAP Amplification Reflection (PoC based)"; dsize:52; content:"|30 84 00 00 00 2d 02 01 01 63 84 00 00 00 24 04 00 0a 01 00|"; fast_pattern; threshold:type both, count 100, seconds 60, track by_src; metadata: former_category DOS; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2017_08_16, performance_impact Significant, updated_at 2017_08_16;)
alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"ET DOS Potential CLDAP Amplification Reflection"; content:"objectclass0"; fast_pattern; threshold:type both, count 200, seconds 60, track by_src; metadata: former_category DOS; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2017_08_16, performance_impact Significant, updated_at 2017_08_16;)
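Review bot: the enable/disable choice for the two SMBLoris rules is undocumented: sid 2024510 (the generic `|00 01|` NBSS-length rule, threshold 3 in 90 s) is committed commented out while sid 2024511 (the PoC-based `|00 01 ff ff|` variant, threshold 30 in 300 s) stays active, and both carry `performance_impact Significant`. If the generic one was disabled deliberately to avoid false positives and sensor load on an SMB-heavy segment, say so in a `#` comment above it or in the commit message, so that the next person tuning this file does not simply uncomment it. The same applies to the CLDAP pair: sid 2024584 is an exact PoC match (`dsize:52`, fixed BER prefix) and sid 2024585 is the broad `objectclass0` catch-all with a higher threshold; a one-line note on which of the two is expected to fire in normal operation would help whoever triages these alerts.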

File diff suppressed because it is too large


@ -0,0 +1,409 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009246; classtype:shellcode-detect; sid:2009246; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; sid:2009285; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009247; classtype:shellcode-detect; sid:2009247; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009284; classtype:shellcode-detect; sid:2009284; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009248; classtype:shellcode-detect; sid:2009248; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009283; classtype:shellcode-detect; sid:2009283; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009249; classtype:shellcode-detect; sid:2009249; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009282; classtype:shellcode-detect; sid:2009282; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009250; classtype:shellcode-detect; sid:2009250; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009281; classtype:shellcode-detect; sid:2009281; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009251; classtype:shellcode-detect; sid:2009251; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009280; classtype:shellcode-detect; sid:2009280; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009252; classtype:shellcode-detect; sid:2009252; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009279; classtype:shellcode-detect; sid:2009279; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009253; classtype:shellcode-detect; sid:2009253; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009278; classtype:shellcode-detect; sid:2009278; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009254; classtype:shellcode-detect; sid:2009254; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009277; classtype:shellcode-detect; sid:2009277; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009255; classtype:shellcode-detect; sid:2009255; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009276; classtype:shellcode-detect; sid:2009276; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009256; classtype:shellcode-detect; sid:2009256; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009275; classtype:shellcode-detect; sid:2009275; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009257; classtype:shellcode-detect; sid:2009257; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009274; classtype:shellcode-detect; sid:2009274; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009258; classtype:shellcode-detect; sid:2009258; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009273; classtype:shellcode-detect; sid:2009273; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009259; classtype:shellcode-detect; sid:2009259; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009272; classtype:shellcode-detect; sid:2009272; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009260; classtype:shellcode-detect; sid:2009260; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009271; classtype:shellcode-detect; sid:2009271; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009261; classtype:shellcode-detect; sid:2009261; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009270; classtype:shellcode-detect; sid:2009270; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009262; classtype:shellcode-detect; sid:2009262; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009269; classtype:shellcode-detect; sid:2009269; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009263; classtype:shellcode-detect; sid:2009263; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009268; classtype:shellcode-detect; sid:2009268; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009264; classtype:shellcode-detect; sid:2009264; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009267; classtype:shellcode-detect; sid:2009267; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009265; classtype:shellcode-detect; sid:2009265; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009266; classtype:shellcode-detect; sid:2009266; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:2; content:!"|0A|"; within:2; content:!"|20|"; within:2; pcre:"/(%U([0-9a-f]{2})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; classtype:trojan-activity; sid:2003173; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:4; content:!"|0A|"; within:4; content:!"|20|"; within:4; pcre:"/(%U([0-9a-f]{4})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; classtype:trojan-activity; sid:2003174; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexFnstenvMov/Sub Encoder"; flow:established; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; classtype:shellcode-detect; sid:2002903; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Alpha2 GetEIPs Encoder"; flow:established; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; classtype:shellcode-detect; sid:2002904; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Countdown Encoder"; flow:established; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002905; classtype:shellcode-detect; sid:2002905; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexAlphaNum Encoder"; flow:established; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; reference:url,doc.emergingthreats.net/bin/view/Main/2002906; classtype:shellcode-detect; sid:2002906; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 PexCall Encoder"; flow:established; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|82 EE FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002907; classtype:shellcode-detect; sid:2002907; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 JmpCallAdditive Encoder"; flow:established; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; classtype:shellcode-detect; sid:2002908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010383; classtype:shellcode-detect; sid:2010383; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; reference:url,doc.emergingthreats.net/2010386; classtype:shellcode-detect; sid:2010386; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4)"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a 2a cc a5|"; reference:url,doc.emergingthreats.net/2010387; classtype:shellcode-detect; sid:2010387; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5)"; content:"|17 1c 1a 19 fb 77 80 ce|"; reference:url,doc.emergingthreats.net/2010388; classtype:shellcode-detect; sid:2010388; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1)"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010389; classtype:shellcode-detect; sid:2010389; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010390; classtype:shellcode-detect; sid:2010390; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1)"; content:"|6a 61 58 99 52 68 10 02|"; reference:url,doc.emergingthreats.net/2010391; classtype:shellcode-detect; sid:2010391; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2)"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a 68 58 cd|"; reference:url,doc.emergingthreats.net/2010392; classtype:shellcode-detect; sid:2010392; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3)"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a 5a 58 51|"; reference:url,doc.emergingthreats.net/2010393; classtype:shellcode-detect; sid:2010393; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4)"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|"; reference:url,doc.emergingthreats.net/2010394; classtype:shellcode-detect; sid:2010394; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)"; content:"|50 54 53 53 b0 3b cd 80|"; reference:url,doc.emergingthreats.net/2010395; classtype:shellcode-detect; sid:2010395; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49 51 5a 56|"; reference:url,doc.emergingthreats.net/2010396; classtype:shellcode-detect; sid:2010396; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33 30 42 43|"; reference:url,doc.emergingthreats.net/2010397; classtype:shellcode-detect; sid:2010397; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010398; classtype:shellcode-detect; sid:2010398; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; reference:url,doc.emergingthreats.net/2010399; classtype:shellcode-detect; sid:2010399; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)"; content:"|41 4e 44 35 44 34 44|"; reference:url,doc.emergingthreats.net/2010400; classtype:shellcode-detect; sid:2010400; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010401; classtype:shellcode-detect; sid:2010401; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010402; classtype:shellcode-detect; sid:2010402; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010403; classtype:shellcode-detect; sid:2010403; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49 49 49 49|"; reference:url,doc.emergingthreats.net/2010404; classtype:shellcode-detect; sid:2010404; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2)"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|"; reference:url,doc.emergingthreats.net/2010405; classtype:shellcode-detect; sid:2010405; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3)"; content:"|49 72 4e 4e 69 6b 53|"; reference:url,doc.emergingthreats.net/2010406; classtype:shellcode-detect; sid:2010406; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010407; classtype:shellcode-detect; sid:2010407; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1)"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|"; reference:url,doc.emergingthreats.net/2010409; classtype:shellcode-detect; sid:2010409; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2)"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c 96 7d 79 7e|"; reference:url,doc.emergingthreats.net/2010410; classtype:shellcode-detect; sid:2010410; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3)"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50 54 b2 df 6d|"; reference:url,doc.emergingthreats.net/2010411; classtype:shellcode-detect; sid:2010411; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4)"; content:"|57 44 55 4a 5b 62|"; reference:url,doc.emergingthreats.net/2010412; classtype:shellcode-detect; sid:2010412; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1)"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010413; classtype:shellcode-detect; sid:2010413; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010414; classtype:shellcode-detect; sid:2010414; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1)"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50|"; reference:url,doc.emergingthreats.net/2010415; classtype:shellcode-detect; sid:2010415; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2)"; content:"|6a 61 58 99 52 42 52 42 52 68|"; reference:url,doc.emergingthreats.net/2010416; classtype:shellcode-detect; sid:2010416; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3)"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59 b0 5a 51 57|"; reference:url,doc.emergingthreats.net/2010417; classtype:shellcode-detect; sid:2010417; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f 49 38 41 4e|"; reference:url,doc.emergingthreats.net/2010418; classtype:shellcode-detect; sid:2010418; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56 4a 35 4d 4c|"; reference:url,doc.emergingthreats.net/2010419; classtype:shellcode-detect; sid:2010419; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010420; classtype:shellcode-detect; sid:2010420; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010421; classtype:shellcode-detect; sid:2010421; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010423; classtype:shellcode-detect; sid:2010423; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)"; content:"|49 49 49 49 49 49 49 51 5a 6a|"; reference:url,doc.emergingthreats.net/2010424; classtype:shellcode-detect; sid:2010424; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)"; content:"|58 50 30 42 31 41 42 6b 42 41|"; reference:url,doc.emergingthreats.net/2010425; classtype:shellcode-detect; sid:2010425; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|"; reference:url,doc.emergingthreats.net/2010426; classtype:shellcode-detect; sid:2010426; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010427; classtype:shellcode-detect; sid:2010427; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010428; classtype:shellcode-detect; sid:2010428; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1)"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20 10 82 10 20 68|"; reference:url,doc.emergingthreats.net/2010429; classtype:shellcode-detect; sid:2010429; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20 6a 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010430; classtype:shellcode-detect; sid:2010430; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3)"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20 1e 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010431; classtype:shellcode-detect; sid:2010431; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4)"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf f0 d0 23 bf f8|"; reference:url,doc.emergingthreats.net/2010432; classtype:shellcode-detect; sid:2010432; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10 20 02 82 10 20 61|"; reference:url,doc.emergingthreats.net/2010433; classtype:shellcode-detect; sid:2010433; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82 10 20 5a|"; reference:url,doc.emergingthreats.net/2010434; classtype:shellcode-detect; sid:2010434; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|"; reference:url,doc.emergingthreats.net/2010437; classtype:shellcode-detect; sid:2010437; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010435; classtype:shellcode-detect; sid:2010435; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010436; classtype:shellcode-detect; sid:2010436; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:2100640; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2102313; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2102312; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2102314; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_09;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2100653; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern:only; classtype:shellcode-detect; sid:2101424; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:2100648; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata: former_category SHELLCODE; classtype:shellcode-detect; sid:2101390; rev:6; metadata:created_at 2010_09_23, updated_at 2017_09_08;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; metadata: former_category SHELLCODE; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:9; metadata:created_at 2010_09_23, updated_at 2017_09_08;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2100691; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012087; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:3; metadata:created_at 2010_12_23, updated_at 2016_09_16;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012089; rev:2; metadata:created_at 2010_12_23, updated_at 2017_09_08;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012090; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012091; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012092; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012093; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:3; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:4; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:4; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode"; flow:established,to_client; content:"writeByte(0x"; nocase; pcre:"/writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}/smi"; reference:url,blog.fireeye.com/research/2009/07/actionscript_heap_spray.html; classtype:shellcode-detect; sid:2012120; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:3; metadata:created_at 2011_01_17, updated_at 2011_01_17;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:4; metadata:created_at 2011_01_17, updated_at 2011_01_17;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012252; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:2; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:2; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012534; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:2; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; classtype:shellcode-detect; sid:2012962; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; classtype:shellcode-detect; sid:2012963; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; classtype:shellcode-detect; sid:2012964; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; classtype:shellcode-detect; sid:2012965; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern:only; classtype:shellcode-detect; sid:2013145; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013146; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013147; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"heap|2E|"; nocase; fast_pattern:only; pcre:"/var\x20[^\n\r]*\x3D[^\n\r]*heap\x2E/smi"; classtype:shellcode-detect; sid:2013148; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:3; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:2; metadata:created_at 2011_07_14, updated_at 2017_09_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; pcre:"/u0[a-d]u0[a-d]u0[a-d]u0[a-d]/smi"; classtype:shellcode-detect; sid:2013319; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:3; within:2; pcre:"/u0[a-d]0[a-d]u0[a-d]0[a-d]/smi"; classtype:shellcode-detect; sid:2013320; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; metadata: former_category SHELLCODE; classtype:bad-unknown; sid:2016715; rev:2; metadata:created_at 2013_04_03, updated_at 2017_09_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Flush IPTables Shellcode"; content:"|6a 52 58 99 52 66 68 2d 46 54 5b 52 48 b9 69 70 74 61 62 6c 65 73 51 d0 e0 28 c8 48 b9 2f 2f 73 62 69 6e 2f 2f 51 54 5f 52 53 57 54 5e 0f 05|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,a41l4.blogspot.ca/2017/03/polyflushiptables1434.html; classtype:shellcode-detect; sid:2024057; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode"; content:"|31 ff 57 6a 69 58 48 bb 5e c4 d2 dc 5e 5e e6 d0 0f 05 48 d1 cb b0 3b 53 87 f7 54 99 5f 0f 05|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html; classtype:shellcode-detect; sid:2024058; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Reverse Shell Shellcode"; content:"|6a 02 6a 2a 6a 10 6a 29 6a 01 6a 02|"; content:"|48 bf 2f 2f 62 69 6e 2f 73 68|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,exploit-db.com/exploits/41477/; classtype:shellcode-detect; sid:2024065; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_16, performance_impact Low, updated_at 2017_03_16;)
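Review bot: this hunk commits a point-in-time snapshot of the ET Open shellcode rules (newest `updated_at` visible is 2017_09_08 on sids 2013273 and 2016715; the tail ends with the `alert ip` Linux/x86-64 shellcode rules, sids 2024057, 2024058 and 2024065) without recording where the file came from, which ruleset version or date it represents, or why it is vendored, so it will be hard to refresh or audit later. Suggest either pulling these rules at deploy time with `suricata-update` and pinning the version, which also lets the many `#alert` disabled entries here (sids 2012253, 2012256, 2012510, 2012534, 2013148, 2013273, 2013319, 2013320, 2016715) be managed through a `disable.conf` instead of hand edits to the file, or at minimum adding a comment at the top of the file with the source URL and snapshot date. Also worth flagging for whoever deploys this: several of the enabled heap-spray signatures are bare, very short `content` matches with `nocase` and no buffer restriction, for example `content:"0a0a0a0a"; nocase;` (sid 2012252) and the `"0x0a0a0a0a"` through `"0x0d0d0d0d"` family (sids 2012962 to 2012965), so expect noise on any HTTP response that carries hex-looking strings; if they are intended to stay enabled on a lab sensor, say so in the commit, otherwise disable them alongside the others.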

View file

@ -0,0 +1,447 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/getAdXml.do"; http_uri; nocase; content:"params="; nocase; reference:url,www.isc.sans.org/diary.html?storyid=10186; classtype:trojan-activity; sid:2012140; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_01_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; content:"/push/androidxml/"; http_uri; nocase; content:"sim="; http_uri; nocase; content:"tel="; http_uri; nocase; content:"imsi="; http_uri; content:"pid="; http_uri; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2012451; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; content:".log"; http_uri; nocase; content:"id="; http_uri; nocase; content:"softid="; http_uri; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/GMServer/GMServlet"; nocase; http_uri; content:"|0d 0a|User-Agent|3a| Dalvik"; http_header; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"request"; http_uri; nocase; content:".php"; http_uri; nocase; content:"<imei>"; content:"<smscenter>"; content:"<installtime>"; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012454; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2"; flow:established,to_server; content:"req.php"; nocase; http_uri; content:"pid="; http_uri; nocase; content:"ver="; http_uri; nocase; content:"area="; http_uri; nocase; content:"insttime="; http_uri; nocase; content:"first="; http_uri; nocase; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012455; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; http_uri; content:"StartUpdata.ini"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; http_uri; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; http_uri; nocase; content:"active.txt"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012844; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012845; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012846; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012847; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imei="; nocase; http_uri; pcre:"/imei=\d{2}-?\d{6}-?\d{6,}-?\d{1,}/Ui"; content:!"Host|3a 20|iphone-wu.apple.com"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2012848; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; classtype:trojan-activity; sid:2012850; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012851; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012852; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012853; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"?id="; http_uri; content:"&time="; http_uri; content:"&imei="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server"; flow:established,to_server; content:"jiao.com"; http_header; fast_pattern; content:"/?id=book22"; nocase; http_uri; pcre:"/Host\x3A[^\n\r]*jiao.com/Hi"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012904; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt"; flow:established,to_server; content:"/talktome.asmx"; nocase; http_uri; content:"cell"; http_client_body; nocase; content:"opname"; nocase; distance:0; http_client_body; reference:url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html; classtype:trojan-activity; sid:2012924; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_02, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013019; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/search/sayhi.php"; http_uri; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information"; flow:established,to_server; content:"POST"; http_method; nocase; content:"longitude="; http_uri; nocase; content:"latitude="; http_uri; nocase; classtype:trojan-activity; sid:2013021; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"search/rpty.php"; http_uri; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0E|gongfu-android|03|com"; distance:0; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013023; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_13, updated_at 2016_07_01;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|waplove|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; content:"/ProtocolGW/"; fast_pattern; http_uri; nocase; content:"filename="; http_uri; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; content:"|0d 0a|url=http|3A|//"; nocase; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/search/getty.php"; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; content:"POST"; http_method; content:".aspx?im="; http_uri; content:"User-Agent|3A| J2ME/UCWEB"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; content:"/android/android.dbug.php?action=heart"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013078; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; content:"/ss/attachments/files/URLshorter.apk"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMEI>"; http_client_body; nocase; content:"<|2F|IMEI>"; fast_pattern; nocase; http_client_body; distance:0; content:!".blackberry.com|0d 0a|"; http_header; content:!".nokia.com|0d 0a|"; http_header; content:!".sonyericsson.com|0d 0a|"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2013138; rev:8; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMSI>"; http_client_body; nocase; content:"<|2F|IMSI"; nocase; distance:0; http_client_body; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013140; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download"; flow:established,to_server; content:"plugucsrv.sisx"; http_uri; fast_pattern:only; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013141; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013142; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013143; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC"; flow:established,to_server; content:"/flash/test.xml"; http_uri; fast_pattern:only; flowbits:set,ET.And.CruseWin; flowbits:noalert; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013193; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server"; flowbits:isset,ET.And.CruseWin; flow:established,from_server; content:"<connect>http|3A|//"; nocase; content:"<send number="; nocase; distance:0; content:"<insms>http|3A|//"; nocase; distance:0; content:"<delete number="; nocase; distance:0; content:"<clean app="; nocase; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013194; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Mobile Device Posting Phone Number"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&Phone"; fast_pattern; nocase; http_uri; content:"Number="; nocase; http_uri; pcre:"/\x26Phone(Number\x3D|\x5FNumber\x3D|\x2DNumber\x3D)/Ui"; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2013208; rev:3; metadata:created_at 2011_07_06, updated_at 2017_07_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server"; flow:established,to_server; content:"/wat.php"; nocase; http_uri; content:"incorporateapps.com"; nocase; http_header; pcre:"/Host\x3A[^\r\n]*incorporateapps\x2Ecom/Hi"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-033008-4831-99&tabid=2; reference:url,blog.avast.com/2011/03/21/android-is-calling-walk-and-text-and-be-malicious/; classtype:trojan-activity; sid:2013209; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server"; flow:established,to_server; content:"POST"; http_method; uricontent:"/Coop/request"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-031005-2918-99&tabid=2; classtype:trojan-activity; sid:2013210; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; content:"/RegistUid.asp"; fast_pattern:only; http_uri; nocase; content:"?pid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&imei="; nocase; http_uri; content:"&sim="; nocase; http_uri; content:"&imsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; content:"/alotWorkTask.aspx?no="; http_uri; content:"&uid="; http_uri; content:"&ti="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; content:"/upload/UploadFiles.aspx?askId="; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary"; flow:established,to_server; content:"DGOManagerServer/file/TianXiangServer2.sisx"; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_commdn.a!tr.html; classtype:trojan-activity; sid:2013261; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013265; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:"<smslist>"; content:"<sms id="; distance:0; content:"upnumber="; distance:0; content:"<|2F|smslist>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013266; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/HippoSms Method Request to CnC"; flow:established,to_server; content:"/clientRequest.htm?method="; http_uri; nocase; content:"&os="; http_uri; content:"&brand="; nocase; http_uri; content:"&sdkVersion="; nocase; http_uri; pcre:"/method\x3D(update|startcharge)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html; classtype:trojan-activity; sid:2013299; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server"; flow:established,to_server; content:"/Submit.aspx?ver="; http_uri; content:"&sys="; http_uri; content:"&imei="; http_uri; content:"&ua="; http_uri; content:"&pro="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013316; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.AdSms XML File From CnC Server"; flow:established,from_server; content:"<cmdsystem>"; content:"<mobile>"; content:"<|2F|mobile>"; within:50; content:"<killprocess>"; distance:0; content:"<killinstall>"; distance:0; content:"<killuninst>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013317; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/security.jsp"; nocase; http_uri; content:"|0d 0a 0d 0a|f0="; content:"&b0="; distance:0; content:"&pid="; distance:0; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:2013327; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/netsend/nmsm_json.jsp"; fast_pattern:only; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:trojan-activity; sid:2013694; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_09_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; content:"/android_notifier/notifier.php?app="; http_uri; content:"&deviceId="; http_uri; content:"&mobile="; http_uri; content:"&country="; http_uri; content:"&carrier="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; content:"/AndroidService.aspx?imsi="; http_uri; content:"&mobile="; http_uri; content:"&pid="; http_uri; content:"&ownerid="; http_uri; content:"&testchlid="; http_uri; content:"&androidver="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; content:"/search/isavailable"; http_uri; content:".php?imei="; http_uri; content:"&ch="; http_uri; content:"&ver="; http_uri; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; content:"/send.php?a_id="; http_uri; content:"&telno="; fast_pattern:only; http_uri; content:"&m_addr="; http_uri; content:"Android"; http_user_agent; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:trojan-activity; sid:2014161; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; content:"/android_notifier/notifier.php?h="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:trojan-activity; sid:2014162; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server"; flow:established,to_server; content:"/ProtocolGW/protocol/commands"; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_PLANKTON.P; classtype:trojan-activity; sid:2014215; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_02_07, updated_at 2016_07_01;)
alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; content:"/kspp/do?imei="; fast_pattern:only; http_uri; content:"&wid="; http_uri; content:"&type="; http_uri; content:"&step="; http_uri; reference:md5,e6d9776113b29680aec73ac2d1445946; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; classtype:trojan-activity; sid:2016318; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_12, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Updtkiller Sending Device Information"; flow:established,to_server; content:"/phone_getinfokou_android.php"; http_uri; reference:url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2; classtype:trojan-activity; sid:2016094; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC"; flow:established,to_server; content:"POST"; http_method; content:"/geturl.aspx?email="; http_uri; content:"&lat="; http_uri; content:"&lon="; http_uri; content:"&mobile="; http_uri; content:"&group="; http_uri; reference:url,www.symantec.com/connect/blogs/androidcoolpaperleak-million-download-baby; classtype:trojan-activity; sid:2016209; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_01_15, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android TrojanFakeLookout.A"; flow:established,to_server; urilen:13; content:"/controls.php"; http_uri; content:"Dalvik/"; http_user_agent; reference:url,blog.trustgo.com/fakelookout/; reference:md5,65baecf1fe1ec7b074a5255dc5014beb; classtype:trojan-activity; sid:2016343; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&online="; distance:0; http_uri; content:"&m="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"User-Agent|3a| Dalvik/"; http_header; reference:md5,7dec1c9174d0f688667f6c34c0fa66c2; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:2016344; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Variant"; flow:established,to_server; content:"GET"; http_method; content:"/search/"; http_uri; content:".php?i="; http_uri; distance:0; content:"1.0|0d 0a|User-Agent|3a| unknown|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2016345; rev:5; metadata:created_at 2013_02_05, updated_at 2013_02_05;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Successful Install Report"; flow:established,to_server; content:"/Android_SMS/installing.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016512; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_03_01, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/Android_SMS/receiving.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016513; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_03_01, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; file_data; content:"PK"; depth:2; content:"|FD FF|"; distance:26; within:2; content:".dex"; nocase; within:128; reference:url,sophos.com/2013/07/17/anatomy-of-another-android-hole-chinese-researchers-claim-new-code-verification-bypass/; classtype:trojan-activity; sid:2017163; rev:2; metadata:created_at 2013_07_17, updated_at 2013_07_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/srev.asp"; http_uri; content:"action="; http_client_body; depth:7; content:"&b_name="; http_client_body; distance:0; content:"&b_conter="; http_client_body; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans; classtype:trojan-activity; sid:2017466; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_09_16, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon"; flow:established,to_server; content:"/getTask.php?"; fast_pattern:only; nocase; http_uri; content:"imei="; http_uri; content:"balance="; http_uri; content:!"Referer|3a 20|"; http_header; metadata: former_category MOBILE_MALWARE; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017587; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_10_13, updated_at 2017_03_29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"co"; http_uri; content:"untry="; http_uri; content:"phone="; http_uri; content:"&op="; http_uri; content:"imei="; fast_pattern:only; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017588; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_10_13, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/send_sim_no.php|20|HTTP/1."; fast_pattern; content:!"Referer|3a 20|"; http_header; content:"_no="; http_client_body; depth:16; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017787; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2017_04_27;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017788; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon"; flow:established,to_server; content:"POST "; urilen:15; content:"/getLastVersion"; depth:15; http_uri; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2017999; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/register"; depth:9; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018000; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:7; content:"/login"; depth:7; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018001; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:7; content:"/report"; depth:7; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018002; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:8; content:"/getTask"; depth:8; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018003; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/reportMessage"; depth:14; http_uri; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/H"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018004; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request"; flow:established,to_server; content:"/iconfig.txt"; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible)|0D 0A|"; http_header; reference:url,nakedsecurity.sophos.com/2014/01/31/android-banking-malware-with-a-twist-in-the-delivery/; classtype:trojan-activity; sid:2018071; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 1"; flow:to_server,established; content:"POST"; http_method; content:"androidbugreport.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; content:"&token="; depth:7; http_client_body; content:"&target="; depth:8; http_client_body; content:"&rd="; depth:4; http_client_body; content:"&fo="; depth:4; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018138; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 2"; flow:to_server,established; content:"POST"; http_method; content:"filter.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018139; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 3"; flow:to_server,established; content:"POST"; http_method; content:"history.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; content:"&ds="; depth:4; http_client_body; content:"&sg="; depth:4; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018140; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SMSSend Fake flappy bird APK"; flow:to_server,established; content:"GET"; http_method; content:"/bookmark/getServiceCode?price="; http_uri; fast_pattern:only; content:"Dalvik"; depth:6; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,securehoney.net/blog/how-to-dissect-android-flappy-bird-malware.html; reference:md5,6c357ac34d061c97e6237ce9bd1fe003; classtype:trojan-activity; sid:2018306; rev:3; metadata:created_at 2014_03_24, updated_at 2014_03_24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/get.php|20|HTTP/1."; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:"info"; http_client_body; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/P"; metadata: former_category MOBILE_MALWARE; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_04_17, malware_family Android_Hqwar, updated_at 2017_07_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS/Lotoor.Q"; flow:established, to_server; content: "device_id="; http_uri; pcre:"/^\d{10,20}&imsi=\d{10,15}&device_name=/URi"; content:"&app_id="; http_uri; pcre:"/^[a-f0-9]{30,35}&app_package_name=/URi"; content: "screen_density="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,92608e6ff795862f83d891ad8337b387; classtype:trojan-activity; sid:2018520; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern:only; content:"meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi"; http_user_agent; depth:51; content:!"Referer|3a|"; http_header; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Andr/com.sdwiurse"; flow:established,to_server; content:"POST"; http_method; content:"/youxi_up.php"; fast_pattern:only; http_uri; content:"--*****|0d 0a|Content-Disposition|3a| form-data|3b| name=|22|npki|22|"; depth:52; http_client_body; reference:url,fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html; reference:md5,04d24eb45d3278400b5fee5c1b06226c; classtype:trojan-activity; sid:2018584; rev:3; metadata:created_at 2014_06_19, updated_at 2014_06_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/n/"; http_uri; content:!"Referer|3a 20|"; http_header; content:"content=eyJ"; http_client_body; depth:11; fast_pattern; content:!"Accept|3a|"; http_header; pcre:"/\/n\/\d{15}$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,a78e904a05d4a9e6a15b6f56b261eab9; classtype:trojan-activity; sid:2018630; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_03, updated_at 2017_03_09;)
alert http $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET MOBILE_MALWARE Android Spyware Dowgin Checkin"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/webviewAdReq"; nocase; depth:13; http_uri; reference:md5,45bf9f6e19649d3e1642854ecd82623c; classtype:trojan-activity; sid:2018663; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin"; flow:established,to_server; content:"POST"; http_method; content:"/flash/api.php?id="; http_uri; fast_pattern:only; pcre:"/^\/flash\/api\.php\?id=\d/U"; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018769; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:14; content:"/api33/api.php"; http_uri; fast_pattern:only; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018774; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS.Simplocker Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:5; content:"/1/?1"; http_uri; fast_pattern:only; content:"{|22|n|22 3a 22|"; depth:6; http_client_body; content:"|22 2c 22|d|22 3a 22|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,welivesecurity.com/2014/07/22/androidsimplocker/; reference:md5,b98cac8f1ce9284f9882ba007878caf1; classtype:trojan-activity; sid:2018781; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_25, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/message.php"; http_uri; fast_pattern:only; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a|"; http_header; reference:md5,54b715f6608d4457a9d22cfdd8bddbe6; reference:url,adaptivemobile.com/blog/selfmite-worm; reference:url,computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmite_targets_Android_devices; classtype:trojan-activity; sid:2018792; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_28, updated_at 2016_07_01;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content:"MAIL FROM|3a|<a137736513@qq.com>"; nocase; reference:md5,ef819779fc4bee6117c124fb752abf57; classtype:trojan-activity; sid:2018887; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/path/DeviceManager.php"; nocase; depth:23; http_uri; content:"func="; depth:5; http_client_body; content:"&deviceid="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=counter&app_key="; depth:23; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018945; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=devicestatus"; http_client_body; fast_pattern:only; content:"&app_key="; offset:19; http_client_body; content:"&imei="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018946; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:15; content:"/report/install"; http_uri; fast_pattern:only; content:"data="; http_client_body; depth:5; content:"os="; http_client_body; distance:0; content:"mac="; http_client_body; distance:0; content:"sign="; http_client_body; distance:0; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:trojan-activity; sid:2019125; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 1"; flow:established,to_server; content:"/updatesrv.aspx?f=1"; http_uri; fast_pattern:only; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019174; rev:2; metadata:created_at 2014_09_15, updated_at 2014_09_15;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 2"; flow:established,to_server; content:"/updatesrv.aspx?f=2&uuid="; http_uri; fast_pattern:only; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019175; rev:2; metadata:created_at 2014_09_15, updated_at 2014_09_15;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Code4hk.A Checkin"; flow:established,to_server; content:"ClientInfo"; content:"isWifi"; distance:0; content:"cpuInfo"; distance:0; content:"firstOnlineIp"; distance:0; content:"firstOnlineTime"; distance:0; content:"imei"; distance:0; content:"ipAddr"; distance:0; content:"phoneBrand"; distance:0; content:"phoneNumber"; distance:0; content:"simOperator"; distance:0; fast_pattern; reference:url,malware.lu/articles/2014/09/29/analysis-of-code4hk.html; classtype:trojan-activity; sid:2019318; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetConnect.aspx"; http_uri; content:"&tIMEI="; http_uri; content:"&tIMSI="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019331; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending GPS info"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetUploadGps.aspx"; http_uri; content:"tmac="; http_uri; content:"&JZ="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019332; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending files"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/TargetUploadFile.aspx"; http_uri; content:"tmac="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019333; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser checking library version"; flow:to_server,established; content:"GET"; http_method; nocase; urilen:18; content:"/CheckLibrary.aspx"; http_uri; content:!"Referer|3a|"; http_header; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019334; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Koler.C Checkin"; flow:to_server,established; content:".php?v="; http_uri; content:"&brok="; fast_pattern:only; http_uri; content:"&u="; http_uri; content:"&id="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&id=\d{15}$/U"; reference:md5,6ae7b0d04e2fd64a50703910d0eff9cc; classtype:trojan-activity; sid:2019510; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_10_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Stealthgenie Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/SGCommand.aspx?sgcommand="; fast_pattern:6,20; http_uri; content:"&uid="; http_uri; distance:0; content:"&sid="; http_uri; distance:0; content:"&value="; http_uri; distance:0; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"|20|Android|20|"; http_user_agent; reference:md5,06947ce839a904d6abcb272ff46e7de1; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99&tabid=2; reference:url,engadget.com/2014/09/30/crackdown-on-spying-apps-leads-to-stealthgenie-ceos-arrest/; classtype:trojan-activity; sid:2019805; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_11_25, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 1"; flow:established,to_server; content:"/dmp/api/"; http_uri; fast_pattern:only; content:"UAC/"; depth:4; http_user_agent; content:"|28|Android|20|"; distance:0; http_user_agent; content:"dmp."; http_header; pcre:"/\/dmp\/api\/[a-z]+$/U"; pcre:"/^Host\x3a[^\r\n]+?dmp\.[^\r\n]+?\r?$/Hmi"; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019958; rev:4; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"UAC/"; depth:4; http_user_agent; content:"|28|Android|20|"; distance:0; http_user_agent; content:"name=|22|softwareVersion|22|"; nocase; http_client_body; content:"name=|22|isEnc|22|"; nocase; distance:0; http_client_body; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019959; rev:3; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper User-Agent"; flow:established,to_server; content:"UAC/"; depth:4; http_user_agent; fast_pattern; content:"|28|Android|20|"; distance:0; http_user_agent; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019960; rev:3; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/contacts"; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:"contact|25|26="; depth:11; fast_pattern; http_client_body; pcre:"/\/contacts$/U"; reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_02, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon"; flow:established,to_server; content:"/input_data_get_contact.asp?user="; http_uri; content:"&pwd="; http_uri; content:"&addr="; http_uri; reference:url,research.zscaler.com/2015/02/android-banking-trojan-and-sms-stealer.html; reference:md5,ff081c1400a948f2bcc4952fed2c818b; classtype:trojan-activity; sid:2020353; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_03, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Operation Pawn Storm IOS_XAGENT Checkin"; flow:to_server,established; content:"XAgent/1."; depth:9; http_user_agent; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:(?:sear|wat)ch|results|close|find|open)\/\?[a-zA-Z]{2,8}=/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020363; rev:3; metadata:created_at 2015_02_04, updated_at 2015_02_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE IOS_XAGENT UA"; flow:to_server,established; content:"XAgent/1."; http_user_agent; depth:9; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020364; rev:3; metadata:created_at 2015_02_04, updated_at 2015_02_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SMSSend.Y"; flow:established,to_server; content:"/api/log.html|3f|"; http_uri; fast_pattern; content:"c="; http_uri; content:"&o="; http_uri; content:"&n="; http_uri; content:"Apache-HttpClient"; depth:18; http_user_agent; reference:md5,ef79985c90675e7abfb6b9a6bc5a6c65; classtype:trojan-activity; sid:2020729; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_03_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin"; flow:to_server,established; content:"/pha?android_version="; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&phone_number="; http_uri; content:"&client_version="; http_uri; content:"&imei="; http_uri; content:"&name="; http_uri; reference:url,securityblog.s21sec.com/2015/05/new-ransomware-in-mobile-environment.html; classtype:trojan-activity; sid:2021174; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_01, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"User-Agent|3a 20|"; http_header; content:"content=eyJmaW5nZXJwcmludCI"; fast_pattern; depth:27; http_client_body; reference:md5,0aa69ad64e20bb6cbf72f346ce43ff23; reference:url,www.fireeye.com/blog/threat-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2021185; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 5.2|29 20|"; http_header; content:"appid="; depth:6; http_client_body; content:"&model="; http_client_body; content:"&imei="; fast_pattern:only; http_client_body; content:"&connect="; http_client_body; content:"&dpi="; http_client_body; content:"&width="; http_client_body; content:"&cpu="; http_client_body; content:"&phoneno="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021386; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"uuid="; http_client_body; content:"language="; http_client_body; content:"appkey"; http_client_body; content:"model="; http_client_body; content:"operatorsname="; fast_pattern:only; http_client_body; content:"networkname="; http_client_body; content:"networktype="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021387; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gunpoder Checkin"; flow:to_server,established; content:"/landing?c="; fast_pattern:only; http_uri; content:"&g="; http_uri; content:"&a="; http_uri; content:"&s1="; http_uri; content:"&s2="; http_uri; content:"&s3="; http_uri; content:"&s4="; http_uri; content:"&s5="; http_uri; content:"&s6="; http_uri; content:"&s7="; http_uri; content:"&s8="; http_uri; content:"&s9="; http_uri; content:"&s10="; http_uri; content:"&s11="; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/; reference:md5,b0b2cd71b4d15bb5f07b8315d7b27822; classtype:trojan-activity; sid:2021392; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_07, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|tinduongpho|03|com|00|"; fast_pattern; distance:0; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin 2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/gac/"; fast_pattern:only; http_uri; content:"|20|Android|20|"; http_user_agent; content:"|0d 0a|Connection|3a| Keep-Alive|0d 0a|Accept-Encoding|3a| gzip|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^\/gac\/[a-f0-9]{15}$/U"; reference:url,blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises; classtype:trojan-activity; sid:2021617; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_08_12, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin"; flow:to_server,established; content:"/data.php?table="; fast_pattern:only; http_uri; content:"&game="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&game=[a-f0-9]{40}$/U"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021737; rev:2; metadata:created_at 2015_08_31, updated_at 2015_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cert.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"id="; depth:3; http_client_body; content:"&cert="; http_client_body; content:"&priv="; fast_pattern:only; http_client_body; content:"&flag="; http_client_body; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021738; rev:2; metadata:created_at 2015_08_31, updated_at 2015_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M1"; flow:established,to_server; content:"GET"; http_method; content:".plist"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern:only; pcre:"/\.plist$/U"; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021900; rev:3; metadata:created_at 2015_10_05, updated_at 2015_10_05;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M2"; flow:established,to_server; content:"GET"; http_method; content:"/itms-services|3a|"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021901; rev:3; metadata:created_at 2015_10_05, updated_at 2015_10_05;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Kemoge DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|aps|06|kemoge|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021927; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:25; content:"/getInstalledPackages.jsp"; http_uri; fast_pattern:only; content:"sdCardFree="; http_client_body; depth:11; content:"&imei="; http_client_body; distance:0; content:"&hasSd="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021928; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/v1.jsp?e="; http_uri; fast_pattern; depth:10; content:"&s="; http_uri; distance:0; content:"&g="; http_uri; distance:0; content:"&versionCode="; http_uri; distance:0; content:"&osVersion="; http_uri; distance:0; content:"&countryCode="; http_uri; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021929; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Cloudsota HTTP Host"; flow:to_server,established; content:"Host|3a| download.cloudsota.com"; http_header; reference:url,www.cmcm.com/blog/en/security/2015-11-09/842.html; classtype:trojan-activity; sid:2022081; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_12, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.c Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; nocase; content:!"Referer|3a 20|"; http_header; content:"{|22|type|22 3a|"; depth:8; http_client_body; content:",|22|text|22 3a|"; http_client_body; content:",|22|code|22 3a|"; fast_pattern:only; http_client_body; content:",|22|from|22 3a|"; http_client_body; content:"|22|}"; http_client_body; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; reference:url,fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022137; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.EP HTTP Host"; flow:to_server,established; content:"Host|3a 20|jackdojacksgot.ru"; http_header; nocase; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; classtype:trojan-activity; sid:2022144; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"Referer|3a 20|"; http_header; content:",|22|model|22 3a|"; http_client_body; content:",|22|apps|22 3a 5b 22|"; http_client_body; content:",|22|imei|22 3a|"; fast_pattern:only; http_client_body; pcre:"/^\{\x22(?:os|type)\x22\x3a/P"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_12_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SlemBunk.Banker Phished Credentials Upload"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"/"; http_uri; depth:1; content:"User-Agent|3A| Apache-HttpClient/UNAVAILABLE"; http_header; content:"{|22|data|22 3A|"; http_client_body; depth:8; content:"|22|password old|22 3A|"; fast_pattern; http_client_body; distance:0; content:"|22|login|22 3A|"; http_client_body; content:"|22|type|22 3A|"; http_client_body; distance:0; content:"|22|login old|22 3A|"; http_client_body; distance:0; content:"|22|password|22 3A|"; http_client_body; distance:0; content:"|22|name|22 3A|"; http_client_body; distance:0; content:"|22|code|22 3A|"; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022289; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_12_21, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pc35hiptpcwqezgs"; nocase; distance:0; fast_pattern; reference:url,www.csis.dk/da/csis/blog/4818/; reference:md5,111b71c120167b5b571ee5501ffef65e; classtype:trojan-activity; sid:2022517; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_12, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yuwurw46taaep6ip"; nocase; distance:0; fast_pattern; reference:md5,58fed8b5b549be7ecbfbc6c63b84a728; classtype:trojan-activity; sid:2022562; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|voooxrrw2wxnoyew"; nocase; distance:0; fast_pattern; reference:md5,8d260ab2bb36aeaf5b033b80b6bc1e6a; classtype:trojan-activity; sid:2022563; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Trojan-Banker.AndroidOS.Marcher.i Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmdxiawceahpbhmb|03|com"; nocase; distance:0; fast_pattern; reference:md5,3c52de547353d94e95cde7d4c219ccac; classtype:trojan-activity; sid:2022975; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_07_18, performance_impact Low, updated_at 2016_07_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS DualToy Checkin"; flow:to_server,established; content:"/i_info_proxy.php?cmd="; fast_pattern:only; http_uri; content:"&data="; http_uri; content:"|3b 20|iPhone|20|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/&data=(?:([A-Za-z0-9]|%2[FB]){4})*(?:([A-Za-z0-9]|%2[FB]){2}==|([A-Za-z0-9]|%2[FB]){3}=|([A-Za-z0-9]|%2[FB]){4})$/I"; metadata: former_category MOBILE_MALWARE; reference:url,researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/; classtype:trojan-activity; sid:2023240; rev:2; metadata:affected_product iOS, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_15, performance_impact Low, updated_at 2017_03_08;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE AndroRAT Bitter DNS Lookup (info2t .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|info2t|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; classtype:trojan-activity; sid:2023398; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_10_24, malware_family AndroRAT, performance_impact Low, updated_at 2016_10_24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Adware.Adwo.A"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; content:!"&ComPut="; http_uri; content:!"User-Agent|3a 20|"; http_header; reference:md5,bbb0aa6c9f84963dacec55345fe4c47e; classtype:trojan-activity; sid:2023475; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Sending Credit Card Info"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cards_json.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"bot_id="; depth:7; fast_pattern; http_client_body; content:"&info="; http_client_body; content:"cardNum"; http_client_body; pcre:"/^bot_id=[a-f0-9]{32}&/P"; pcre:"/\.php$/U"; reference:md5,78c2444fe15a8e58c629076781d9442a; reference:url,blog.fortinet.com/2016/11/01/android-banking-malware-masquerades-as-flash-player-targeting-large-banks-and-popular-social-media-apps; classtype:trojan-activity; sid:2023483; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_03, performance_impact Low, updated_at 2016_11_03;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"sms|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023500; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, created_at 2016_11_11, updated_at 2016_11_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"itms-apps|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023501; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, created_at 2016_11_11, updated_at 2016_11_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/RequestActionsToExecute"; fast_pattern; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|CommandLine|22 3a|"; depth:15; http_client_body; content:",|22|CurrentDirectory|22 3a|"; http_client_body; pcre:"/\/RequestActionsToExecute$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023507; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/NotifyLog"; fast_pattern:only; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|ClientId|22 3a|"; depth:12; http_client_body; content:",|22|Date|22 3a|"; http_client_body; pcre:"/\/NotifyLog$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023508; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)
alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert"; flow:established,from_server; content:"|02|IT"; content:"|03|AAA"; distance:0; content:"|02|BB"; distance:0; content:"|03|EEE"; distance:0; content:"|0d|IT Department"; distance:0; content:"|0a|SASDS_Srv0"; fast_pattern; distance:0; reference:md5,cbd1c2db9ffc6b67cea46d271594c2ae; classtype:trojan-activity; sid:2023509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Unknown Redirector Nov 17 2016"; flow:from_server,established; file_data; content:"<script>"; content:".indexOf(|22|_mauthtoken|22|)=="; distance:0; content:"|22|ooglebot|22|"; content:"|7c|fennec|7c|"; content:"|22|_mauthtoken=1|3b| path=/|3b|expires=|22|"; fast_pattern; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023531; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Landing URI Nov 17 2016"; flow:to_server,established; content:"/kt/JpNx9n"; http_uri; pcre:"/\/kt\/JpNx9n$/U"; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023532; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin"; flow:to_server,established; content:"lm="; http_uri; content:"/watch/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023680; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 2"; flow:to_server,established; content:"lm="; http_uri; content:"/search/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023681; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 3"; flow:to_server,established; content:"lm="; http_uri; content:"/find/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023682; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 4"; flow:to_server,established; content:"lm="; http_uri; content:"/results/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023683; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 5"; flow:to_server,established; content:"lm="; http_uri; content:"/open/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023684; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 6"; flow:to_server,established; content:"lm="; http_uri; content:"/close/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023685; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert"; flow:established,from_server; content:"|00 dd 45 ec 3f 08 74 58 6a|"; content:"|0a|Department"; distance:0; content:"|55 04 03|"; distance:0; content:"|0f|www.example.com"; distance:1; within:16; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023708; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|rockybalboa|02|at|00|"; nocase; distance:0; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023709; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|storegoogle|02|at|00|"; nocase; distance:0; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php"; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Language|3a 20|en-US|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:98; http_header; content:!"Referer|3a 20|"; http_header; content:"&method="; fast_pattern:only; http_client_body; pcre:"/^d(?:id|ei)=[A-F0-9]{10,100}&method=IS[A-Z]{1,10}$/P"; pcre:"/\.php$/U"; reference:md5,d6ef9b0cdb49b56c53da3433e30f3fd6; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023933; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2017_02_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/functions.php"; fast_pattern:only; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:"apslst="; depth:7; http_client_body; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023934; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|androidbak|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023935; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|droidback|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023936; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|endpointup|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023937; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|siteanalysto|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023938; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|goodydaddy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023939; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/stat/locker|20|HTTP/1."; fast_pattern:only; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"type="; http_client_body; depth:5; content:"&version="; http_client_body; content:"&lid="; http_client_body; content:"&c="; http_client_body; content:"&i="; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,www.zscaler.com/blogs/research/new-android-ransomware-bypasses-all-antivirus-programs; classtype:trojan-activity; sid:2024123; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_03_31, updated_at 2017_03_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/support.aspx|20|HTTP/1."; content:"SessionId1|3a 20|"; http_header; content:"SessionId2|3a 20|"; fast_pattern:only; http_header; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|header|22 3b 20|filename=|22|header|22 0d 0a|"; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:trojan-activity; sid:2024171; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_04_04, updated_at 2017_04_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon M2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/adinfo?gi="; fast_pattern:only; http_uri; content:"&bf="; http_uri; pcre:"/^Host\x3a[^\n\r]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\r\n]+$/Hm"; metadata: former_category MOBILE_MALWARE; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:trojan-activity; sid:2024172; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_04_04, updated_at 2017_04_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/sdk_api.php?id="; fast_pattern:only; http_uri; content:"&type="; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?id=[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}&type=/U"; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024201; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response"; flow:from_server,established; file_data; content:"[{|22|id|22 3a 22|0|22|,|22|command|22 3a 22|OK|22|}"; depth:26; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024202; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Dropper.Abd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/ad-"; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"RgQ7"; depth:4; fast_pattern; http_client_body; pcre:"/\/ad-(?:strat|devi)\/$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,66a1dda748d073f5e659b700339c3343; reference:url,www.zscaler.com/blogs/research/malicious-android-ads-leading-drive-downloads; classtype:trojan-activity; sid:2024411; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android_07012016, signature_severity Major, created_at 2017_06_19, updated_at 2017_06_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a CnC Beacon"; flow:to_server,established; content:"/inj/injek-1.php?id="; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/\?id=(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,e9542a8bd9f0ab57e40bb8519ac443a2; classtype:trojan-activity; sid:2024426; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_06_26, malware_family Android_Marcher, updated_at 2017_06_26;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|updatmaster|03|top|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/; classtype:trojan-activity; sid:2024509; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_02, updated_at 2017_08_02;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE WireX Botnet DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|axclick|05|store|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:md5,6af299a2ac9b59f7d551b6e235e0d200; reference:url,blog.cloudflare.com/the-wirex-botnet/; classtype:trojan-activity; sid:2024615; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_28, malware_family Android_WireX, updated_at 2017_08_28;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|b1k51|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024735; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|b1j3aas|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024736; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|wechaatt|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024737; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|10as05|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024738; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ch0ck4|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024739; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|fatur1s|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024740; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 7"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|b5k31|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024741; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 8"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|erd0|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024742; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 9"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|b1v2a5|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024743; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|b1502b|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024744; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|elsssee|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024745; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|kvp41|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024746; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 13"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|servertestapi|03|ltd|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024747; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 14"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|taxii|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024748; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|p0w3r|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024749; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 16"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|4r3a|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024750; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
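Review bot: the reference option in sid:2024509 (ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup) has a doubled prefix, `reference:url,reference:url,blog.trendmicro.com/...`, so the stored reference is not the intended URL (the parser takes `url` as the type and the literal text `reference:url,...` as the value, which leaves a broken or truncated link in alert metadata). Suggest `reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/;` and a `rev` bump, since this is the only rule in the hunk whose reference would not resolve.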

@ -0,0 +1,18 @@
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 2048"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2000537; rev:8;)
alert ip any any -> any any (msg:"ET SCAN NMAP -sO"; dsize:0; ip_proto:21; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000536; classtype:attempted-recon; sid:2000536; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2009582; rev:2;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2009583; rev:2;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2009584; rev:1;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sA (2)"; fragbits:!D; dsize:0; flags:A,12; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000540; classtype:attempted-recon; sid:2000540; rev:8;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sF"; fragbits:!M; dsize:0; flags:F,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000543; classtype:attempted-recon; sid:2000543; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sN"; fragbits:!M; dsize:0; flags:0,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000544; classtype:attempted-recon; sid:2000544; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sS"; fragbits:!M; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000545; classtype:attempted-recon; sid:2000545; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sX"; fragbits:!M; dsize:0; flags:FPU,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000546; classtype:attempted-recon; sid:2000546; rev:7;)
alert http any any -> any $HTTP_PORTS (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Nmap NSE"; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:2009359; rev:3;)
alert http any any -> any any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:4;)
alert icmp any any -> any any (msg:"GPL SCAN PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:2100469; rev:4;)
alert tcp any any -> any any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8;)
alert tcp any any -> any any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8;)
alert tcp any any -> any any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7;)
alert http any any -> $HTTP_SERVERS any (msg:"ET SCAN NMAP SQL Spider Scan"; flow:established,to_server; content:"GET"; http_method; content:" OR sqlspider"; http_uri; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:2;)
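Review bot: the two Nmap Scripting Engine rules (sid:2009359 and sid:2009358) match the User-Agent with a raw `content:"|0d 0a|User-Agent|3a| ..."` rather than the normalized `http_user_agent` buffer that the other HTTP rules in this commit use (for example the mobile malware checkin rules), and only one of the pair carries `nocase`; suggest `content:"Nmap NSE"; http_user_agent;` and `content:"Nmap Scripting Engine"; http_user_agent; nocase;` so both match the normalized header consistently. Also worth a comment in the file: every scan rule here is `any any -> any any`, so they fire on outbound scans from $HOME_NET as well as inbound ones, which is fine for a lab ruleset but should be stated as intentional.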

@ -0,0 +1,12 @@
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Flashback.K/I reporting successful infection"; flow:established,to_server; content:"/stat_d/"; http_uri; pcre:"/\/stat_d\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:20145229; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I reporting successful infection 2"; flow:established,to_server; content:"/stat_u/"; http_uri; pcre:"/\/stat_u\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:20145239; rev:3;)
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Flashback.K/I reporting failed infection"; flow:established,to_server; content:"/stat_n/"; http_uri; pcre:"/\/stat_n\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:20145249; rev:4;)
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Flashback.K first execution checkin"; flow:established,to_server; content:"/stat_svc/"; http_uri; pcre:"/\/stat_svc\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:20145259; rev:4;)
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Flashback.K/I User-Agent"; flow:established,to_server; content:" WOW64|3b| rv|3a|9.0.1|3b| sv|3a|"; http_header; content:" id|3a|"; http_header; within:6; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; classtype:trojan-activity; sid:20145349; rev:4;)
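Review bot: the sids in this hunk (20145229, 20145239, 20145249, 20145259, 20145349) are eight digits and fall outside the 2000000 through 2799999 Emerging Threats range that the license header in the next file declares; they read like seven-digit ET sids with a stray trailing 9, and they will collide with nothing today but are not the upstream identifiers, so either restore the original sids or document that they were deliberately renumbered. Separately, sid:20145239 is written as `alert tcp ... $HTTP_PORTS` while its siblings use `alert http`; suggest aligning it with the others for consistency.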

@ -0,0 +1,772 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2014, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3.
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009246; classtype:shellcode-detect; sid:2009246; rev:3;)
#by Jaime Blasco
#
alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; sid:2009285; rev:2;)
#by Jaime Blasco
#
alert tcp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009247; classtype:shellcode-detect; sid:2009247; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009284; classtype:shellcode-detect; sid:2009284; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009248; classtype:shellcode-detect; sid:2009248; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009283; classtype:shellcode-detect; sid:2009283; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009249; classtype:shellcode-detect; sid:2009249; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009282; classtype:shellcode-detect; sid:2009282; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009250; classtype:shellcode-detect; sid:2009250; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009281; classtype:shellcode-detect; sid:2009281; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009251; classtype:shellcode-detect; sid:2009251; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009280; classtype:shellcode-detect; sid:2009280; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009252; classtype:shellcode-detect; sid:2009252; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009279; classtype:shellcode-detect; sid:2009279; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009253; classtype:shellcode-detect; sid:2009253; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009278; classtype:shellcode-detect; sid:2009278; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009254; classtype:shellcode-detect; sid:2009254; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009277; classtype:shellcode-detect; sid:2009277; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009255; classtype:shellcode-detect; sid:2009255; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009276; classtype:shellcode-detect; sid:2009276; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009256; classtype:shellcode-detect; sid:2009256; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009275; classtype:shellcode-detect; sid:2009275; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009257; classtype:shellcode-detect; sid:2009257; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009274; classtype:shellcode-detect; sid:2009274; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009258; classtype:shellcode-detect; sid:2009258; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009273; classtype:shellcode-detect; sid:2009273; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009259; classtype:shellcode-detect; sid:2009259; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009272; classtype:shellcode-detect; sid:2009272; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009260; classtype:shellcode-detect; sid:2009260; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009271; classtype:shellcode-detect; sid:2009271; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009261; classtype:shellcode-detect; sid:2009261; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009270; classtype:shellcode-detect; sid:2009270; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009262; classtype:shellcode-detect; sid:2009262; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009269; classtype:shellcode-detect; sid:2009269; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009263; classtype:shellcode-detect; sid:2009263; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009268; classtype:shellcode-detect; sid:2009268; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009264; classtype:shellcode-detect; sid:2009264; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009267; classtype:shellcode-detect; sid:2009267; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009265; classtype:shellcode-detect; sid:2009265; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009266; classtype:shellcode-detect; sid:2009266; rev:2;)
#by Anonymous Researchers(tm)
#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
#High load. Enable these only if you need them.
#
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:2; content:!"|0A|"; within:2; content:!"|20|"; within:2; pcre:"/(%U([0-9a-f]{2})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; classtype:trojan-activity; sid:2003173; rev:7;)
#by Anonymous Researchers(tm)
#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
#High load. Enable these only if you need them.
#
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:4; content:!"|0A|"; within:4; content:!"|20|"; within:4; pcre:"/(%U([0-9a-f]{4})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; classtype:trojan-activity; sid:2003174; rev:8;)
#by Alejandro Gramajo
##############################################################################
#x86 Pex Variable Length Fnstenv/mov/sub Double Word Xor Encoder
#D9 EE fldz
#D9 74 24 F4 fnstenv [esp - 12]
#5B pop ebx
#81 73 13 xorkey xor_xor: xor DWORD [ebx + 22], xorkey
#83 EB FC sub ebx,-4
#E2 F4 loop xor_xor
#Real traffic dump
#Content1
#98 49 F8 27 91 2F 27 48 4F 4E 6A 12 59 <D9 EE D9 .I.'./'HONj.Y...
#74 24 F4 5B 81 73 13> 2E D6 9A FE <83 EB FC E2 F4> t$.[.s..........
#Xorkey Content2
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexFnstenvMov/Sub Encoder"; flow:established; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; classtype:shellcode-detect; sid:2002903; rev:5;)
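# Added example (not part of the ET ruleset or of Snort/Suricata): a small
# Python reimplementation of the content / distance / within keywords used by
# the rule above, run over the annotated traffic dump. It shows why the rule
# matches the fixed prologue and the fixed sub/loop tail as two contents and
# skips the per-sample 4-byte xorkey with distance:4 instead of matching on it.
# The payload bytes are transcribed from the dump above; SHORT_KEY, LONG_KEY
# and the function names are constructed for this example.

```python
"""Snort/Suricata content matching for sid:2002903 (x86 PexFnstenvMov/Sub
decoder stub), as an added example: a minimal reimplementation of the
content / distance / within keywords, run over a copy of the traffic dump
annotated in the rule file. Not part of the ET ruleset or of Snort itself."""

# Payload transcribed from the "Real traffic dump" comment: 13 bytes of
# unrelated data, the fixed 10-byte decoder prologue, the 4-byte xorkey that
# differs per sample, then the fixed sub/loop tail.
DUMP = bytes.fromhex(
    "98 49 F8 27 91 2F 27 48 4F 4E 6A 12 59 "  # preceding bytes
    "D9 EE D9 74 24 F4 5B 81 73 13 "           # fldz; fnstenv [esp-12]; pop ebx; xor dword [ebx+22],
    "2E D6 9A FE "                             # xorkey immediate (varies per sample)
    "83 EB FC E2 F4"                           # sub ebx,-4; loop xor_xor
)

# The two content keywords and their modifiers, transcribed from the rule.
CONTENT1 = bytes.fromhex("D9 EE D9 74 24 F4 5B 81 73 13")
CONTENT2 = bytes.fromhex("83 EB FC E2 F4")
DISTANCE = 4
WITHIN = 5

# Constructed negatives: a key that is not exactly 4 bytes moves the tail out
# of the window the rule opens, so the rule does not fire on them.
SHORT_KEY = DUMP[:23] + b"\x2e\xd6\x9a" + DUMP[27:]
LONG_KEY = DUMP[:23] + b"\x2e\xd6\x9a\xfe\x00" + DUMP[27:]


def match_relative(payload, pattern, cursor, distance=0, within=None):
    """Search for pattern relative to cursor (the end of the previous match).

    distance: the search starts `distance` bytes after the cursor.
    within:   the match must end no later than `distance + within` bytes
              after the cursor; within is a depth on the window that
              distance opens, which is how Snort 2 and Suricata evaluate
              the pair.
    Returns the offset just past the match, or -1 when there is none.
    """
    start = cursor + distance
    end = len(payload) if within is None else start + within
    idx = payload.find(pattern, start, end)
    return -1 if idx < 0 else idx + len(pattern)


def find_stub(payload):
    """Return (offset of the stub, xorkey bytes) for the first decoder stub
    that satisfies both content keywords of sid:2002903, or None.
    The xorkey is the analyst's starting point when triaging the alert."""
    cursor = 0
    while True:
        cursor = match_relative(payload, CONTENT1, cursor)
        if cursor < 0:
            return None
        if match_relative(payload, CONTENT2, cursor, DISTANCE, WITHIN) >= 0:
            return cursor - len(CONTENT1), payload[cursor:cursor + DISTANCE]
        # content1 matched but the tail did not follow at the expected spot;
        # like the engines, retry from the next occurrence of content1.


def sid_2002903_matches(payload):
    """True when the payload would trigger sid:2002903."""
    return find_stub(payload) is not None


if __name__ == "__main__":
    print("dump matches:", sid_2002903_matches(DUMP))            # True
    print("stub offset, xorkey:", find_stub(DUMP))               # (13, b'.\xd6\x9a\xfe')
    print("3-byte key matches:", sid_2002903_matches(SHORT_KEY)) # False
    print("5-byte key matches:", sid_2002903_matches(LONG_KEY))  # False
```

# The tight distance:4 / within:5 pair is what keeps this rule quiet on
# unrelated traffic: the tail must start exactly where the 4-byte key ends,
# so neither a shorter nor a longer immediate satisfies it.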
##############################################################################
#x86 Skylined's Alpha2 Alphanumeric Encoder
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Alpha2 GetEIPs Encoder"; flow:established; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; classtype:shellcode-detect; sid:2002904; rev:5;)
##############################################################################
#x86 Call $+4 countdown xor encoder
#E8 FF FF FF call $+4
#FF C1 inc ecx
#5E pop esi
#30 4C 0E 07 xor_xor: xor [esi + ecx + 0x07], cl
#E2 FA loop xor_xor
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Countdown Encoder"; flow:established; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002905; classtype:shellcode-detect; sid:2002905; rev:5;)
##############################################################################
#x86 Pex Alphanumeric Encoder
#VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089 win32getpc
#?? JJJJJ ?? baseaddr
#VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM decoder
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexAlphaNum Encoder"; flow:established; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; reference:url,doc.emergingthreats.net/bin/view/Main/2002906; classtype:shellcode-detect; sid:2002906; rev:5;)
##############################################################################
#x86 Pex Call $+4 Double Word Xor Encoder
#E8 FF FF FF call $+4
#FF C0 inc eax
#5E pop esi
#81 76 0E xorkey xor_xor: xor [esi + 0x0e], xorkey
#83 EE FC sub esi, -4
#E2 F4 loop xor_xor
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 PexCall Encoder"; flow:established; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|83 EE FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002907; classtype:shellcode-detect; sid:2002907; rev:5;)
##############################################################################
#x86 IA32 Jmp/Call XOR Additive Feedback Decoder
#FC cld
#BB key mov ebx, key
#EB 0C jmp short 0x14
#5E pop esi
#56 push esi
#31 1E xor [esi], ebx
#AD lodsd
#01 C3 add ebx, eax
#85 C0 test eax, eax
#75 F7 jnz 0xa
#C3 ret
#E8 EF FF FF FF call 0x8
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 JmpCallAdditive Encoder"; flow:established; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; classtype:shellcode-detect; sid:2002908; rev:5;)
#Metasploit BSD shellcode detect rules by h0f - Jennylab
#Alberto Garcia de Dios
#albertogdedios@andaluciajunta.es
#http://www.jennylab.org
#####
#METASPLOIT SHELLCODE RULES
#####
#BSD METASPLOIT RULES
#### BSD BIND SHELL #######
#BSD Bind Shell - ENCODE: PexFnstenvSub
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010383; classtype:shellcode-detect; sid:2010383; rev:2;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; reference:url,doc.emergingthreats.net/2010386; classtype:shellcode-detect; sid:2010386; rev:3;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4)"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a 2a cc a5|"; reference:url,doc.emergingthreats.net/2010387; classtype:shellcode-detect; sid:2010387; rev:3;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5)"; content:"|17 1c 1a 19 fb 77 80 ce|"; reference:url,doc.emergingthreats.net/2010388; classtype:shellcode-detect; sid:2010388; rev:3;)
#BSD Bind Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1)"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010389; classtype:shellcode-detect; sid:2010389; rev:3;)
#BSD Bind Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010390; classtype:shellcode-detect; sid:2010390; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1)"; content:"|6a 61 58 99 52 68 10 02|"; reference:url,doc.emergingthreats.net/2010391; classtype:shellcode-detect; sid:2010391; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2)"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a 68 58 cd|"; reference:url,doc.emergingthreats.net/2010392; classtype:shellcode-detect; sid:2010392; rev:2;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3)"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a 5a 58 51|"; reference:url,doc.emergingthreats.net/2010393; classtype:shellcode-detect; sid:2010393; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4)"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|"; reference:url,doc.emergingthreats.net/2010394; classtype:shellcode-detect; sid:2010394; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)"; content:"|50 54 53 53 b0 3b cd 80|"; reference:url,doc.emergingthreats.net/2010395; classtype:shellcode-detect; sid:2010395; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49 51 5a 56|"; reference:url,doc.emergingthreats.net/2010396; classtype:shellcode-detect; sid:2010396; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33 30 42 43|"; reference:url,doc.emergingthreats.net/2010397; classtype:shellcode-detect; sid:2010397; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010398; classtype:shellcode-detect; sid:2010398; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; reference:url,doc.emergingthreats.net/2010399; classtype:shellcode-detect; sid:2010399; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)"; content:"|41 4e 44 35 44 34 44|"; reference:url,doc.emergingthreats.net/2010400; classtype:shellcode-detect; sid:2010400; rev:3;)
#BSD Bind Shell - ENCODE: PexFstEnvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010401; classtype:shellcode-detect; sid:2010401; rev:3;)
#BSD Bind Shell - ENCODE: PexFstEnvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010402; classtype:shellcode-detect; sid:2010402; rev:3;)
#BSD Bind Shell - ENCODE: JmpCallAdditive
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010403; classtype:shellcode-detect; sid:2010403; rev:3;)
#BSD Bind Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49 49 49 49|"; reference:url,doc.emergingthreats.net/2010404; classtype:shellcode-detect; sid:2010404; rev:3;)
#BSD Bind Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2)"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|"; reference:url,doc.emergingthreats.net/2010405; classtype:shellcode-detect; sid:2010405; rev:3;)
#BSD Bind Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3)"; content:"|49 72 4e 4e 69 6b 53|"; reference:url,doc.emergingthreats.net/2010406; classtype:shellcode-detect; sid:2010406; rev:3;)
#BSD Reverse Shell - ENCODE: PexFnstenvSub
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010407; classtype:shellcode-detect; sid:2010407; rev:3;)
#### EOF BSD BIND SHELL ######
### BSD REVERSE SHELL #######
#BSD Reverse Shell - ENCODE: PexFnstenvSub
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010408; classtype:shellcode-detect; sid:2010408; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1)"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|"; reference:url,doc.emergingthreats.net/2010409; classtype:shellcode-detect; sid:2010409; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2)"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c 96 7d 79 7e|"; reference:url,doc.emergingthreats.net/2010410; classtype:shellcode-detect; sid:2010410; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3)"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50 54 b2 df 6d|"; reference:url,doc.emergingthreats.net/2010411; classtype:shellcode-detect; sid:2010411; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4)"; content:"|57 44 55 4a 5b 62|"; reference:url,doc.emergingthreats.net/2010412; classtype:shellcode-detect; sid:2010412; rev:3;)
#BSD Reverse Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1)"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010413; classtype:shellcode-detect; sid:2010413; rev:3;)
#BSD Reverse Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010414; classtype:shellcode-detect; sid:2010414; rev:3;)
#BSD Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1)"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50|"; reference:url,doc.emergingthreats.net/2010415; classtype:shellcode-detect; sid:2010415; rev:3;)
#BSD Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2)"; content:"|6a 61 58 99 52 42 52 42 52 68|"; reference:url,doc.emergingthreats.net/2010416; classtype:shellcode-detect; sid:2010416; rev:3;)
#BSD Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3)"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59 b0 5a 51 57|"; reference:url,doc.emergingthreats.net/2010417; classtype:shellcode-detect; sid:2010417; rev:3;)
#BSD Reverse Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f 49 38 41 4e|"; reference:url,doc.emergingthreats.net/2010418; classtype:shellcode-detect; sid:2010418; rev:3;)
#BSD Reverse Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56 4a 35 4d 4c|"; reference:url,doc.emergingthreats.net/2010419; classtype:shellcode-detect; sid:2010419; rev:3;)
#BSD Reverse Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010420; classtype:shellcode-detect; sid:2010420; rev:3;)
#BSD Reverse Shell - ENCODE: PexFnstenvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010421; classtype:shellcode-detect; sid:2010421; rev:3;)
#BSD Reverse Shell - ENCODE: PexFnstenvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010422; classtype:shellcode-detect; sid:2010422; rev:3;)
#BSD Reverse Shell - ENCODE: JmpCallAdditive
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010423; classtype:shellcode-detect; sid:2010423; rev:2;)
#BSD Reverse Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)"; content:"|49 49 49 49 49 49 49 51 5a 6a|"; reference:url,doc.emergingthreats.net/2010424; classtype:shellcode-detect; sid:2010424; rev:2;)
#BSD Reverse Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)"; content:"|58 50 30 42 31 41 42 6b 42 41|"; reference:url,doc.emergingthreats.net/2010425; classtype:shellcode-detect; sid:2010425; rev:2;)
#BSD Reverse Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|"; reference:url,doc.emergingthreats.net/2010426; classtype:shellcode-detect; sid:2010426; rev:2;)
##### EOF BSD Reverse Shell#####
##### BSD SPARC Bind Shell #########
#BSD SPARC Bind Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010427; classtype:shellcode-detect; sid:2010427; rev:2;)
#BSD SPARC Bind Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010428; classtype:shellcode-detect; sid:2010428; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1)"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20 10 82 10 20 68|"; reference:url,doc.emergingthreats.net/2010429; classtype:shellcode-detect; sid:2010429; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20 6a 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010430; classtype:shellcode-detect; sid:2010430; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3)"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20 1e 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010431; classtype:shellcode-detect; sid:2010431; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4)"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf f0 d0 23 bf f8|"; reference:url,doc.emergingthreats.net/2010432; classtype:shellcode-detect; sid:2010432; rev:2;)
#### EOF BSD SPARC Bind Shell #########
### BSD SPARC Reverse Shell ########
#BSD SPARC Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10 20 02 82 10 20 61|"; reference:url,doc.emergingthreats.net/2010433; classtype:shellcode-detect; sid:2010433; rev:2;)
#BSD SPARC Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82 10 20 5a|"; reference:url,doc.emergingthreats.net/2010434; classtype:shellcode-detect; sid:2010434; rev:2;)
#BSD SPARC Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|"; reference:url,doc.emergingthreats.net/2010437; classtype:shellcode-detect; sid:2010437; rev:2;)
#BSD SPARC Reverse Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010435; classtype:shellcode-detect; sid:2010435; rev:2;)
#BSD SPARC Reverse Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010436; classtype:shellcode-detect; sid:2010436; rev:2;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:2100640; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:8;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:10;)
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2102313; rev:3;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2102312; rev:3;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2102314; rev:3;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:653; rev:9;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern:only; classtype:shellcode-detect; sid:2101424; rev:8;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:6;)
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:9;)
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:9;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:9;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7;)
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2100691; rev:7;)
#
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012087; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012089; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012090; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012091; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012092; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012093; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:4;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:4;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode"; flow:established,to_client; content:"writeByte(0x"; nocase; pcre:"/writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}/smi"; reference:url,blog.fireeye.com/research/2009/07/actionscript_heap_spray.html; classtype:shellcode-detect; sid:2012120; rev:2;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:4;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012252; rev:3;)
#
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:2;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:3;)
#
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:2;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:3;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012534; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; classtype:shellcode-detect; sid:2012962; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; classtype:shellcode-detect; sid:2012963; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; classtype:shellcode-detect; sid:2012964; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; classtype:shellcode-detect; sid:2012965; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern:only; classtype:shellcode-detect; sid:2013145; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013146; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013147; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"heap|2E|"; nocase; fast_pattern:only; pcre:"/var\x20[^\n\r]*\x3D[^\n\r]*heap\x2E/smi"; classtype:shellcode-detect; sid:2013148; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; file_data; content:"|5C|x0a|5C|x0a|5C|x0a|5C|x0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013267; rev:4;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; pcre:"/u0[a-d]u0[a-d]u0[a-d]u0[a-d]/smi"; classtype:shellcode-detect; sid:2013319; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:3; within:2; pcre:"/u0[a-d]0[a-d]u0[a-d]0[a-d]/smi"; classtype:shellcode-detect; sid:2013320; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; classtype:bad-unknown; sid:2016715; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4;)
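Review bot: this whole file is a vendored snapshot of the Emerging Threats shellcode ruleset (revs 2 to 4, references from 2010 to 2013), so every rule here will silently go stale and any local edit will be lost on the next copy; prefer pulling ET Open with a rule manager (suricata-update or equivalent) at a pinned version and keeping only site-specific overrides in local.rules. If the snapshot stays, two things deserve attention before it is enabled on production traffic: sid 2012089 is a udp rule whose msg reads "ET SHELLCODE Possible Call with No Offset TCP Shellcode", copied from its TCP sibling 2012088, which makes alerts confusing to triage; and the short-literal heap-spray signatures (2012962 to 2012965 match the bare strings "0x0a0a0a0a" through "0x0d0d0d0d" with nocase anywhere in an HTTP response, 2013145 matches "%41%41%41%41") fire on any page that happens to contain those strings. Upstream has already commented out several siblings in this file (2012253, 2012256, 2013148), which is a hint that the remaining ones should be measured for false positives and thresholded or disabled per site.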

View file

@ -0,0 +1,90 @@
#!/bin/bash
#
# Init file for suricata
#
#
# chkconfig: 345 52 48
# description: Network Intrusion Detection System
#
# processname: Suricata
# pidfile: /var/run/suricata.pid
source /etc/rc.d/init.d/functions
### Read configuration
[ -r "$SYSCONFIG" ] && source "$SYSCONFIG"
RETVAL=0
prog="suricata"
desc="Suricata IDS"
start() {
# Make sure the interfaces are up, or suricata won't start.
for interface in <% @interface.each do |int| -%><%= int %> <% end -%>
do
/sbin/ifconfig $interface up
done
echo -n $"Starting $desc ($prog): "
daemon "suricata -D -c /etc/suricata/suricata.yaml <% @interface.each do |int| -%> -i <%= int %> <% end -%> >> /var/log/suricata/suricata.log"
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
return $RETVAL
}
stop() {
echo -n $"Shutting down $desc ($prog): "
killproc $prog
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
return $RETVAL
}
restart() {
stop
start
}
reload() {
echo "Checking config before restarting"
suricata -T -c /etc/suricata/suricata.yaml >/dev/null 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ]
then
kill -USR2 $(cat /var/run/suricata.pid)
else
echo "Config broken, not reloading"
fi
return $RETVAL
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
reload)
reload
;;
condrestart)
[ -e /var/lock/subsys/$prog ] && restart
RETVAL=$?
;;
status)
status $prog
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
RETVAL=1
esac
exit $RETVAL
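Review bot: `$SYSCONFIG` is never assigned, so `[ -r "$SYSCONFIG" ] && source "$SYSCONFIG"` tests an empty string and the sysconfig file is never read; add `SYSCONFIG=/etc/sysconfig/suricata` above that line (or drop the line) so operators can actually override options without editing the template. The ERB loop also iterates `@interface` here while the suricata.yaml template in this same commit reads `@pcapinterface` for its pfring and pcap capture sections, so the two templates will not agree on which interface is monitored unless both attributes are set identically; pick one attribute name for the cookbook. Smaller points: `/sbin/ifconfig $interface up` should be `ip link set "$interface" up` on current RHEL-family hosts where net-tools is not installed, and `$(cat /var/run/suricata.pid)` in reload() should guard against a missing pid file rather than passing an empty argument to kill. The reload() path itself is right: it runs `suricata -T` before signalling, and USR2 is the signal Suricata uses for live rule reload.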

View file

@ -0,0 +1,12 @@
[Unit]
Description=Open Source Next Generation Intrusion Detection and Prevention Engine
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml <% @interface.each do |int| -%> -i <%= int %> <% end -%>
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill $MAINPID
[Install]
WantedBy=multi-user.target
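Review bot: `ExecReload=/bin/kill -HUP $MAINPID` does not reload rules; Suricata treats SIGHUP as a request to reopen its log files (log rotation), while live rule reload is SIGUSR2, which is also what the init script's reload() in this commit sends. Use `ExecReload=/bin/kill -USR2 $MAINPID`, or mirror the init script's config check with `ExecReload=/bin/sh -c '/usr/bin/suricata -T -c /etc/suricata/suricata.yaml && /bin/kill -USR2 $MAINPID'` so a broken ruleset is rejected instead of taking the sensor down. While here: add `Restart=on-failure` so a crashed sensor comes back, consider an `ExecStartPre=/usr/bin/suricata -T -c /etc/suricata/suricata.yaml` config test, drop `syslog.target` from `After=` (it is obsolete under systemd), and `ExecStop=/bin/kill $MAINPID` can go since systemd already sends SIGTERM to the main process by default.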

View file

@ -0,0 +1,313 @@
%YAML 1.1
---
default-log-dir: /var/log/suricata/
unix-command:
enabled: no
run-as:
user: suricata
group: suricata
outputs:
- fast:
enabled: yes
filename: fast.log
append: yes
- unified2-alert:
enabled: no
filename: unified2.alert
- http-log:
enabled: no
filename: http.log
append: yes
- tls-log:
enabled: no # Log TLS connections.
filename: tls.log # File to store TLS logs.
certs-log-dir: certs # directory to store the certificates files
- pcap-info:
enabled: no
- pcap-log:
enabled: no
filename: log.pcap
limit: 1000mb
max-files: 2000
mode: normal # normal or sguil.
use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
- alert-debug:
enabled: no
filename: alert-debug.log
append: yes
- alert-prelude:
enabled: no
profile: suricata
log-packet-content: no
log-packet-header: yes
- stats:
enabled: no
filename: stats.log
interval: 8
- syslog:
enabled: no
facility: local5
- drop:
enabled: no
filename: drop.log
append: yes
- file-store:
enabled: no # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
force-md5: no # force logging of md5 checksums
- file-log:
enabled: no
filename: files-json.log
append: yes
force-magic: no # force logging magic on all logged files
force-md5: no # force logging of md5 checksums
magic-file: /usr/share/file/magic
nfq:
af-packet:
threshold-file: /etc/suricata/threshold.config
detect-engine:
- profile: medium
- custom-values:
toclient-src-groups: 2
toclient-dst-groups: 2
toclient-sp-groups: 2
toclient-dp-groups: 3
toserver-src-groups: 2
toserver-dst-groups: 4
toserver-sp-groups: 2
toserver-dp-groups: 25
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
threading:
set-cpu-affinity: no
cpu-affinity:
- management-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
- receive-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
- decode-cpu-set:
cpu: [ 0, 1 ]
mode: "balanced"
- stream-cpu-set:
cpu: [ "0-1" ]
- detect-cpu-set:
cpu: [ "all" ]
mode: "exclusive" # run detect threads in these cpus
prio:
low: [ 0 ]
medium: [ "1-2" ]
high: [ 3 ]
default: "medium"
- verdict-cpu-set:
cpu: [ 0 ]
prio:
default: "high"
- reject-cpu-set:
cpu: [ 0 ]
prio:
default: "low"
- output-cpu-set:
cpu: [ "all" ]
prio:
default: "medium"
detect-thread-ratio: 1.5
cuda:
- mpm:
packet-buffer-limit: 2400
packet-size-limit: 1500
packet-buffers: 10
batching-timeout: 1
page-locked: enabled
device-id: 0
cuda-streams: 2
mpm-algo: ac
pattern-matcher:
- b2gc:
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b2gm:
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b2g:
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b3g:
search-algo: B3gSearchBNDMq
hash-size: low
bf-size: medium
- wumanber:
hash-size: low
bf-size: medium
defrag:
memcap: 32mb
hash-size: 65536
trackers: 65535 # number of defragmented flows to follow
max-frags: 65535 # number of fragments to keep (higher than trackers)
prealloc: yes
timeout: 60
flow:
memcap: 32mb
hash-size: 65536
prealloc: 10000
emergency-recovery: 30
flow-timeouts:
default:
new: 30
established: 300
closed: 0
emergency-new: 10
emergency-established: 100
emergency-closed: 0
tcp:
new: 60
established: 3600
closed: 120
emergency-new: 10
emergency-established: 300
emergency-closed: 20
udp:
new: 30
established: 300
emergency-new: 10
emergency-established: 100
icmp:
new: 30
established: 300
emergency-new: 10
emergency-established: 100
stream:
memcap: 32mb
checksum-validation: yes # reject wrong csums
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
reassembly:
memcap: 64mb
depth: 1mb # reassemble 1mb into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
host:
hash-size: 4096
prealloc: 1000
memcap: 16777216
logging:
default-log-level: info
default-output-filter:
outputs:
- console:
enabled: yes
- file:
enabled: no
filename: /var/log/suricata.log
- syslog:
enabled: no
facility: local5
pfring:
- interface: <%= @pcapinterface %>
threads: 1
cluster-id: 99
cluster-type: cluster_flow
- interface: default
pcap:
- interface: <%= @pcapinterface %>
- interface: default
ipfw:
default-rule-path: /etc/suricata/rules/
rule-files:
- local.rules
- tor.rules
- emerging-shellcode.rules
- dshield.rules
- compromised.rules
- dshield.rules
- mobilemalware.rules
- nmap.rules
- shellcode.rules
- osxmalware.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
vars:
address-groups:
HOME_NET: "[10.0.0.0/8,172.16.0.0/12]"
port-groups:
HTTP_PORTS: "80"
action-order:
- pass
- drop
- reject
- alert
host-os-policy:
windows: [0.0.0.0/0]
bsd: []
bsd-right: []
old-linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
old-solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []
asn1-max-frames: 256
engine-analysis:
rules-fast-pattern: yes
rules: yes
pcre:
match-limit: 3500
match-limit-recursion: 1500
libhtp:
default-config:
personality: IDS
request-body-limit: 3072
response-body-limit: 3072
request-body-minimal-inspect-size: 32kb
request-body-inspect-window: 4kb
response-body-minimal-inspect-size: 32kb
response-body-inspect-window: 4kb
double-decode-path: no
double-decode-query: no
server-config:
- apache:
address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
personality: Apache_2_2
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
- iis7:
address:
- 192.168.0.0/24
- 192.168.10.0/24
personality: IIS_7_0
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
profiling:
rules:
enabled: yes
filename: rule_perf.log
append: yes
sort: avgticks
limit: 100
packets:
enabled: yes
filename: packet_stats.log
append: yes
csv:
enabled: no
filename: packet_stats.csv
locks:
enabled: no
filename: lock_stats.log
append: yes
coredump:
max-dump: unlimited
napatech:
hba: -1
use-all-streams: yes
streams: [1, 2, 3]
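Review bot: `vars.address-groups` defines only `HOME_NET`, but the emerging-shellcode.rules file added in this same commit uses `$EXTERNAL_NET` in every rule, and Suricata refuses to load a rule that references an undefined variable, so the whole shellcode file fails at startup; add `EXTERNAL_NET: "!$HOME_NET"` (and the other standard groups such as `DNS_SERVERS`, `SMTP_SERVERS`, `HTTP_SERVERS` if more ET categories are added later). `HOME_NET` also omits 192.168.0.0/16 even though `host-os-policy` and the libhtp `server-config` entries below describe 192.168.x hosts, so traffic to those servers would be classified as external. In `rule-files`, `dshield.rules` is listed twice, which produces duplicate-signature warnings for every sid in it; remove one entry. The vendored `tor.rules` is a snapshot of exit-node IPs ("VERSION 3093", "Updated 2017-09-22") that upstream regenerates daily, so it will be wrong within days; fetch it through a rule manager rather than committing it. Other points: `HTTP_PORTS: "80"` is far narrower than the Suricata default and means no HTTP rule will see traffic on 8080 or similar ports; the pfring and pcap sections use `@pcapinterface` while the init and systemd templates use `@interface`; `profiling.rules` and `profiling.packets` are both `enabled: yes`, which adds per-rule accounting overhead on builds compiled with profiling and should be off outside of tuning; and `unix-command.enabled: no` prevents using `suricatasc` for reload and stats, which is the cleaner alternative to signalling the pid.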

View file

@ -0,0 +1,775 @@
#
# Emerging Threats Tor rules.
#
# These will tell you if someone using Tor for source anonymization is communicating with your network.
#
# Tor in itself isn't inherently hostile. In many environments that may be a very suspicious way
# to communicate.
#
# More information available at doc.emergingthreats.net/bin/view/Main/TorRules
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# VERSION 3093
# Updated 2017-09-22 00:30:01
alert ip [103.234.220.197,103.236.201.110,103.236.201.57,103.27.124.82,103.29.70.23,103.35.74.75,103.35.74.77,103.3.61.114,103.56.207.84,103.8.79.229] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520000; rev:3093;)
alert ip [104.192.0.50,104.200.20.46,104.218.63.73,104.218.63.74,104.218.63.75,104.218.63.76,104.223.123.100,104.223.123.101,104.223.123.98,104.223.123.99] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520002; rev:3093;)
alert ip [104.236.141.156,104.237.203.98,104.244.74.78,106.187.37.101,107.181.174.84,107.189.49.130,109.126.9.228,109.169.33.163,109.201.133.100,109.69.67.17] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520004; rev:3093;)
alert ip [1.161.250.166,118.163.74.160,120.29.217.46,124.109.1.207,125.212.241.182,126.72.58.19,128.199.47.160,128.52.128.105,128.70.19.225,130.204.161.3] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520006; rev:3093;)
alert ip [131.111.179.83,133.218.187.161,137.74.167.96,137.74.169.241,137.74.73.179,13.79.231.167,138.197.207.243,138.197.216.132,138.197.4.77,138.197.85.80] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520008; rev:3093;)
alert ip [138.68.40.100,139.162.105.26,139.162.10.72,139.162.16.13,139.162.226.245,139.162.28.23,139.162.28.31,139.59.62.94,141.138.141.208,141.170.2.53] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 6"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520010; rev:3093;)
alert ip [141.255.189.161,14.202.230.49,142.4.211.161,142.44.156.140,142.44.166.241,143.106.60.70,144.217.161.119,144.217.167.240,144.217.240.34,144.217.60.211] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 7"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520012; rev:3093;)
alert ip [144.217.60.239,144.217.94.195,144.217.94.96,145.239.29.201,145.239.74.47,145.239.82.79,146.0.79.144,146.185.177.103,147.135.156.122,148.251.43.239] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 8"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520014; rev:3093;)
alert ip [149.202.185.34,149.202.238.204,149.56.106.210,149.56.201.79,149.56.223.240,151.80.238.152,151.80.38.67,154.127.60.92,154.16.149.35,154.16.149.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 9"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520016; rev:3093;)
alert ip [155.133.82.112,155.4.250.85,156.67.106.251,156.67.106.30,156.67.106.32,158.255.6.242,158.69.215.7,158.69.83.25,162.213.0.243,162.220.246.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 10"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520018; rev:3093;)
alert ip [162.221.201.57,162.243.166.137,162.247.72.199,162.247.72.200,162.247.72.201,162.247.72.202,162.247.72.213,162.247.72.216,162.247.72.217,162.247.72.7] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 11"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520020; rev:3093;)
alert ip [162.247.73.204,162.247.73.206,163.172.101.137,163.172.136.101,163.172.137.222,163.172.138.11,163.172.139.161,163.172.140.123,163.172.151.250,163.172.151.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 12"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520022; rev:3093;)
alert ip [163.172.160.182,163.172.162.106,163.172.163.85,163.172.170.212,163.172.171.163,163.172.179.129,163.172.212.115,163.172.217.50,163.172.223.200,163.172.223.87] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 13"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520024; rev:3093;)
alert ip [163.172.67.180,164.132.106.162,164.132.51.91,164.77.133.220,165.255.108.14,166.70.207.2,167.114.251.167,167.114.34.150,167.114.89.195,167.160.84.183] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 14"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520026; rev:3093;)
alert ip [169.239.183.210,170.250.140.52,171.25.193.20,171.25.193.235,171.25.193.25,171.25.193.77,171.25.193.78,172.104.146.56,172.104.148.28,172.104.180.171] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 15"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520028; rev:3093;)
alert ip [172.104.187.79,172.104.41.83,172.98.193.43,173.14.173.227,173.208.153.75,173.254.216.66,173.254.216.67,173.254.216.68,173.254.216.69,173.255.226.142] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520030; rev:3093;)
alert ip [173.255.229.8,173.255.231.125,173.255.253.173,176.10.104.240,176.10.104.243,176.10.107.180,176.10.99.200,176.10.99.201,176.10.99.202,176.10.99.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520032; rev:3093;)
alert ip [176.10.99.204,176.10.99.205,176.10.99.206,176.10.99.207,176.10.99.208,176.10.99.209,176.121.10.44,176.121.10.52,176.126.252.11,176.214.189.247] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520034; rev:3093;)
alert ip [176.31.180.157,176.31.45.3,176.36.117.185,176.38.163.77,176.58.100.98,178.156.202.125,178.17.170.13,178.17.170.135,178.17.170.156,178.17.170.164] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520036; rev:3093;)
alert ip [178.17.170.194,178.17.170.195,178.17.170.196,178.17.171.111,178.17.171.40,178.17.171.43,178.17.171.49,178.17.174.10,178.17.174.14,178.17.174.198] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520038; rev:3093;)
alert ip [178.17.174.32,178.175.131.194,178.18.83.215,178.202.169.177,178.20.55.16,178.20.55.18,178.209.42.84,178.238.237.44,178.32.181.96,178.32.181.97] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520040; rev:3093;)
alert ip [178.32.181.98,178.32.181.99,178.32.53.94,178.62.85.101,178.63.110.151,179.43.146.230,18.248.1.85,18.248.2.85,184.105.220.24,185.100.84.108] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520042; rev:3093;)
alert ip [185.100.84.82,185.100.85.101,185.100.85.112,185.100.85.147,185.100.85.190,185.100.85.192,185.100.85.61,185.100.86.128,185.100.86.141,185.100.86.154] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520044; rev:3093;)
alert ip [185.100.86.167,185.100.86.86,185.100.87.82,185.103.99.60,185.104.120.2,185.104.120.4,185.104.120.7,185.10.68.119,185.10.68.139,185.10.68.191] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520046; rev:3093;)
alert ip [185.107.81.233,185.107.81.234,185.11.167.4,185.11.167.55,185.11.167.56,185.11.167.57,185.11.167.58,185.11.167.59,185.11.167.60,185.112.157.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 25"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520048; rev:3093;)
alert ip [185.112.254.195,185.117.118.234,185.157.232.64,185.159.128.193,185.159.131.99,185.16.200.176,185.163.1.11,185.165.168.229,185.165.168.42,185.165.168.77] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 26"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520050; rev:3093;)
alert ip [185.170.42.18,185.175.208.179,185.175.208.180,185.189.14.230,185.189.14.61,185.34.33.2,185.38.14.171,185.38.14.215,185.61.138.207,185.61.149.193] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 27"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520052; rev:3093;)
alert ip [185.62.57.91,185.65.205.10,185.66.200.10,185.70.11.132,185.72.244.24,185.82.216.233,185.82.216.241,185.86.149.175,185.87.185.45,187.104.48.3] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 28"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520054; rev:3093;)
alert ip [187.20.55.95,188.165.62.9,188.209.52.238,188.226.212.13,18.85.22.204,189.84.21.44,190.10.8.50,191.96.249.110,192.160.102.164,192.160.102.165] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 29"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520056; rev:3093;)
alert ip [192.160.102.166,192.160.102.168,192.160.102.169,192.160.102.170,192.195.80.10,192.34.80.176,192.36.27.4,192.42.116.16,192.81.131.49,193.107.85.56] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 30"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520058; rev:3093;)
alert ip [193.107.85.57,193.107.85.62,193.110.157.151,193.15.16.4,193.164.131.95,193.171.202.146,193.201.225.45,193.233.60.154,193.70.39.41,193.70.89.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 31"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520060; rev:3093;)
alert ip [193.70.89.20,194.218.3.79,194.54.162.212,195.123.212.118,195.123.212.34,195.219.163.68,195.219.166.53,195.22.126.177,195.22.126.178,195.228.45.176] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 32"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520062; rev:3093;)
alert ip [195.254.135.76,196.41.123.180,197.231.221.211,198.167.223.38,198.167.223.50,198.211.103.26,198.211.122.191,198.50.159.204,198.50.200.129,198.50.200.131] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 33"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520064; rev:3093;)
alert ip [198.50.200.134,198.50.200.135,198.50.200.147,198.58.100.240,198.58.107.53,198.73.50.71,198.96.155.3,199.127.226.150,199.249.223.40,199.249.223.60] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 34"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520066; rev:3093;)
alert ip [199.249.223.61,199.249.223.62,199.249.223.63,199.249.223.64,199.249.223.65,199.249.223.66,199.249.223.67,199.249.223.68,199.249.223.69,199.249.223.71] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 35"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520068; rev:3093;)
alert ip [199.249.223.72,199.249.223.73,199.249.223.74,199.249.223.75,199.249.223.76,199.249.223.77,199.249.223.78,199.249.223.79,199.249.223.81,199.249.224.40] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 36"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520070; rev:3093;)
alert ip [199.249.224.41,199.249.224.42,199.249.224.43,199.249.224.44,199.249.224.45,199.249.224.46,199.249.224.47,199.249.224.48,199.249.224.49,199.68.196.124] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 37"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520072; rev:3093;)
alert ip [199.87.154.255,204.11.50.131,204.194.29.4,204.8.156.142,204.85.191.30,204.85.191.31,205.166.94.153,205.168.84.133,206.248.184.127,206.55.74.0] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 38"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520074; rev:3093;)
alert ip [207.244.70.35,208.67.1.79,208.67.1.82,208.67.1.83,209.123.234.23,210.3.102.152,211.21.48.217,212.16.104.33,212.19.17.213,212.21.66.6] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 39"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520076; rev:3093;)
alert ip [212.47.227.114,212.47.229.60,212.47.239.73,212.47.243.140,212.47.246.21,212.81.199.159,212.83.140.95,212.83.40.239,212.92.219.15,213.108.105.71] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 40"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520078; rev:3093;)
alert ip [213.108.105.92,213.136.74.184,213.61.149.125,213.61.149.126,213.95.21.54,216.218.134.12,216.218.222.11,216.218.222.12,216.218.222.13,216.239.90.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 41"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520080; rev:3093;)
alert ip [217.115.10.131,217.170.197.83,217.182.207.27,217.182.74.253,217.182.76.240,217.182.78.177,222.110.3.1,223.26.48.248,23.129.64.11,23.129.64.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 42"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520082; rev:3093;)
alert ip [23.129.64.13,23.129.64.14,23.129.64.15,23.129.64.16,23.129.64.17,23.129.64.18,23.129.64.19,23.129.64.20,23.92.27.23,23.92.28.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 43"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520084; rev:3093;)
alert ip [23.95.70.22,24.207.212.154,2.44.188.87,31.185.104.19,31.185.104.20,31.185.104.21,31.185.27.203,35.184.106.64,36.226.247.96,36.227.172.7] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 44"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520086; rev:3093;)
alert ip [37.139.8.104,37.187.105.104,37.187.53.94,37.187.7.74,37.218.240.21,37.218.240.50,37.218.240.68,37.218.240.80,37.220.35.202,37.220.36.240] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 45"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520088; rev:3093;)
alert ip [37.48.120.196,37.48.120.9,37.59.112.7,37.59.119.196,37.97.228.159,41.206.188.206,41.231.53.101,41.78.128.113,45.33.23.23,45.33.48.204] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 46"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520090; rev:3093;)
alert ip [45.62.236.66,45.62.251.245,45.76.115.159,45.79.137.11,45.79.198.115,45.79.73.22,46.101.127.145,46.101.139.248,46.101.150.49,46.101.164.37] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 47"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520092; rev:3093;)
alert ip [46.165.223.217,46.165.230.5,46.165.254.166,46.17.97.112,46.182.106.190,46.182.18.214,46.182.18.29,46.182.18.40,46.182.18.46,46.182.19.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 48"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520094; rev:3093;)
alert ip [46.182.19.219,46.183.218.199,46.183.221.231,46.194.55.111,46.226.108.26,46.233.0.70,46.235.227.70,46.246.49.91,46.29.248.238,46.45.137.71] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 49"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520096; rev:3093;)
alert ip [46.4.55.177,46.4.81.178,50.247.195.124,50.76.159.218,51.15.134.120,51.15.141.220,51.15.212.104,51.15.34.210,51.15.40.233,51.15.43.205] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 50"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520098; rev:3093;)
alert ip [51.15.43.232,51.15.44.197,51.15.45.97,51.15.46.49,51.15.50.133,51.15.53.118,51.15.53.83,51.15.54.136,51.15.56.11,51.15.57.177] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 51"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520100; rev:3093;)
alert ip [51.15.57.79,51.15.60.255,51.15.60.62,51.15.62.146,51.15.63.229,51.15.63.98,51.15.64.212,51.15.70.13,51.15.70.177,51.15.70.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 52"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520102; rev:3093;)
alert ip [51.15.70.228,51.15.76.81,51.15.79.107,51.15.87.157,51.255.202.66,5.188.11.165,5.189.146.133,5.189.188.111,5.196.0.149,5.196.1.129] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 53"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520104; rev:3093;)
alert ip [5.196.121.161,5.196.66.162,5.199.130.188,52.15.62.13,5.254.112.154,5.254.79.66,5.39.217.14,54.36.81.57,5.56.214.118,5.79.68.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 54"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520106; rev:3093;)
alert ip [59.127.163.155,5.9.158.75,59.177.81.30,5.9.195.140,60.248.162.179,62.102.148.67,62.109.29.199,62.133.130.105,62.141.39.47,62.149.13.57] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 55"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520108; rev:3093;)
alert ip [62.176.4.10,62.198.32.223,62.210.105.116,62.210.105.86,62.210.115.87,62.210.129.246,62.210.149.35,62.210.37.82,62.212.73.141,62.219.3.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 56"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520110; rev:3093;)
alert ip [62.219.3.48,64.113.32.29,64.124.32.84,64.137.162.142,64.137.205.124,64.137.210.30,64.137.210.54,64.137.210.86,64.27.17.140,65.129.144.43] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 57"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520112; rev:3093;)
alert ip [65.181.123.254,65.19.167.130,65.19.167.131,65.19.167.132,66.155.4.213,66.180.193.219,66.70.217.179,67.205.146.164,67.215.255.140,69.164.207.234] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 58"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520114; rev:3093;)
alert ip [71.46.220.68,72.12.207.14,72.14.179.10,72.14.182.209,72.174.26.72,72.52.75.27,72.93.243.211,74.50.54.69,75.54.229.204,77.109.139.87] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 59"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520116; rev:3093;)
alert ip [77.246.163.141,77.247.181.165,77.250.227.12,77.81.107.138,78.107.237.16,78.129.137.28,78.131.53.162,78.13.201.140,78.142.175.70,78.31.164.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 60"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520118; rev:3093;)
alert ip [78.41.115.145,78.45.15.253,78.63.161.0,78.70.167.74,79.137.67.116,79.137.79.167,79.137.80.94,79.169.39.161,80.241.60.207,80.67.172.162] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 61"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520120; rev:3093;)
alert ip [80.79.23.7,80.82.67.186,80.85.84.23,81.171.19.32,82.146.58.35,82.165.100.196,82.211.0.201,82.221.101.67,82.221.112.122,82.221.128.217] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 62"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520122; rev:3093;)
alert ip [82.221.139.25,82.223.27.82,82.247.198.227,83.151.233.181,83.92.47.99,84.0.95.9,84.105.18.164,84.190.180.142,84.19.180.135,84.19.181.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 63"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520124; rev:3093;)
alert ip [84.200.50.18,84.200.82.163,84.209.48.106,84.217.13.138,84.3.0.53,84.48.199.78,84.53.192.243,84.53.225.118,85.119.83.78,85.143.95.50] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 64"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520126; rev:3093;)
alert ip [85.195.107.250,85.248.227.163,85.248.227.164,85.248.227.165,85.90.244.23,85.93.218.204,86.107.110.217,87.118.115.176,87.118.116.12,87.118.116.90] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 65"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520128; rev:3093;)
alert ip [87.118.122.254,87.118.122.30,87.118.122.50,87.118.83.3,87.118.92.43,87.120.254.189,87.120.254.81,87.120.254.92,87.140.25.245,87.81.148.61] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 66"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520130; rev:3093;)
alert ip [87.98.178.61,88.190.118.95,88.198.125.96,88.198.56.140,88.77.186.64,88.83.40.246,89.144.12.15,89.187.150.12,89.187.150.13,89.187.150.14] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 67"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520132; rev:3093;)
alert ip [89.187.150.15,89.212.99.66,89.234.157.254,89.236.34.117,89.248.166.157,89.31.57.58,89.31.96.168,89.32.127.178,89.34.237.121,89.38.208.57] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 68"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520134; rev:3093;)
alert ip [89.45.226.28,91.121.52.156,91.134.232.48,91.146.121.3,91.219.236.232,91.219.237.244,91.221.57.129,91.223.82.156,91.233.106.121,91.233.106.172] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 69"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520136; rev:3093;)
alert ip [91.250.241.241,92.169.87.4,92.222.38.67,92.222.6.12,92.222.74.226,92.27.153.74,92.63.173.28,93.115.95.201,93.115.95.202,93.115.95.204] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 70"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520138; rev:3093;)
alert ip [93.115.95.205,93.115.95.206,93.115.95.207,93.115.95.216,93.174.90.30,93.174.93.133,93.174.93.71,93.186.13.12,93.220.94.148,93.64.207.55] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 71"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520140; rev:3093;)
alert ip [94.102.50.42,94.130.28.151,94.142.242.84,94.198.100.17,94.23.239.44,94.242.205.2,94.242.246.23,94.242.246.24,94.242.57.161,94.242.57.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 72"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520142; rev:3093;)
# Non-Exit Nodes
alert ip [103.10.197.50,103.234.220.197,103.236.201.110,103.236.201.57,103.27.124.82,103.29.70.23,103.35.74.75,103.35.74.77,103.3.61.114,103.56.207.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522000; rev:3093;)
alert ip [103.8.79.229,104.192.0.50,104.200.20.46,104.218.63.73,104.218.63.74,104.218.63.75,104.218.63.76,104.223.123.100,104.223.123.101,104.223.123.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522002; rev:3093;)
alert ip [104.223.123.99,104.236.141.156,104.237.203.98,104.244.74.78,106.187.37.101,107.181.174.84,107.189.49.130,109.126.9.228,109.169.33.163,109.201.133.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522004; rev:3093;)
alert ip [109.69.67.17,1.161.250.166,118.163.74.160,120.29.217.46,124.109.1.207,125.212.241.182,126.72.58.19,128.199.47.160,128.52.128.105,128.70.19.225] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522006; rev:3093;)
alert ip [130.204.161.3,131.111.179.83,133.218.187.161,137.74.167.96,137.74.169.241,137.74.73.179,13.79.231.167,138.197.207.243,138.197.216.132,138.197.4.77] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522008; rev:3093;)
alert ip [138.197.85.80,138.68.40.100,139.162.105.26,139.162.10.72,139.162.16.13,139.162.226.245,139.162.28.23,139.162.28.31,139.59.62.94,141.138.141.208] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 6"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522010; rev:3093;)
alert ip [141.170.2.53,141.255.189.161,14.202.230.49,142.4.211.161,142.44.156.140,142.44.166.241,143.106.60.70,144.217.161.119,144.217.167.240,144.217.240.34] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 7"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522012; rev:3093;)
alert ip [144.217.60.211,144.217.60.239,144.217.94.195,144.217.94.96,145.239.29.201,145.239.74.47,145.239.82.79,146.0.79.144,146.185.177.103,147.135.156.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 8"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522014; rev:3093;)
alert ip [148.251.43.239,149.202.185.34,149.202.238.204,149.56.106.210,149.56.201.79,149.56.223.240,151.80.238.152,151.80.38.67,154.127.60.92,154.16.149.35] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 9"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522016; rev:3093;)
alert ip [154.16.149.74,155.133.82.112,155.4.250.85,156.67.106.251,156.67.106.30,156.67.106.32,158.255.6.242,158.69.215.7,158.69.83.25,162.213.0.243] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 10"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522018; rev:3093;)
alert ip [162.220.246.230,162.221.201.57,162.243.166.137,162.247.72.199,162.247.72.200,162.247.72.201,162.247.72.202,162.247.72.213,162.247.72.216,162.247.72.217] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 11"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522020; rev:3093;)
alert ip [162.247.72.7,162.247.73.204,162.247.73.206,163.172.101.137,163.172.136.101,163.172.137.222,163.172.138.11,163.172.139.161,163.172.140.123,163.172.151.250] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 12"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522022; rev:3093;)
alert ip [163.172.151.47,163.172.160.182,163.172.162.106,163.172.163.85,163.172.170.212,163.172.171.163,163.172.179.129,163.172.212.115,163.172.217.50,163.172.223.200] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 13"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522024; rev:3093;)
alert ip [163.172.223.87,163.172.67.180,164.132.106.162,164.132.51.91,164.77.133.220,165.255.108.14,166.70.207.2,167.114.251.167,167.114.34.150,167.114.89.195] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 14"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522026; rev:3093;)
alert ip [167.160.84.183,169.239.183.210,170.250.140.52,171.25.193.20,171.25.193.235,171.25.193.25,171.25.193.77,171.25.193.78,172.104.146.56,172.104.148.28] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 15"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522028; rev:3093;)
alert ip [172.104.180.171,172.104.187.79,172.104.41.83,172.98.193.43,173.14.173.227,173.208.153.75,173.254.216.66,173.254.216.67,173.254.216.68,173.254.216.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522030; rev:3093;)
alert ip [173.255.226.142,173.255.229.8,173.255.231.125,173.255.253.173,176.10.104.240,176.10.104.243,176.10.107.180,176.10.99.200,176.10.99.201,176.10.99.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522032; rev:3093;)
alert ip [176.10.99.203,176.10.99.204,176.10.99.205,176.10.99.206,176.10.99.207,176.10.99.208,176.10.99.209,176.121.10.44,176.121.10.52,176.126.252.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522034; rev:3093;)
alert ip [176.214.189.247,176.31.180.157,176.31.45.3,176.36.117.185,176.38.163.77,176.58.100.98,178.156.202.125,178.17.170.13,178.17.170.135,178.17.170.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522036; rev:3093;)
alert ip [178.17.170.164,178.17.170.194,178.17.170.195,178.17.170.196,178.17.171.111,178.17.171.40,178.17.171.43,178.17.171.49,178.17.174.10,178.17.174.14] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522038; rev:3093;)
alert ip [178.17.174.198,178.17.174.32,178.175.131.194,178.18.83.215,178.202.169.177,178.20.55.16,178.20.55.18,178.209.42.84,178.238.237.44,178.32.181.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522040; rev:3093;)
alert ip [178.32.181.97,178.32.181.98,178.32.181.99,178.32.53.94,178.62.85.101,178.63.110.151,179.43.146.230,18.248.1.85,18.248.2.85,184.105.220.24] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522042; rev:3093;)
alert ip [185.100.84.108,185.100.84.82,185.100.85.101,185.100.85.112,185.100.85.147,185.100.85.190,185.100.85.192,185.100.85.61,185.100.86.128,185.100.86.141] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522044; rev:3093;)
alert ip [185.100.86.154,185.100.86.167,185.100.86.86,185.100.87.82,185.103.99.60,185.104.120.2,185.104.120.4,185.104.120.7,185.10.68.119,185.10.68.139] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522046; rev:3093;)
alert ip [185.10.68.191,185.107.81.233,185.107.81.234,185.11.167.4,185.11.167.55,185.11.167.56,185.11.167.57,185.11.167.58,185.11.167.59,185.11.167.60] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 25"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522048; rev:3093;)
alert ip [185.112.157.135,185.112.254.195,185.117.118.234,185.157.232.64,185.159.128.193,185.159.131.99,185.16.200.176,185.163.1.11,185.165.168.229,185.165.168.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 26"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522050; rev:3093;)
alert ip [185.165.168.77,185.170.42.18,185.175.208.179,185.175.208.180,185.189.14.230,185.189.14.61,185.34.33.2,185.38.14.171,185.38.14.215,185.61.138.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 27"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522052; rev:3093;)
alert ip [185.61.149.193,185.62.57.91,185.65.205.10,185.66.200.10,185.70.11.132,185.72.244.24,185.82.216.233,185.82.216.241,185.86.149.175,185.87.185.45] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 28"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522054; rev:3093;)
alert ip [187.104.48.3,187.20.55.95,188.165.62.9,188.209.52.238,188.226.212.13,18.85.22.204,189.84.21.44,190.10.8.50,191.96.249.110,192.160.102.164] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 29"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522056; rev:3093;)
alert ip [192.160.102.165,192.160.102.166,192.160.102.168,192.160.102.169,192.160.102.170,192.195.80.10,192.34.80.176,192.36.27.4,192.42.116.16,192.81.131.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 30"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522058; rev:3093;)
alert ip [193.107.85.56,193.107.85.57,193.107.85.62,193.110.157.151,193.15.16.4,193.164.131.95,193.171.202.146,193.201.225.45,193.233.60.154,193.70.39.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 31"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522060; rev:3093;)
alert ip [193.70.89.19,193.70.89.20,194.218.3.79,194.54.162.212,195.123.212.118,195.123.212.34,195.219.163.68,195.219.166.53,195.22.126.177,195.22.126.178] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 32"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522062; rev:3093;)
alert ip [195.228.45.176,195.254.135.76,196.41.123.180,197.231.221.211,198.167.223.38,198.167.223.50,198.211.103.26,198.211.122.191,198.50.159.204,198.50.200.129] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 33"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522064; rev:3093;)
alert ip [198.50.200.131,198.50.200.134,198.50.200.135,198.50.200.147,198.58.100.240,198.58.107.53,198.73.50.71,198.96.155.3,199.127.226.150,199.249.223.40] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 34"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522066; rev:3093;)
alert ip [199.249.223.60,199.249.223.61,199.249.223.62,199.249.223.63,199.249.223.64,199.249.223.65,199.249.223.66,199.249.223.67,199.249.223.68,199.249.223.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 35"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522068; rev:3093;)
alert ip [199.249.223.71,199.249.223.72,199.249.223.73,199.249.223.74,199.249.223.75,199.249.223.76,199.249.223.77,199.249.223.78,199.249.223.79,199.249.223.81] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 36"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522070; rev:3093;)
alert ip [199.249.224.40,199.249.224.41,199.249.224.42,199.249.224.43,199.249.224.44,199.249.224.45,199.249.224.46,199.249.224.47,199.249.224.48,199.249.224.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 37"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522072; rev:3093;)
alert ip [199.68.196.124,199.87.154.255,204.11.50.131,204.194.29.4,204.8.156.142,204.85.191.30,204.85.191.31,205.166.94.153,205.168.84.133,206.248.184.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 38"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522074; rev:3093;)
alert ip [206.55.74.0,207.244.70.35,208.67.1.79,208.67.1.82,208.67.1.83,209.123.234.23,210.3.102.152,211.21.48.217,212.16.104.33,212.19.17.213] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 39"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522076; rev:3093;)
alert ip [212.21.66.6,212.47.227.114,212.47.229.60,212.47.239.73,212.47.243.140,212.47.246.21,212.81.199.159,212.83.140.95,212.83.40.239,212.92.219.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 40"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522078; rev:3093;)
alert ip [213.108.105.71,213.108.105.92,213.136.74.184,213.61.149.125,213.61.149.126,213.95.21.54,216.218.134.12,216.218.222.11,216.218.222.12,216.218.222.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 41"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522080; rev:3093;)
alert ip [216.239.90.19,217.115.10.131,217.170.197.83,217.182.207.27,217.182.74.253,217.182.76.240,217.182.78.177,222.110.3.1,223.26.48.248,23.129.64.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 42"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522082; rev:3093;)
alert ip [23.129.64.12,23.129.64.13,23.129.64.14,23.129.64.15,23.129.64.16,23.129.64.17,23.129.64.18,23.129.64.19,23.129.64.20,23.92.27.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 43"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522084; rev:3093;)
alert ip [23.92.28.23,23.95.70.22,24.207.212.154,2.44.188.87,31.185.104.19,31.185.104.20,31.185.104.21,31.185.27.203,35.184.106.64,36.226.247.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 44"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522086; rev:3093;)
alert ip [36.227.172.7,37.139.8.104,37.187.105.104,37.187.53.94,37.187.7.74,37.218.240.21,37.218.240.50,37.218.240.68,37.218.240.80,37.220.35.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 45"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522088; rev:3093;)
alert ip [37.220.36.240,37.48.120.196,37.48.120.9,37.59.112.7,37.59.119.196,37.97.228.159,41.206.188.206,41.231.53.101,41.78.128.113,45.33.23.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 46"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522090; rev:3093;)
alert ip [45.33.48.204,45.62.236.66,45.62.251.245,45.76.115.159,45.79.137.11,45.79.198.115,45.79.73.22,46.101.127.145,46.101.139.248,46.101.150.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 47"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522092; rev:3093;)
alert ip [46.101.164.37,46.165.223.217,46.165.230.5,46.165.254.166,46.17.97.112,46.182.106.190,46.182.18.214,46.182.18.29,46.182.18.40,46.182.18.46] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 48"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522094; rev:3093;)
alert ip [46.182.19.15,46.182.19.219,46.183.218.199,46.183.221.231,46.194.55.111,46.226.108.26,46.233.0.70,46.235.227.70,46.246.49.91,46.29.248.238] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 49"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522096; rev:3093;)
alert ip [46.45.137.71,46.4.55.177,46.4.81.178,50.247.195.124,50.76.159.218,51.15.134.120,51.15.141.220,51.15.212.104,51.15.34.210,51.15.40.233] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 50"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522098; rev:3093;)
alert ip [51.15.43.205,51.15.43.232,51.15.44.197,51.15.45.97,51.15.46.49,51.15.50.133,51.15.53.118,51.15.53.83,51.15.54.136,51.15.56.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 51"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522100; rev:3093;)
alert ip [51.15.57.177,51.15.57.79,51.15.60.255,51.15.60.62,51.15.62.146,51.15.63.229,51.15.63.98,51.15.64.212,51.15.70.13,51.15.70.177] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 52"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522102; rev:3093;)
alert ip [51.15.70.226,51.15.70.228,51.15.76.81,51.15.79.107,51.15.87.157,51.255.202.66,5.188.11.165,5.189.146.133,5.189.188.111,5.196.0.149] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 53"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522104; rev:3093;)
alert ip [5.196.1.129,5.196.121.161,5.196.66.162,5.199.130.188,52.15.62.13,5.254.112.154,5.254.79.66,5.39.217.14,54.36.81.57,5.56.214.118] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 54"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522106; rev:3093;)
alert ip [5.79.68.161,59.127.163.155,5.9.158.75,59.177.81.30,5.9.195.140,60.248.162.179,62.102.148.67,62.109.29.199,62.133.130.105,62.141.39.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 55"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522108; rev:3093;)
alert ip [62.149.13.57,62.176.4.10,62.198.32.223,62.210.105.116,62.210.105.86,62.210.115.87,62.210.129.246,62.210.149.35,62.210.37.82,62.212.73.141] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 56"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522110; rev:3093;)
alert ip [62.219.3.47,62.219.3.48,64.113.32.29,64.124.32.84,64.137.162.142,64.137.205.124,64.137.210.30,64.137.210.54,64.137.210.86,64.27.17.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 57"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522112; rev:3093;)
alert ip [65.129.144.43,65.181.123.254,65.19.167.130,65.19.167.131,65.19.167.132,66.155.4.213,66.180.193.219,66.70.217.179,67.205.146.164,67.215.255.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 58"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522114; rev:3093;)
alert ip [69.164.207.234,71.46.220.68,72.12.207.14,72.14.179.10,72.14.182.209,72.174.26.72,72.52.75.27,72.93.243.211,74.50.54.69,75.54.229.204] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 59"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522116; rev:3093;)
alert ip [77.109.139.87,77.246.163.141,77.247.181.165,77.250.227.12,77.81.107.138,78.107.237.16,78.129.137.28,78.131.53.162,78.13.201.140,78.142.175.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 60"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522118; rev:3093;)
alert ip [78.31.164.41,78.41.115.145,78.45.15.253,78.63.161.0,78.70.167.74,79.137.67.116,79.137.79.167,79.137.80.94,79.169.39.161,80.241.60.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 61"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522120; rev:3093;)
alert ip [80.67.172.162,80.79.23.7,80.82.67.186,80.85.84.23,81.171.19.32,82.146.58.35,82.165.100.196,82.211.0.201,82.221.101.67,82.221.112.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 62"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522122; rev:3093;)
alert ip [82.221.128.217,82.221.139.25,82.223.27.82,82.247.198.227,83.151.233.181,83.92.47.99,84.0.95.9,84.105.18.164,84.190.180.142,84.19.180.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 63"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522124; rev:3093;)
alert ip [84.19.181.25,84.200.50.18,84.200.82.163,84.209.48.106,84.217.13.138,84.3.0.53,84.48.199.78,84.53.192.243,84.53.225.118,85.119.83.78] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 64"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522126; rev:3093;)
alert ip [85.143.95.50,85.195.107.250,85.248.227.163,85.248.227.164,85.248.227.165,85.90.244.23,85.93.218.204,86.107.110.217,87.118.115.176,87.118.116.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 65"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522128; rev:3093;)
alert ip [87.118.116.90,87.118.122.254,87.118.122.30,87.118.122.50,87.118.83.3,87.118.92.43,87.120.254.189,87.120.254.81,87.120.254.92,87.140.25.245] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 66"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522130; rev:3093;)
alert ip [87.81.148.61,87.98.178.61,88.190.118.95,88.198.125.96,88.198.56.140,88.77.186.64,88.83.40.246,89.144.12.15,89.187.150.12,89.187.150.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 67"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522132; rev:3093;)
alert ip [89.187.150.14,89.187.150.15,89.212.99.66,89.234.157.254,89.236.34.117,89.248.166.157,89.31.57.58,89.31.96.168,89.32.127.178,89.34.237.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 68"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522134; rev:3093;)
alert ip [89.38.208.57,89.45.226.28,91.121.52.156,91.134.232.48,91.146.121.3,91.219.236.232,91.219.237.244,91.221.57.129,91.223.82.156,91.233.106.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 69"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522136; rev:3093;)
alert ip [91.233.106.172,91.250.241.241,92.169.87.4,92.222.38.67,92.222.6.12,92.222.74.226,92.27.153.74,92.63.173.28,93.115.95.201,93.115.95.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 70"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522138; rev:3093;)
alert ip [93.115.95.204,93.115.95.205,93.115.95.206,93.115.95.207,93.115.95.216,93.174.90.30,93.174.93.133,93.174.93.71,93.186.13.12,93.220.94.148] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 71"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522140; rev:3093;)
alert ip [93.64.207.55,94.102.50.42,94.130.28.151,94.142.242.84,94.198.100.17,94.23.239.44,94.242.205.2,94.242.246.23,94.242.246.24,94.242.57.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 72"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522142; rev:3093;)
alert ip [94.242.57.2,95.128.43.164,95.130.10.69,95.130.11.170,95.142.161.63,95.211.118.194,95.211.230.94,96.255.14.191,96.64.149.101,97.74.237.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 73"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522144; rev:3093;)
alert ip [100.11.34.118,100.11.83.28,100.15.39.173,100.16.230.154,100.36.175.42,100.36.19.97,100.38.8.218,101.0.93.66,101.100.141.55,101.100.144.174] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 74"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522146; rev:3093;)
alert ip [101.173.122.229,101.189.42.122,101.55.125.10,103.13.101.81,103.241.61.34,103.250.186.95,103.250.73.12,103.250.73.199,103.250.73.218,103.250.73.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522148; rev:3093;)
alert ip [103.250.73.232,103.250.73.251,103.250.73.5,103.35.56.22,103.73.189.114,103.73.65.32,103.73.67.198,103.85.158.48,104.128.225.205,104.128.226.73] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 76"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522150; rev:3093;)
alert ip [104.129.16.86,104.129.5.252,104.130.169.121,104.131.108.7,104.131.110.204,104.131.11.214,104.131.123.16,104.131.129.30,104.131.137.159,104.131.140.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 77"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522152; rev:3093;)
alert ip [104.131.148.86,104.131.149.84,104.131.181.174,104.131.187.45,104.131.19.119,104.131.204.147,104.131.205.192,104.131.206.23,104.131.245.55,104.131.28.54] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 78"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522154; rev:3093;)
alert ip [104.131.4.237,104.131.66.194,104.131.86.132,104.131.99.72,104.156.224.83,104.156.226.153,104.156.239.41,104.156.60.163,104.156.60.166,104.162.18.199] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 79"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522156; rev:3093;)
alert ip [104.168.167.34,104.168.62.174,104.168.87.167,104.191.31.69,104.192.5.248,104.200.131.232,104.200.16.227,104.200.20.142,104.200.67.249,104.206.168.60] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 80"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522158; rev:3093;)
alert ip [104.206.237.23,104.206.237.24,104.207.157.177,104.223.122.115,104.223.122.213,104.223.122.239,104.223.12.233,104.223.122.69,104.223.48.254,104.223.78.132] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 81"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522160; rev:3093;)
alert ip [104.232.119.93,104.233.123.73,104.233.80.8,104.236.101.108,104.236.10.21,104.236.103.167,104.236.131.15,104.236.151.160,104.236.164.161,104.236.175.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 82"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522162; rev:3093;)
alert ip [104.236.180.124,104.236.183.57,104.236.199.217,104.236.21.215,104.236.215.223,104.236.224.225,104.236.231.197,104.236.233.99,104.236.234.178,104.236.247.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 83"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522164; rev:3093;)
alert ip [104.236.33.174,104.236.44.133,104.236.46.10,104.236.52.16,104.236.87.90,104.236.90.134,104.238.136.10,104.238.150.212,104.238.158.127,104.238.159.191] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 84"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522166; rev:3093;)
alert ip [104.238.167.111,104.238.184.251,104.238.188.98,104.244.72.200,104.244.77.143,104.250.141.242,104.250.151.108,104.32.110.210,104.32.21.49,104.37.192.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 85"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522168; rev:3093;)
alert ip [104.37.61.159,104.40.58.52,105.184.110.89,106.186.18.40,106.248.228.2,106.68.157.189,107.136.214.218,107.145.157.164,107.150.18.14,107.150.7.83] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 86"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522170; rev:3093;)
alert ip [107.158.255.21,107.158.255.22,107.161.172.151,107.161.18.113,107.167.87.242,107.167.93.58,107.170.101.39,107.170.10.34,107.170.107.198,107.170.108.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 87"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522172; rev:3093;)
alert ip [107.170.113.28,107.170.119.31,107.170.143.117,107.170.150.7,107.170.153.80,107.170.158.212,107.170.188.155,107.170.193.14,107.170.232.75,107.170.241.112] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 88"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522174; rev:3093;)
alert ip [107.170.246.123,107.172.23.11,107.179.136.40,107.181.155.131,107.181.166.11,107.181.174.22,107.181.187.199,107.191.103.42,107.191.110.179,107.191.118.171] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 89"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522176; rev:3093;)
alert ip [107.191.126.184,107.191.40.51,107.191.45.209,107.191.46.204,107.191.47.87,107.212.34.52,108.14.251.33,108.161.133.189,108.167.45.153,108.168.65.115] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 90"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522178; rev:3093;)
alert ip [108.240.182.140,108.248.87.242,108.252.225.193,108.26.165.130,108.32.49.20,108.34.154.82,108.34.173.204,108.4.49.181,108.51.145.34,108.5.123.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 91"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522180; rev:3093;)
alert ip [108.52.47.127,108.53.208.157,108.54.199.58,108.58.144.234,108.61.165.0,108.61.165.169,108.61.166.134,108.61.182.74,108.61.208.98,108.61.29.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 92"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522182; rev:3093;)
alert ip [108.61.96.230,108.61.99.149,108.61.99.7,109.104.38.33,109.104.53.242,109.105.109.162,109.107.35.154,109.120.140.127,109.12.117.113,109.128.217.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 93"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522184; rev:3093;)
alert ip [109.129.103.61,109.147.247.134,109.147.85.253,109.148.135.48,109.150.115.227,109.156.178.140,109.159.89.26,109.164.236.231,109.188.73.216,109.189.157.63] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 94"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522186; rev:3093;)
alert ip [109.189.78.223,109.190.24.34,109.190.66.149,109.192.151.243,109.192.221.2,109.193.71.229,109.195.103.84,109.195.115.202,109.195.147.248,109.197.193.160] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 95"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522188; rev:3093;)
alert ip [109.197.63.45,109.201.148.8,109.218.182.235,109.228.51.164,109.230.215.24,109.230.215.42,109.230.231.165,109.230.236.89,109.234.36.196,109.235.67.219] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 96"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522190; rev:3093;)
alert ip [109.236.88.9,109.236.90.209,109.238.2.79,109.24.157.46,109.251.138.26,109.255.0.107,109.255.189.135,109.255.4.199,109.49.168.149,109.63.234.176] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 97"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522192; rev:3093;)
alert ip [109.68.174.60,109.68.191.132,109.68.191.133,109.68.191.159,109.70.118.164,109.73.50.56,109.74.194.124,109.74.195.190,109.74.197.251,109.74.200.101] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 98"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522194; rev:3093;)
alert ip [109.74.206.21,109.86.231.201,109.87.25.148,109.88.211.62,109.90.105.212,109.90.194.92,109.90.2.49,109.91.18.210,109.9.189.81,109.92.182.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 99"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522196; rev:3093;)
alert ip [109.95.51.107,110.174.43.136,110.175.89.172,110.4.47.139,111.217.70.205,111.220.142.172,111.69.187.64,111.90.140.240,111.90.140.7,111.90.141.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 100"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522198; rev:3093;)
alert ip [111.90.145.244,111.90.147.202,111.90.147.45,111.90.159.23,113.146.25.87,113.151.17.45,113.20.31.45,113.255.93.146,113.41.194.250,114.198.116.112] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 101"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522200; rev:3093;)
alert ip [115.124.112.235,115.146.127.224,115.162.69.72,115.70.57.112,116.127.71.162,116.255.86.18,116.72.19.109,116.93.119.79,116.98.47.44,118.127.108.136] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 102"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522202; rev:3093;)
alert ip [118.211.103.137,118.211.196.241,119.235.249.136,119.59.127.104,121.216.200.82,121.217.128.119,121.217.216.75,121.223.16.207,121.99.219.228,122.130.149.200] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 103"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522204; rev:3093;)
alert ip [122.173.149.16,122.252.153.13,122.58.16.118,122.61.174.190,123.2.59.76,124.168.121.129,124.171.62.248,124.244.71.219,1.244.227.61,125.143.58.243] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 104"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522206; rev:3093;)
alert ip [125.212.217.197,125.212.218.81,125.212.220.60,125.236.237.47,125.239.0.127,125.30.61.42,126.70.7.146,128.112.228.11,128.119.245.76,128.12.177.59] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 105"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522208; rev:3093;)
alert ip [128.131.169.91,128.153.146.125,128.199.131.168,128.199.132.7,128.199.133.154,128.199.136.79,128.199.138.74,128.199.139.224,128.199.163.108,128.199.179.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 106"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522210; rev:3093;)
alert ip [128.199.189.192,128.199.192.230,128.199.194.112,128.199.194.214,128.199.221.35,128.199.224.88,128.199.228.42,128.199.228.61,128.199.240.193,128.199.252.197] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 107"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522212; rev:3093;)
alert ip [128.199.35.162,128.199.35.5,128.199.52.7,128.199.55.207,128.199.81.48,128.199.85.165,128.199.97.254,128.208.2.233,128.31.0.34,128.39.8.29] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 108"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522214; rev:3093;)
alert ip [128.52.170.130,128.69.8.101,128.75.22.182,129.100.38.88,129.10.115.230,129.10.115.237,129.10.115.238,129.10.115.239,129.10.115.241,129.10.115.244] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 109"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522216; rev:3093;)
alert ip [129.10.115.245,129.10.115.246,129.10.115.247,129.10.115.248,129.13.131.140,129.21.131.156,129.242.219.85,130.149.14.31,130.180.111.94,130.180.23.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 110"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522218; rev:3093;)
alert ip [130.180.30.254,130.180.63.150,130.180.72.178,130.185.104.50,130.185.250.214,130.185.250.3,130.185.250.76,130.193.15.186,130.225.254.103,130.230.113.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 111"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522220; rev:3093;)
alert ip [130.230.113.229,130.230.113.230,130.230.113.231,130.230.113.232,130.230.113.233,130.230.113.234,130.230.113.235,130.230.113.236,130.230.113.237,130.243.26.64] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 112"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522222; rev:3093;)
alert ip [130.255.10.191,130.255.190.187,130.255.78.232,130.63.173.126,131.130.142.98,131.155.71.124,131.188.40.188,131.188.40.189,131.191.83.25,131.220.141.128] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 113"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522224; rev:3093;)
alert ip [13.124.107.51,131.255.4.48,131.255.4.79,131.255.5.233,131.255.5.239,131.255.5.250,131.255.5.251,131.255.5.66,131.255.7.57,132.216.54.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 114"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522226; rev:3093;)
alert ip [133.130.103.34,1.33.218.249,1.33.65.204,134.102.200.101,134.119.179.55,134.119.222.3,134.119.26.193,134.119.3.164,134.119.3.2,134.119.32.208] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 115"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522228; rev:3093;)
alert ip [134.130.181.212,134.130.181.43,134.130.181.49,134.19.177.109,134.91.78.143,135.23.121.228,135.23.221.151,135.23.96.205,136.168.201.153,136.243.102.134] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 116"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522230; rev:3093;)
alert ip [136.243.114.62,136.243.1.156,136.243.14.241,136.243.147.28,136.243.149.82,136.243.170.164,136.243.174.97,136.243.176.148,136.243.177.133,136.243.187.165] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 117"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522232; rev:3093;)
alert ip [136.243.214.137,136.243.243.6,136.243.70.199,136.243.90.139,136.29.17.133,136.32.238.141,136.32.72.40,136.32.88.247,136.33.135.41,136.57.59.67] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 118"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522234; rev:3093;)
alert ip [136.58.71.216,136.62.24.118,136.62.41.207,136.62.65.222,136.63.228.142,13.68.112.72,137.135.8.233,137.205.124.35,137.226.111.123,137.59.52.186] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 119"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522236; rev:3093;)
alert ip [137.74.112.46,137.74.116.214,137.74.117.52,137.74.164.213,137.74.198.250,137.74.224.132,137.74.25.175,137.74.40.76,137.74.40.77,138.117.148.45] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 120"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522238; rev:3093;)
alert ip [138.197.0.28,138.197.110.32,138.197.133.255,138.197.133.81,138.197.14.226,138.197.151.119,138.197.152.158,138.197.153.96,138.197.155.116,138.197.162.18] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 121"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522240; rev:3093;)
alert ip [138.197.168.41,138.197.172.27,138.197.196.50,138.197.202.35,138.197.205.50,138.197.210.209,138.197.214.11,138.197.36.234,138.197.46.213,138.197.67.206] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 122"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522242; rev:3093;)
alert ip [138.197.96.48,138.201.106.213,138.201.117.167,138.201.132.17,138.201.132.34,138.201.135.108,138.201.143.186,138.201.149.20,138.201.149.21,138.201.169.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 123"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522244; rev:3093;)
alert ip [138.201.211.234,138.201.211.235,138.201.213.18,138.201.245.87,138.201.247.18,138.201.247.2,138.201.249.231,138.201.250.33,138.201.255.245,138.201.3.75] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 124"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522246; rev:3093;)
alert ip [138.201.49.41,138.201.75.6,138.201.83.171,138.201.91.210,138.201.92.183,138.201.94.249,138.204.171.103,13.85.20.159,138.68.102.40,138.68.134.249] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 125"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522248; rev:3093;)
alert ip [138.68.150.168,138.68.15.191,138.68.159.142,138.68.167.23,138.68.174.81,138.68.243.240,138.68.245.159,138.68.2.89,138.68.46.132,138.68.69.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 126"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522250; rev:3093;)
alert ip [138.68.76.180,138.68.80.108,138.68.80.91,138.68.81.52,138.68.95.222,138.68.96.71,139.133.232.231,139.140.181.151,139.162.103.248,139.162.112.111] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 127"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522252; rev:3093;)
alert ip [139.162.130.249,139.162.142.120,139.162.142.27,139.162.146.177,139.162.150.16,139.162.151.86,139.162.181.19,139.162.185.120,139.162.191.243,139.162.19.233] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 128"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522254; rev:3093;)
alert ip [139.162.232.28,139.162.241.69,139.162.245.120,139.162.248.13,139.162.249.63,139.162.44.128,139.162.56.252,139.162.61.44,139.162.7.40,139.162.81.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 129"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522256; rev:3093;)
alert ip [139.162.9.145,139.162.96.82,13.93.114.153,139.59.0.94,139.59.113.97,139.59.117.110,139.59.117.212,139.59.131.98,139.59.134.207,139.59.145.185] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 130"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522258; rev:3093;)
alert ip [139.59.148.215,139.59.155.174,139.59.16.5,139.59.172.93,139.59.210.198,139.59.2.130,139.59.2.186,139.59.226.185,139.59.229.179,139.59.235.172] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 131"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522260; rev:3093;)
alert ip [139.59.240.91,139.59.29.107,139.59.29.46,139.59.31.227,139.59.31.76,139.59.36.149,139.59.36.152,139.59.36.57,139.59.37.101,139.59.44.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 132"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522262; rev:3093;)
alert ip [139.59.45.242,139.59.6.172,139.59.64.32,139.59.64.49,139.59.70.114,139.59.7.124,139.59.79.120,140.0.126.72,140.113.128.242,140.113.69.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 133"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522264; rev:3093;)
alert ip [140.121.136.124,140.121.80.170,140.138.144.170,141.0.146.4,141.105.67.58,141.105.70.132,141.136.222.176,141.14.220.177,141.145.121.11,141.20.103.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 134"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522266; rev:3093;)
alert ip [141.20.33.67,141.20.33.68,141.255.161.173,141.255.165.102,141.255.166.142,141.255.166.150,141.255.166.189,141.51.125.16,141.54.159.184,141.70.125.232] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 135"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522268; rev:3093;)
alert ip [14.203.77.193,142.4.211.189,142.4.214.187,142.4.32.196,142.44.156.134,142.44.174.243,142.54.186.178,143.106.60.86,143.176.52.51,144.136.5.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 136"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522270; rev:3093;)
alert ip [144.178.137.152,144.206.238.32,144.2.123.139,144.217.15.100,144.217.15.164,144.217.15.179,144.217.245.140,144.217.245.145,144.217.246.91,144.217.254.208] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 137"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522272; rev:3093;)
alert ip [144.217.255.69,144.217.56.135,144.217.56.140,144.217.56.141,144.217.56.158,144.217.65.215,144.217.7.136,144.217.80.139,144.217.87.78,144.217.95.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 138"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522274; rev:3093;)
alert ip [144.76.101.199,144.76.105.117,144.76.105.169,144.76.109.138,144.76.11.100,144.76.112.85,144.76.117.169,144.76.128.206,144.76.14.145,144.76.163.93] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 139"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522276; rev:3093;)
alert ip [144.76.172.187,144.76.253.229,144.76.26.175,144.76.30.167,144.76.31.202,144.76.37.242,144.76.41.171,144.76.44.168,144.76.45.74,144.76.48.4] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522278; rev:3093;)
alert ip [144.76.50.37,144.76.61.40,144.76.6.199,144.76.64.66,144.76.69.232,144.76.71.91,144.76.75.130,144.76.75.184,144.76.80.68,144.76.85.183] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 141"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522280; rev:3093;)
alert ip [144.76.91.135,144.76.91.46,144.76.96.7,145.132.191.48,145.132.42.234,145.133.41.132,145.220.0.15,145.239.225.197,145.239.65.59,145.239.76.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 142"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522282; rev:3093;)
alert ip [145.239.82.204,145.239.82.223,145.239.85.191,145.239.87.224,145.255.243.50,146.0.32.122,146.0.32.132,146.0.32.62,146.0.43.121,146.0.43.126] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 143"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522284; rev:3093;)
alert ip [146.0.77.50,146.115.162.91,146.185.141.163,146.185.150.219,146.185.155.218,146.185.157.61,146.185.160.30,146.185.170.35,146.185.171.181,146.185.176.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 144"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522286; rev:3093;)
alert ip [146.185.189.197,146.185.253.101,146.185.69.58,146.199.226.192,146.255.170.243,146.255.170.244,146.255.170.245,146.255.57.228,146.52.122.170,146.52.130.106] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 145"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522288; rev:3093;)
alert ip [146.52.167.241,146.52.207.49,146.52.208.228,146.52.253.105,146.52.72.148,146.60.209.102,147.135.209.40,147.135.210.101,147.147.186.50,147.175.187.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 146"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522290; rev:3093;)
alert ip [147.175.187.180,148.251.11.21,148.251.113.230,148.251.11.39,148.251.14.214,148.251.151.240,148.251.168.226,148.251.176.25,148.251.190.229,148.251.206.134] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 147"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522292; rev:3093;)
alert ip [148.251.214.53,148.251.221.163,148.251.227.14,148.251.238.253,148.251.254.229,148.251.40.40,148.251.42.164,148.251.55.246,148.59.220.246,149.154.152.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 148"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522294; rev:3093;)
alert ip [149.154.157.80,149.154.159.172,149.154.159.87,149.154.71.246,149.172.149.170,149.172.201.153,149.202.101.30,149.202.181.214,149.202.190.14,149.202.192.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 149"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522296; rev:3093;)
alert ip [149.202.2.106,149.202.220.80,149.202.238.198,149.202.238.220,149.202.4.241,149.202.57.214,149.202.58.41,149.210.164.228,149.210.221.48,149.210.226.155] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 150"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522298; rev:3093;)
alert ip [149.255.35.242,149.255.37.90,149.56.12.78,149.56.13.125,149.56.140.193,149.56.141.138,149.56.14.37,149.56.185.56,149.56.204.207,149.56.223.242] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 151"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522300; rev:3093;)
alert ip [149.56.223.244,149.56.233.142,149.56.25.84,149.56.26.237,149.56.45.200,149.86.117.215,149.91.82.97,150.101.243.99,150.146.2.245,150.95.137.40] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 152"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522302; rev:3093;)
alert ip [150.95.173.81,151.1.182.217,151.177.29.27,151.20.242.69,151.20.248.101,151.225.130.246,151.230.29.84,151.236.11.114,151.236.12.126,151.236.218.67] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 153"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522304; rev:3093;)
alert ip [151.236.6.110,151.237.229.131,151.27.116.117,151.32.117.175,151.45.72.30,151.53.20.161,151.80.115.180,151.80.128.12,151.80.141.122,151.80.144.153] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 154"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522306; rev:3093;)
alert ip [151.80.144.253,151.80.145.159,151.80.147.153,151.80.16.34,151.80.40.72,151.80.56.141,151.80.56.62,151.80.59.144,153.120.42.137,153.126.128.94] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 155"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522308; rev:3093;)
alert ip [153.126.158.65,153.126.196.95,153.127.199.124,153.149.98.251,153.202.228.115,153.92.126.234,153.92.127.239,154.35.175.225,154.5.54.64,155.133.38.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 156"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522310; rev:3093;)
alert ip [155.254.49.178,155.4.103.214,155.4.229.135,155.98.5.5,155.98.5.6,157.7.143.145,158.140.206.75,158.255.208.148,158.255.212.178,158.255.215.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 157"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522312; rev:3093;)
alert ip [158.255.4.241,158.255.7.61,158.58.170.183,158.58.170.195,158.58.173.24,158.58.173.78,158.69.102.208,158.69.172.226,158.69.204.36,158.69.205.215] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 158"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522314; rev:3093;)
alert ip [158.69.205.247,158.69.205.92,158.69.207.216,158.69.216.18,158.69.217.34,158.69.247.184,158.69.247.80,158.69.36.152,158.69.48.77,158.69.63.16] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 159"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522316; rev:3093;)
alert ip [158.69.63.178,158.69.92.127,159.148.186.130,159.148.186.144,159.148.186.162,159.148.186.172,159.148.186.196,159.148.186.208,159.148.186.236,159.148.186.240] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 160"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522318; rev:3093;)
alert ip [159.148.186.8,159.148.186.91,159.203.10.141,159.203.10.16,159.203.103.138,159.203.15.100,159.203.17.103,159.203.173.38,159.203.1.86,159.203.193.72] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 161"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522320; rev:3093;)
alert ip [159.203.224.25,159.203.22.51,159.203.234.244,159.203.27.5,159.203.29.240,159.203.32.149,159.203.3.224,159.203.38.250,159.203.41.119,159.203.42.107] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 162"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522322; rev:3093;)
alert ip [159.203.42.254,159.203.45.104,159.203.45.171,159.203.59.106,159.203.7.221,159.203.85.88,159.203.90.174,159.224.64.79,160.16.228.57,161.53.160.104] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 163"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522324; rev:3093;)
alert ip [161.97.251.142,162.213.3.221,162.213.38.245,162.216.16.23,162.218.239.125,162.220.165.185,162.220.217.50,162.220.218.109,162.221.202.230,162.226.56.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 164"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522326; rev:3093;)
alert ip [162.243.134.188,162.243.139.73,162.243.195.118,162.243.200.157,162.243.21.103,162.243.255.143,162.243.8.161,162.244.25.214,162.245.23.144,162.247.73.195] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 165"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522328; rev:3093;)
alert ip [162.247.75.118,162.252.243.20,163.172.110.48,163.172.115.22,163.172.128.13,163.172.129.29,163.172.130.220,163.172.131.164,163.172.131.183,163.172.131.192] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 166"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522330; rev:3093;)
alert ip [163.172.13.165,163.172.131.88,163.172.132.167,163.172.132.178,163.172.133.54,163.172.135.172,163.172.137.4,163.172.137.92,163.172.138.22,163.172.139.104] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 167"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522332; rev:3093;)
alert ip [163.172.139.111,163.172.139.145,163.172.139.170,163.172.141.10,163.172.141.195,163.172.141.33,163.172.142.172,163.172.14.221,163.172.142.92,163.172.143.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 168"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522334; rev:3093;)
alert ip [163.172.143.186,163.172.144.236,163.172.146.169,163.172.146.232,163.172.147.53,163.172.148.176,163.172.149.122,163.172.149.155,163.172.151.234,163.172.152.231] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 169"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522336; rev:3093;)
alert ip [163.172.152.237,163.172.153.12,163.172.153.78,163.172.154.162,163.172.154.245,163.172.156.137,163.172.156.181,163.172.157.124,163.172.157.213,163.172.159.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 170"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522338; rev:3093;)
alert ip [163.172.160.227,163.172.163.104,163.172.163.169,163.172.163.238,163.172.165.6,163.172.167.77,163.172.168.131,163.172.169.253,163.172.170.52,163.172.173.182] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 171"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522340; rev:3093;)
alert ip [163.172.173.184,163.172.173.34,163.172.175.174,163.172.175.232,163.172.176.167,163.172.176.45,163.172.177.114,163.172.178.182,163.172.179.131,163.172.180.59] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 172"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522342; rev:3093;)
alert ip [163.172.181.239,163.172.183.116,163.172.190.110,163.172.191.234,163.172.194.53,163.172.201.62,163.172.209.161,163.172.210.170,163.172.21.117,163.172.212.102] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 173"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522344; rev:3093;)
alert ip [163.172.213.201,163.172.215.236,163.172.215.60,163.172.215.78,163.172.216.195,163.172.223.132,163.172.223.215,163.172.228.191,163.172.25.118,163.172.27.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 174"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522346; rev:3093;)
alert ip [163.172.35.211,163.172.36.205,163.172.42.239,163.172.45.220,163.172.53.84,163.172.56.248,163.172.60.190,163.172.61.28,163.172.69.166,163.172.82.124] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 175"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522348; rev:3093;)
alert ip [163.172.82.3,163.172.84.95,163.172.86.92,163.172.89.227,163.172.90.128,163.172.94.119,164.132.209.131,164.132.212.100,164.132.225.248,164.132.226.30] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 176"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522350; rev:3093;)
alert ip [164.132.230.34,164.132.249.244,164.132.38.170,164.132.41.85,164.132.49.205,164.132.77.175,164.215.116.194,164.40.245.204,165.120.218.118,165.227.122.119] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 177"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522352; rev:3093;)
alert ip [165.227.130.126,165.227.130.167,165.227.135.224,165.227.136.69,165.227.154.118,165.227.20.47,165.227.8.231,165.227.8.5,165.227.90.183,165.227.94.10] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 178"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522354; rev:3093;)
alert ip [166.70.15.14,166.70.94.106,167.114.103.19,167.114.113.134,167.114.121.128,167.114.148.149,167.114.160.128,167.114.219.61,167.114.3.166,167.114.35.102] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 179"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522356; rev:3093;)
alert ip [167.114.35.107,167.114.35.28,167.114.67.158,167.114.67.4,167.114.71.189,167.114.7.166,167.114.76.195,167.160.161.167,167.160.185.136,167.160.84.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 180"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522358; rev:3093;)
alert ip [167.160.84.141,167.88.120.159,167.88.41.8,168.150.251.15,168.205.150.148,168.235.146.20,168.235.154.96,168.235.67.30,168.235.69.79,169.239.128.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522360; rev:3093;)
alert ip [171.233.89.98,171.25.193.9,172.10.235.73,172.104.110.120,172.104.131.38,172.104.148.154,172.104.43.169,172.104.62.11,172.104.67.176,172.104.78.197] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 182"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522362; rev:3093;)
alert ip [172.104.85.43,172.104.88.43,172.221.207.95,172.241.140.26,172.245.126.70,172.245.126.96,172.245.219.133,172.245.24.228,172.245.99.10,172.86.144.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 183"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522364; rev:3093;)
alert ip [172.86.148.10,172.92.128.70,172.93.48.155,172.93.51.60,172.93.51.83,172.93.55.183,172.97.103.47,173.160.180.189,173.170.41.8,173.18.41.24] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 184"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522366; rev:3093;)
alert ip [173.199.115.232,173.199.118.247,173.199.124.17,173.206.132.9,173.208.225.60,173.208.225.61,173.212.197.112,173.212.206.230,173.212.228.203,173.212.231.17] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 185"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522368; rev:3093;)
alert ip [173.212.242.110,173.212.244.108,173.228.91.29,173.22.92.184,173.230.128.232,173.230.153.109,173.230.154.90,173.239.79.203,173.239.79.210,173.247.26.92] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 186"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522370; rev:3093;)
alert ip [173.254.236.135,173.255.205.113,173.255.209.181,173.255.217.222,173.255.218.106,173.255.221.96,173.255.228.134,173.255.228.85,173.255.241.235,173.255.245.116] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 187"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522372; rev:3093;)
alert ip [173.255.246.162,173.255.250.126,173.255.250.231,173.31.224.94,173.3.242.35,173.48.183.150,173.48.246.133,173.48.58.162,173.52.78.215,173.59.249.182] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 188"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522374; rev:3093;)
alert ip [173.66.70.16,173.67.9.186,173.68.10.124,173.71.141.91,173.76.173.114,173.79.55.87,173.8.211.74,173.82.151.94,174.0.0.21,174.104.26.125] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 189"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522376; rev:3093;)
alert ip [174.109.111.95,174.111.240.217,174.127.228.138,174.138.81.62,174.141.200.41,174.27.71.92,174.28.49.129,174.34.225.215,174.50.172.90,174.51.114.139] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 190"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522378; rev:3093;)
alert ip [174.55.212.152,174.59.110.190,174.63.80.6,174.68.74.231,174.7.16.21,174.97.19.230,175.138.42.194,175.179.249.253,175.203.71.68,176.10.131.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 191"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522380; rev:3093;)
alert ip [176.10.137.12,176.10.140.175,176.10.217.142,176.10.253.40,176.103.49.29,176.103.56.31,176.103.57.208,176.103.57.235,176.107.177.15,176.107.185.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 192"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522382; rev:3093;)
alert ip [176.112.242.6,176.114.131.136,176.114.248.47,176.115.38.130,176.118.30.217,176.119.98.186,176.121.81.51,176.123.10.167,176.123.10.3,176.123.10.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 193"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522384; rev:3093;)
alert ip [176.123.10.42,176.123.10.67,176.123.10.89,176.123.10.99,176.123.2.254,176.123.26.23,176.123.29.56,176.123.7.197,176.126.242.49,176.14.216.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 194"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522386; rev:3093;)
alert ip [176.15.182.231,176.158.155.120,176.158.236.102,176.159.130.165,176.193.226.229,176.194.189.124,176.195.245.42,176.196.98.66,176.197.158.30,176.198.132.82] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 195"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522388; rev:3093;)
alert ip [176.198.68.117,176.20.196.56,176.20.234.102,176.212.75.157,176.28.9.120,176.31.101.92,176.31.102.212,176.31.103.150,176.31.110.48,176.31.116.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 196"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522390; rev:3093;)
alert ip [176.31.117.6,176.31.120.215,176.31.121.194,176.31.125.116,176.31.163.89,176.31.184.255,176.31.191.26,176.31.200.122,176.31.225.204,176.31.23.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 197"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522392; rev:3093;)
alert ip [176.31.240.78,176.31.255.189,176.31.28.63,176.31.35.149,176.31.43.51,176.31.80.115,176.36.215.251,176.38.177.208,176.46.239.67,176.53.22.142] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 198"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522394; rev:3093;)
alert ip [176.56.237.191,176.58.108.133,176.58.110.66,176.58.113.34,176.58.120.22,176.58.121.159,176.58.96.199,176.63.111.50,176.66.131.31,176.67.169.254] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 199"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522396; rev:3093;)
alert ip [176.9.102.35,176.9.103.8,176.9.104.232,176.9.110.138,176.9.114.182,176.9.1.211,176.9.122.51,176.9.133.154,176.9.140.108,176.9.143.208] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 200"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522398; rev:3093;)
alert ip [176.9.147.227,176.9.148.176,176.9.155.82,176.9.156.71,176.9.157.222,176.9.158.118,176.9.180.47,176.9.190.240,176.9.208.12,176.9.215.64] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 201"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522400; rev:3093;)
alert ip [176.9.31.215,176.9.38.38,176.9.39.218,176.9.43.26,176.9.46.90,176.9.50.240,176.9.53.52,176.9.54.142,176.9.54.3,176.9.85.141] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 202"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522402; rev:3093;)
alert ip [176.9.8.6,176.9.90.215,176.9.98.109,177.206.97.240,177.234.155.250,177.234.155.98,177.246.231.193,177.251.150.142,177.85.97.121,178.0.110.142] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 203"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522404; rev:3093;)
alert ip [178.12.225.211,178.132.78.148,178.137.126.19,178.140.104.18,178.140.197.96,178.14.113.18,178.150.0.243,178.150.0.249,178.150.100.55,178.157.198.187] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 204"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522406; rev:3093;)
alert ip [178.159.0.38,178.16.208.55,178.16.208.56,178.16.208.57,178.16.208.58,178.16.208.59,178.16.208.60,178.16.208.61,178.16.208.62,178.162.194.210] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 205"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522408; rev:3093;)
alert ip [178.162.194.82,178.162.199.66,178.162.66.212,178.163.100.154,178.165.72.60,178.17.170.149,178.17.170.77,178.17.171.86,178.17.174.2,178.17.174.79] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 206"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522410; rev:3093;)
alert ip [178.174.172.77,178.18.94.247,178.190.84.68,178.19.104.227,178.191.126.207,178.193.211.203,178.198.173.137,178.19.96.114,178.200.31.8,178.200.56.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 207"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522412; rev:3093;)
alert ip [178.200.73.64,178.201.88.59,178.202.140.94,178.203.190.146,178.209.46.173,178.209.52.162,178.213.227.68,178.215.87.31,178.217.184.32,178.238.224.132] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 208"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522414; rev:3093;)
alert ip [178.238.232.110,178.24.159.14,178.24.218.158,178.24.54.98,178.24.72.177,178.24.73.127,178.249.167.2,178.251.228.142,178.251.228.50,178.25.205.60] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 209"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522416; rev:3093;)
alert ip [178.25.217.23,178.252.28.200,178.254.13.92,178.254.20.134,178.254.21.218,178.254.25.6,178.254.30.86,178.254.37.97,178.254.39.85,178.254.40.5] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 210"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522418; rev:3093;)
alert ip [178.254.44.135,178.254.7.88,178.254.9.25,178.255.42.246,178.26.131.140,178.26.131.97,178.27.121.230,178.27.147.35,178.27.162.121,178.27.90.92] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 211"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522420; rev:3093;)
alert ip [178.32.100.87,178.32.138.157,178.32.189.88,178.32.190.15,178.32.192.9,178.32.216.146,178.32.216.97,178.32.217.68,178.32.221.151,178.32.221.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 212"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522422; rev:3093;)
alert ip [178.32.222.125,178.32.222.21,178.32.223.87,178.32.34.91,178.32.47.140,178.32.54.103,178.32.61.9,178.32.66.43,178.32.76.95,178.33.115.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 213"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522424; rev:3093;)
alert ip [178.33.183.251,178.45.197.178,178.49.253.215,178.62.104.146,178.62.109.164,178.62.112.71,178.62.122.241,178.62.125.125,178.62.13.27,178.62.173.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 214"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522426; rev:3093;)
alert ip [178.62.18.161,178.62.186.155,178.62.196.71,178.62.197.82,178.62.198.54,178.62.199.226,178.62.201.15,178.62.20.117,178.62.202.59,178.62.203.126] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 215"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522428; rev:3093;)
alert ip [178.62.210.138,178.62.217.134,178.62.221.190,178.62.22.36,178.62.237.106,178.62.24.212,178.62.244.168,178.62.251.184,178.62.252.234,178.62.252.82] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 216"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522430; rev:3093;)
alert ip [178.62.36.64,178.62.43.5,178.62.46.7,178.62.60.37,178.62.66.18,178.62.79.227,178.62.86.206,178.62.86.96,178.62.88.111,178.62.9.153] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 217"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522432; rev:3093;)
alert ip [178.62.93.173,178.62.93.36,178.62.94.243,178.62.98.217,178.63.116.157,178.63.138.17,178.63.154.93,178.63.162.212,178.63.18.25,178.63.19.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 218"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522434; rev:3093;)
alert ip [178.63.25.10,178.63.27.82,178.63.65.179,178.63.78.8,178.63.85.14,178.66.1.187,178.73.210.118,178.75.148.206,178.78.213.214,178.79.134.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 219"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522436; rev:3093;)
alert ip [178.79.136.230,178.79.139.17,178.79.157.60,178.79.158.221,178.79.159.147,178.79.159.224,178.79.160.57,178.79.161.152,178.79.161.177,178.79.163.169] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 220"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522438; rev:3093;)
alert ip [178.79.165.21,178.79.169.98,178.79.173.147,178.79.177.148,178.83.171.83,178.83.190.108,178.84.83.252,178.85.43.158,179.34.227.81,179.43.158.176] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 221"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522440; rev:3093;)
alert ip [179.43.168.166,179.43.169.14,179.43.183.102,179.43.188.206,179.43.189.210,179.48.248.17,180.181.117.164,180.181.144.13,180.26.33.202,181.1.2.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 222"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522442; rev:3093;)
alert ip [181.30.14.126,18.181.5.37,181.93.5.174,182.171.143.55,182.171.233.68,182.171.77.82,18.220.148.128,183.77.197.79,184.100.125.176,184.100.144.118] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 223"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522444; rev:3093;)
alert ip [184.100.231.37,184.106.109.244,184.146.26.218,184.152.4.239,184.160.119.133,184.167.146.119,184.183.5.203,184.56.173.16,184.60.135.64,184.90.73.82] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 224"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522446; rev:3093;)
alert ip [185.100.84.251,185.100.85.132,185.100.85.175,185.100.85.207,185.100.85.244,185.100.86.249,185.100.87.239,185.100.87.43,185.101.218.220,185.101.98.108] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522448; rev:3093;)
alert ip [185.103.135.19,185.103.158.97,185.103.243.74,185.104.184.51,185.104.185.170,185.104.248.164,185.10.68.118,185.10.68.159,185.107.224.208,185.109.146.148] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 226"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522450; rev:3093;)
alert ip [185.111.219.109,185.111.219.11,185.112.157.126,185.112.82.102,185.117.118.132,185.117.88.92,185.12.28.116,185.123.102.38,185.125.217.66,185.125.33.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 227"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522452; rev:3093;)
alert ip [185.128.40.90,185.129.249.124,185.129.60.131,185.133.210.188,185.13.38.197,185.13.39.197,185.140.54.65,185.141.25.172,185.14.185.118,185.145.128.50] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 228"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522454; rev:3093;)
alert ip [185.145.130.73,185.145.131.165,185.146.228.150,185.146.228.151,185.148.145.115,185.148.145.140,185.148.145.71,185.148.145.74,185.150.189.170,185.150.189.175] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 229"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522456; rev:3093;)
alert ip [185.150.190.10,185.150.190.24,185.150.191.56,185.15.244.124,185.153.198.118,185.153.198.222,185.155.96.235,185.155.96.249,185.156.173.148,185.157.160.48] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 230"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522458; rev:3093;)
alert ip [185.157.232.34,185.157.233.42,185.15.72.62,185.15.73.117,185.159.128.83,185.15.92.76,185.15.94.14,185.15.94.17,185.16.172.155,185.16.173.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 231"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522460; rev:3093;)
alert ip [185.16.173.86,185.162.10.157,185.163.45.150,185.163.45.244,185.165.168.168,185.165.168.170,185.165.168.73,185.170.112.183,185.181.229.77,185.182.50.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 232"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522462; rev:3093;)
alert ip [185.183.107.194,185.183.107.30,185.185.40.111,185.186.244.60,185.189.113.90,185.189.14.42,185.19.123.237,185.198.56.139,185.202.196.180,185.20.227.66] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 233"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522464; rev:3093;)
alert ip [185.203.117.50,185.206.145.235,185.206.36.169,185.208.210.20,185.208.210.29,185.208.210.30,185.21.100.163,185.21.101.50,185.21.216.157,185.21.216.183] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 234"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522466; rev:3093;)
alert ip [185.21.216.189,185.21.216.195,185.21.216.198,185.21.217.13,185.21.217.29,185.21.217.33,185.214.71.164,185.216.33.126,185.217.0.69,185.217.0.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 235"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522468; rev:3093;)
alert ip [185.217.0.97,185.22.173.162,185.22.67.211,185.25.216.237,185.25.48.76,185.26.156.28,185.26.156.45,185.26.156.50,185.29.156.231,185.32.160.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 236"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522470; rev:3093;)
alert ip [185.32.221.201,185.32.221.228,185.35.138.92,185.37.145.44,185.37.226.197,185.37.72.202,185.40.31.122,185.41.154.130,185.44.76.144,185.44.76.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 237"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522472; rev:3093;)
alert ip [185.46.201.244,185.47.63.128,185.4.92.67,185.56.89.141,185.58.21.199,185.5.9.188,185.61.148.121,185.61.148.189,185.61.149.116,185.61.150.240] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522474; rev:3093;)
alert ip [185.6.29.55,185.63.253.130,185.65.244.235,185.69.52.19,185.69.53.188,185.72.178.72,185.72.244.37,185.72.247.145,185.7.254.67,185.72.66.137] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 239"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522476; rev:3093;)
alert ip [185.72.66.252,185.73.220.8,185.73.240.205,185.76.145.109,185.77.129.35,185.78.67.40,185.80.222.105,185.80.222.158,185.80.222.164,185.81.109.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 240"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522478; rev:3093;)
alert ip [185.81.164.254,185.81.96.14,185.82.201.54,185.82.202.28,185.82.203.209,185.82.217.70,185.8.236.131,185.8.237.45,185.8.238.139,185.86.148.150] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 241"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522480; rev:3093;)
alert ip [185.86.149.205,185.86.149.230,185.86.149.75,185.86.149.85,185.86.150.78,185.8.63.38,185.86.79.46,185.87.185.221,185.87.186.27,185.87.50.190] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 242"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522482; rev:3093;)
alert ip [185.90.61.159,185.90.61.23,185.90.61.35,185.9.19.83,185.92.68.9,185.94.193.148,185.94.193.154,185.94.193.158,185.94.193.194,185.94.193.198] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 243"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522484; rev:3093;)
alert ip [185.96.180.164,185.96.180.29,185.96.88.164,185.96.88.29,185.97.32.34,185.97.32.36,185.99.134.220,186.120.225.119,186.203.12.18,186.222.7.86] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 244"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522486; rev:3093;)
alert ip [187.163.84.205,187.60.93.196,187.63.100.24,188.107.7.8,188.114.140.245,188.118.198.244,188.118.217.236,188.120.234.26,188.120.243.128,188.120.243.32] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 245"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522488; rev:3093;)
alert ip [188.121.184.145,188.134.5.47,188.134.5.92,188.134.6.66,188.138.102.98,188.138.112.60,188.138.61.165,188.138.70.162,188.138.75.101,188.141.73.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 246"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522490; rev:3093;)
alert ip [188.142.200.211,188.143.121.152,188.164.154.18,188.165.0.171,188.165.106.249,188.165.138.72,188.165.139.175,188.165.142.97,188.165.145.157,188.165.194.195] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 247"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522492; rev:3093;)
alert ip [188.165.19.61,188.165.212.152,188.165.213.156,188.165.218.31,188.165.220.21,188.165.222.39,188.165.228.38,188.165.228.64,188.165.236.18,188.165.27.75] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 248"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522494; rev:3093;)
alert ip [188.165.28.152,188.165.28.25,188.165.4.224,188.165.50.244,188.165.5.14,188.165.5.67,188.165.58.241,188.165.59.43,188.165.6.66,188.166.122.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 249"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522496; rev:3093;)
alert ip [188.166.133.133,188.166.158.100,188.166.168.73,188.166.16.91,188.166.178.56,188.166.19.224,188.166.20.124,188.166.209.214,188.166.219.207,188.166.23.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 250"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522498; rev:3093;)
alert ip [188.166.24.205,188.166.245.217,188.166.246.106,188.166.255.209,188.166.33.15,188.166.4.109,188.166.41.210,188.166.48.132,188.166.50.222,188.166.56.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 251"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522500; rev:3093;)
alert ip [188.166.67.231,188.166.8.152,188.166.87.161,188.166.94.214,188.168.34.90,188.172.153.42,188.174.161.111,188.174.172.50,188.174.178.230,188.181.93.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522502; rev:3093;)
alert ip [188.192.145.3,188.192.156.190,188.192.196.221,188.192.245.163,188.193.109.132,188.193.21.38,188.193.233.73,188.193.2.6,188.194.123.108,188.194.93.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 253"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522504; rev:3093;)
alert ip [188.195.172.223,188.195.173.25,188.195.52.10,18.82.0.86,18.82.1.29,188.213.170.104,188.213.28.222,188.213.49.133,188.213.49.55,188.214.128.111] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 254"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522506; rev:3093;)
alert ip [188.214.128.64,188.214.129.21,188.214.30.153,188.214.30.159,188.214.30.220,188.214.30.98,188.221.111.222,188.221.78.241,188.222.106.239,188.226.130.88] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 255"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522508; rev:3093;)
alert ip [188.226.148.15,188.226.149.124,188.226.221.243,188.226.222.19,188.226.237.154,188.226.247.86,188.226.71.132,188.227.201.133,188.230.91.173,18.82.3.136] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 256"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522510; rev:3093;)
alert ip [18.82.3.196,18.82.3.205,188.240.208.219,188.240.208.89,188.241.58.10,188.242.134.102,188.243.225.14,188.243.26.62,188.243.68.220,188.243.99.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 257"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522512; rev:3093;)
alert ip [188.244.43.25,188.246.204.67,188.25.182.181,188.25.243.6,188.32.115.6,188.32.242.244,188.36.77.241,188.40.100.199,188.40.107.205,188.40.109.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 258"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522514; rev:3093;)
alert ip [188.40.110.214,188.40.128.246,188.40.140.87,188.40.159.122,188.40.166.29,188.40.206.5,188.40.235.215,188.40.248.57,188.40.41.115,188.40.44.119] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 259"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522516; rev:3093;)
alert ip [188.40.49.86,188.40.51.232,188.40.76.115,188.40.91.87,188.4.217.205,188.42.216.83,188.42.253.7,188.42.254.47,188.64.45.105,188.68.33.125] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 260"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522518; rev:3093;)
alert ip [188.68.36.209,188.68.57.188,188.77.220.152,188.78.204.44,188.93.213.75,188.97.167.239,188.98.6.187,188.98.6.93,188.99.61.195,189.124.193.119] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 261"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522520; rev:3093;)
alert ip [189.207.214.180,189.60.72.157,189.62.119.168,190.10.8.152,190.10.8.68,190.111.29.98,190.1.228.61,190.123.47.116,190.156.200.202,190.17.26.56] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 262"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522522; rev:3093;)
alert ip [190.17.6.56,190.210.98.90,190.22.73.183,190.56.60.64,190.97.165.141,191.101.31.84,191.176.234.122,191.178.250.236,191.191.97.145,191.34.135.65] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 263"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522524; rev:3093;)
alert ip [192.110.160.146,192.111.150.62,192.124.250.83,192.155.83.101,192.155.95.222,192.157.239.243,192.161.235.132,192.162.133.3,192.162.141.53,192.162.26.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 264"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522526; rev:3093;)
alert ip [192.162.26.38,192.162.26.42,192.163.224.51,192.165.67.254,192.166.218.151,192.166.218.216,192.166.219.194,192.169.166.157,192.169.168.39,192.171.61.113] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 265"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522528; rev:3093;)
alert ip [192.173.158.64,192.184.81.160,192.184.82.128,192.184.85.92,192.187.126.204,192.195.83.134,192.210.192.229,192.210.203.16,192.211.49.217,192.222.191.249] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 266"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522530; rev:3093;)
alert ip [192.222.248.192,192.227.143.25,192.227.243.249,192.228.204.196,192.240.123.2,192.241.134.62,192.241.148.108,192.241.153.159,192.241.180.163,192.241.180.27] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 267"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522532; rev:3093;)
alert ip [192.241.187.237,192.241.189.130,192.241.195.178,192.241.197.81,192.241.206.171,192.241.210.101,192.241.216.120,192.241.233.203,192.249.63.151,192.30.32.44] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 268"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522534; rev:3093;)
alert ip [192.3.148.27,192.3.239.245,192.33.193.24,192.36.27.6,192.36.27.7,192.36.38.33,192.42.113.102,192.42.115.101,192.42.115.102,192.42.116.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 269"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522536; rev:3093;)
alert ip [192.44.30.40,192.52.167.70,192.52.167.71,192.52.183.232,192.52.2.49,192.71.245.137,192.71.245.36,192.81.132.46,192.81.214.126,192.81.217.126] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 270"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522538; rev:3093;)
alert ip [192.81.218.137,192.81.250.118,192.87.28.28,192.87.28.82,192.95.22.146,192.95.25.202,192.95.27.143,192.99.10.202,192.99.13.48,192.99.154.234] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 271"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522540; rev:3093;)
alert ip [192.99.246.101,192.99.54.179,192.99.54.193,192.99.54.5,192.99.57.111,192.99.59.70,192.99.6.28,192.99.63.44,192.99.69.17,192.99.9.138] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 272"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522542; rev:3093;)
alert ip [193.0.213.42,193.104.220.35,193.104.220.54,193.104.254.166,193.105.134.42,193.105.134.56,193.105.134.57,193.10.5.153,193.105.73.80,193.106.166.105] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 273"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522544; rev:3093;)
alert ip [193.108.249.215,193.11.112.188,193.111.140.153,193.111.141.160,193.11.114.43,193.11.114.45,193.11.114.46,193.11.114.69,193.111.26.37,193.11.164.243] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 274"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522546; rev:3093;)
alert ip [193.11.166.194,193.124.182.191,193.124.191.59,193.138.118.8,193.138.118.94,193.150.121.78,193.150.14.60,193.165.137.202,193.165.189.6,193.183.98.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 275"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522548; rev:3093;)
alert ip [193.190.168.51,193.190.168.53,193.19.118.171,193.200.241.195,193.224.163.43,193.227.196.10,193.228.143.17,193.228.143.225,193.23.244.244,193.233.60.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 276"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522550; rev:3093;)
alert ip [193.233.60.90,193.24.209.70,193.35.52.53,193.37.152.133,193.37.152.199,193.42.156.106,193.70.112.165,193.70.15.58,193.70.38.152,193.70.39.124] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 277"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522552; rev:3093;)
alert ip [193.70.43.102,193.70.43.20,193.70.43.76,193.70.73.242,193.70.90.199,193.7.177.223,194.104.0.100,194.109.206.212,194.1.238.115,194.126.175.157] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 278"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522554; rev:3093;)
alert ip [194.150.168.108,194.187.205.151,194.187.207.21,194.187.207.45,194.187.249.116,194.42.108.5,194.63.139.230,194.67.214.123,194.67.219.154,194.88.143.66] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 279"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522556; rev:3093;)
alert ip [194.96.126.205,195.113.199.99,195.12.190.38,195.123.209.96,195.123.210.38,195.12.48.109,195.12.48.212,195.12.48.76,195.12.48.77,195.12.48.78] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 280"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522558; rev:3093;)
alert ip [195.133.48.81,195.13.50.211,195.148.124.199,195.154.162.172,195.154.163.119,195.154.164.243,195.154.164.34,195.154.165.64,195.154.171.24,195.154.177.231] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 281"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522560; rev:3093;)
alert ip [195.154.181.146,195.154.200.129,195.154.209.91,195.154.221.65,195.154.226.249,195.154.235.34,195.154.237.147,195.154.240.145,195.154.241.125,195.154.242.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 282"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522562; rev:3093;)
alert ip [195.154.250.239,195.154.251.25,195.154.252.88,195.154.253.226,195.154.255.174,195.16.89.145,195.169.125.226,195.170.63.164,195.176.247.88,195.180.11.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 283"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522564; rev:3093;)
alert ip [195.181.208.180,195.181.211.88,195.181.223.225,195.181.246.187,195.191.158.17,195.191.233.221,195.200.236.197,195.216.94.52,195.22.127.160,195.225.211.26] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 284"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522566; rev:3093;)
alert ip [195.228.75.149,195.230.168.83,195.234.152.86,195.238.190.101,195.251.252.226,195.28.182.237,195.30.107.220,195.42.115.162,195.62.52.120,195.62.53.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 285"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522568; rev:3093;)
alert ip [195.71.68.84,195.88.208.149,195.91.211.69,195.91.244.98,198.100.144.33,198.100.147.184,198.100.148.112,198.100.148.146,198.101.8.214,198.105.223.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 286"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522570; rev:3093;)
alert ip [198.12.118.14,198.147.22.82,198.148.81.167,198.154.106.54,198.167.223.44,198.199.118.134,198.199.64.217,198.199.90.205,198.204.240.82,198.211.104.110] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 287"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522572; rev:3093;)
alert ip [198.211.120.25,198.211.124.214,198.211.125.242,198.23.161.150,198.233.204.165,198.244.104.174,198.245.50.175,198.245.50.57,198.252.121.79,198.255.94.114] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 288"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522574; rev:3093;)
alert ip [198.27.109.36,198.27.191.62,198.27.64.215,198.27.66.209,198.27.69.201,198.27.80.201,198.27.86.221,198.46.153.51,198.48.130.25,198.50.128.229] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 289"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522576; rev:3093;)
alert ip [198.50.128.234,198.50.135.213,198.50.146.252,198.50.147.70,198.50.191.95,198.50.236.124,198.51.75.52,198.58.102.234,198.58.110.223,198.71.81.66] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 290"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522578; rev:3093;)
alert ip [198.72.229.35,198.74.56.191,198.74.57.57,198.74.60.26,198.74.61.51,198.96.155.9,198.98.50.212,198.98.62.56,199.115.205.248,199.15.250.210] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 291"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522580; rev:3093;)
alert ip [199.175.49.147,199.181.238.127,199.184.246.250,199.188.194.53,199.189.62.251,199.19.213.176,199.195.249.221,199.19.85.252,199.200.15.10,199.231.85.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 292"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522582; rev:3093;)
alert ip [199.241.29.223,199.254.238.53,199.255.223.88,200.122.181.15,200.73.251.82,200.8.206.216,201.17.58.90,201.214.174.246,202.129.80.154,202.53.47.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 293"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522584; rev:3093;)
alert ip [203.141.154.202,203.186.69.98,203.206.25.146,203.220.189.110,203.7.77.255,204.13.164.110,204.152.220.247,204.152.220.248,204.186.244.66,204.27.63.234] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 294"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522586; rev:3093;)
alert ip [204.44.75.210,204.83.204.143,204.9.50.25,205.178.25.71,205.185.124.82,205.204.69.19,206.174.113.156,206.192.252.17,206.221.184.158,206.223.203.129] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 295"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522588; rev:3093;)
alert ip [206.248.134.68,206.40.118.229,206.55.74.1,206.63.229.144,207.154.208.184,207.154.208.75,207.154.217.3,207.154.226.140,207.154.239.150,207.154.248.123] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 296"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522590; rev:3093;)
alert ip [207.181.237.93,207.236.124.177,207.244.75.198,207.6.121.227,208.113.133.247,208.113.165.162,208.113.166.5,208.118.235.48,208.38.243.107,208.64.220.46] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 297"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522592; rev:3093;)
alert ip [208.79.209.124,208.80.154.39,208.83.223.34,208.94.242.26,208.95.3.28,209.102.247.122,209.126.71.233,209.141.34.240,209.141.35.232,209.141.36.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 298"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522594; rev:3093;)
alert ip [209.141.40.22,209.141.49.38,209.141.50.138,209.141.52.13,209.141.60.229,209.171.163.168,209.181.61.219,209.197.145.194,209.208.79.5,209.240.109.238] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 299"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522596; rev:3093;)
alert ip [209.44.114.178,209.58.160.138,209.58.178.49,209.58.180.90,209.6.79.180,209.90.224.5,209.95.48.163,210.1.204.177,210.152.241.60,210.185.115.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 300"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522598; rev:3093;)
alert ip [210.223.103.24,210.3.102.154,210.3.102.165,2.104.52.160,210.54.35.24,2.110.219.47,2.110.60.68,212.10.111.106,212.10.111.112,212.10.153.81] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 301"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522600; rev:3093;)
alert ip [212.107.138.107,212.110.189.186,212.111.40.177,212.111.41.143,212.114.228.30,212.117.180.107,212.117.180.33,212.117.180.45,212.119.243.30,212.129.0.231] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 302"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522602; rev:3093;)
alert ip [212.129.19.196,212.129.34.13,212.129.42.9,212.129.4.84,212.129.49.59,212.129.62.232,212.159.100.232,212.159.112.196,212.159.177.198,212.159.79.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522604; rev:3093;)
alert ip [212.16.170.158,212.17.102.77,212.181.206.122,212.186.197.229,212.186.71.38,212.186.79.250,212.187.200.170,212.198.84.177,212.201.68.152,212.224.76.148] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 304"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522606; rev:3093;)
alert ip [46.38.251.194,46.38.48.225,46.38.51.18,46.39.102.250,46.39.183.60,46.39.227.136,46.39.251.87,46.39.253.63,46.4.0.89,46.4.103.35] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 389"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522776; rev:3093;)
alert ip [46.4.111.124,46.41.132.84,46.4.122.173,46.4.124.165,46.4.125.2,46.4.144.81,46.41.59.223,46.4.174.52,46.4.183.122,46.4.25.214] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 390"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522778; rev:3093;)
alert ip [46.4.253.194,46.4.34.242,46.43.50.92,46.4.40.67,46.4.49.201,46.4.57.151,46.4.58.90,46.4.77.210,46.4.78.3,46.4.81.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 391"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522780; rev:3093;)
alert ip [46.5.233.143,46.59.151.24,46.59.156.138,46.59.209.134,46.59.219.11,46.59.220.98,46.59.72.157,46.59.99.37,46.6.100.154,46.6.79.80] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 392"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522782; rev:3093;)
alert ip [46.6.82.38,46.7.12.146,46.72.216.20,46.7.90.69,46.83.59.214,46.83.63.158,46.84.27.129,46.84.64.91,46.84.66.213,46.87.74.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 393"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522784; rev:3093;)
alert ip [46.91.217.213,46.9.195.188,46.93.224.82,46.93.90.218,47.150.71.57,47.151.150.13,47.152.227.184,47.154.80.129,47.184.12.62,47.211.130.217] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 394"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522786; rev:3093;)
alert ip [47.21.17.46,47.33.13.234,47.34.248.45,47.36.210.167,47.40.229.162,47.52.119.59,47.55.183.10,47.89.178.105,47.89.179.48,47.89.185.247] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 395"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522788; rev:3093;)
alert ip [47.89.191.36,47.89.22.90,47.90.204.139,47.90.204.154,49.212.166.38,50.0.60.210,50.111.33.100,50.116.10.242,50.116.21.172,50.116.39.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 396"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522790; rev:3093;)
alert ip [50.116.40.6,50.116.47.139,50.116.48.133,50.116.49.46,50.116.5.153,50.116.56.48,50.116.7.64,50.193.143.42,50.193.202.38,50.1.99.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 397"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522792; rev:3093;)
alert ip [50.244.200.221,50.31.252.11,50.31.252.43,50.38.36.6,50.53.113.124,50.65.176.4,50.66.85.45,50.7.115.12,50.7.115.67,50.7.116.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 398"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522794; rev:3093;)
alert ip [50.7.151.127,50.7.151.32,50.7.151.47,50.7.176.2,50.7.177.26,50.7.178.146,50.7.178.34,50.7.178.98,50.7.179.202,50.7.179.251] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 399"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522796; rev:3093;)
alert ip [50.7.184.58,50.7.186.38,50.74.108.76,50.76.49.97,50.7.74.171,50.7.74.172,50.89.199.56,5.101.102.82,5.101.103.70,5.10.178.94] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 400"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522798; rev:3093;)
alert ip [5.104.106.38,5.104.90.29,51.141.6.250,51.15.11.64,51.15.128.190,51.15.129.69,51.15.130.249,51.15.130.76,51.15.131.121,51.15.131.29] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 401"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522800; rev:3093;)
alert ip [51.15.13.245,51.15.133.16,51.15.135.5,51.15.137.146,51.15.137.183,51.15.138.145,51.15.139.200,51.15.141.181,51.15.142.10,51.15.142.73] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 402"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522802; rev:3093;)
alert ip [51.15.143.126,51.15.143.178,51.15.143.20,51.15.143.239,51.15.166.221,51.15.171.97,51.15.177.148,51.15.193.126,51.15.3.40,51.15.34.125] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 403"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522804; rev:3093;)
alert ip [51.15.34.165,51.15.36.164,51.15.36.183,51.15.36.42,51.15.37.171,51.15.37.252,51.15.37.97,51.15.38.13,51.15.38.131,51.15.39.53] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 404"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522806; rev:3093;)
alert ip [51.15.39.65,51.15.40.11,51.15.4.10,51.15.41.61,51.15.42.19,51.15.44.251,51.15.44.54,51.15.4.55,51.15.45.92,51.15.46.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 405"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522808; rev:3093;)
alert ip [51.15.46.240,51.15.46.45,51.15.46.47,51.15.47.17,51.15.47.62,51.15.48.254,51.15.49.157,51.15.49.8,51.15.50.109,51.15.50.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 406"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522810; rev:3093;)
alert ip [51.15.51.7,51.15.52.120,51.15.52.244,51.15.53.199,51.15.53.75,51.15.54.132,51.15.54.182,51.15.55.114,51.15.56.101,51.15.56.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 407"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522812; rev:3093;)
alert ip [51.15.56.123,51.15.56.40,51.15.58.152,51.15.58.212,51.15.59.29,51.15.60.102,51.15.60.93,51.15.61.46,51.15.61.7,51.15.62.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 408"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522814; rev:3093;)
alert ip [51.15.62.52,51.15.65.104,51.15.66.23,51.15.66.75,51.15.67.196,51.15.67.36,51.15.67.77,51.15.68.208,51.15.69.160,51.15.69.4] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 409"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522816; rev:3093;)
alert ip [51.15.69.92,51.15.71.243,51.15.71.41,51.15.72.156,51.15.72.209,51.15.72.230,51.15.72.253,51.15.73.133,51.15.73.178,51.15.74.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 410"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522818; rev:3093;)
alert ip [51.15.76.141,51.15.76.56,51.15.77.102,51.15.77.244,51.15.77.25,51.15.78.0,51.15.78.99,51.15.8.23,51.15.9.100,5.11.66.213] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 411"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522820; rev:3093;)
alert ip [51.174.197.117,51.175.193.142,51.175.4.172,51.175.50.162,51.175.64.222,5.12.14.91,51.254.101.176,51.254.101.242,51.254.115.225,51.254.120.82] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 412"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522822; rev:3093;)
alert ip [51.254.124.210,51.254.131.226,51.254.135.213,51.254.136.195,51.254.164.50,51.254.202.160,51.254.209.197,51.254.218.247,51.254.220.21,51.254.221.144] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 413"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522824; rev:3093;)
alert ip [51.254.35.151,51.254.38.249,51.254.45.43,51.255.113.29,51.255.168.229,51.255.169.10,51.255.175.53,51.255.198.77,51.255.203.235,51.255.206.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 414"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522826; rev:3093;)
alert ip [51.255.211.235,51.255.39.110,51.255.40.231,51.255.41.65,51.255.41.91,51.255.44.183,51.255.48.78,51.255.50.238,51.255.50.60,51.255.75.3] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 415"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522828; rev:3093;)
alert ip [51.255.95.102,5.13.235.160,5.135.115.34,5.135.145.195,5.135.152.143,5.135.152.66,5.135.155.121,5.135.159.128,5.135.162.217,5.135.162.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 416"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522830; rev:3093;)
alert ip [5.135.163.78,5.135.176.38,5.135.178.184,5.135.181.213,5.135.182.130,5.135.184.24,5.135.185.145,5.135.186.73,5.135.188.128,5.135.191.185] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 417"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522832; rev:3093;)
alert ip [5.135.199.13,5.135.234.164,5.135.43.38,5.135.65.145,5.141.9.164,5.141.95.84,5.145.46.166,5.146.129.127,5.147.113.133,5.147.125.93] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 418"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522834; rev:3093;)
alert ip [5.147.152.177,5.147.172.122,5.147.248.158,5.148.175.35,5.148.180.48,5.150.221.137,5.150.233.239,5.15.205.85,51.52.35.169,5.158.176.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 419"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522836; rev:3093;)
alert ip [5.164.247.4,5.165.33.31,5.167.155.131,5.172.146.219,5.186.143.227,5.187.48.62,5.187.49.158,5.189.132.79,5.189.138.9,5.189.139.38] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 420"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522838; rev:3093;)
alert ip [5.189.140.21,5.189.142.118,5.189.143.28,5.189.150.139,5.189.153.185,5.189.159.21,5.189.164.230,5.189.169.190,5.189.181.61,5.189.183.90] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 421"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522840; rev:3093;)
alert ip [5.19.162.103,5.19.184.37,5.19.204.140,51.9.208.170,5.196.20.5,5.196.20.85,5.196.222.56,5.196.23.64,5.196.239.114,5.196.26.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 422"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522842; rev:3093;)
alert ip [5.196.29.217,5.196.58.96,5.196.71.24,5.196.72.233,5.196.88.122,5.199.133.193,5.199.142.112,5.199.142.236,5.199.167.207,5.200.23.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 423"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522844; rev:3093;)
alert ip [5.206.225.118,52.10.125.140,52.165.217.243,52.169.10.90,52.173.146.98,52.183.47.155,52.208.34.152,52.209.187.176,52.210.94.70,52.214.216.237] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 424"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522846; rev:3093;)
alert ip [52.215.92.62,52.242.26.186,52.27.7.31,5.228.12.221,5.230.145.65,52.35.11.2,52.36.85.58,52.39.6.26,52.42.94.200,52.48.130.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 425"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522848; rev:3093;)
alert ip [5.249.145.164,5.249.149.153,5.249.159.198,5.249.159.209,52.51.121.89,5.2.54.152,5.255.61.130,5.255.82.75,5.255.86.131,5.255.90.162] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 426"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522850; rev:3093;)
alert ip [52.56.124.204,52.59.252.78,52.60.215.15,52.63.134.148,52.66.117.126,52.66.79.102,52.6.9.146,5.2.70.162,5.2.73.217,5.2.74.83] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 427"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522852; rev:3093;)
alert ip [5.2.75.42,5.28.106.163,52.90.84.21,5.29.115.159,52.91.227.251,5.34.180.231,5.34.183.205,5.39.218.131,5.39.33.176,5.39.33.178] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 428"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522854; rev:3093;)
alert ip [5.39.64.7,5.39.77.208,5.39.80.135,5.39.80.28,5.39.81.102,5.39.82.192,5.39.83.217,5.39.83.27,5.39.86.206,5.39.89.124] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 429"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522856; rev:3093;)
alert ip [5.39.91.86,5.39.92.199,5.39.94.169,5.39.95.142,54.153.249.26,54.179.98.204,54.187.239.16,54.201.201.93,54.202.82.18,54.218.172.0] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 430"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522858; rev:3093;)
alert ip [54.233.155.67,54.241.9.145,54.244.208.214,54.245.9.252,54.36.38.63,5.44.101.190,5.45.100.22,5.45.107.56,5.45.108.48,5.45.109.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 431"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522860; rev:3093;)
alert ip [5.45.111.145,5.45.97.127,54.71.227.111,54.86.232.140,54.88.165.229,54.92.68.99,54.94.154.154,54.94.85.201,5.51.106.108,5.51.204.241] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 432"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522862; rev:3093;)
alert ip [5.57.243.84,5.61.239.34,5.61.34.63,5.79.74.220,5.79.75.37,5.79.86.15,58.176.161.172,5.8.54.12,5.8.54.27,58.93.43.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 433"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522864; rev:3093;)
alert ip [58.96.66.25,5.9.102.198,5.9.110.236,5.9.112.137,5.9.121.207,5.9.121.79,5.9.121.87,5.9.122.110,5.9.129.218,5.9.140.173] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 434"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522866; rev:3093;)
alert ip [5.9.142.76,5.9.147.226,5.9.149.100,5.9.149.55,5.9.149.70,5.9.150.40,5.9.153.114,5.9.156.17,5.9.171.38,5.9.181.162] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 435"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522868; rev:3093;)
alert ip [5.9.188.182,5.9.191.52,5.9.212.204,5.9.239.228,5.9.253.234,5.9.25.79,5.9.39.113,5.9.40.121,5.9.43.3,5.9.50.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 436"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522870; rev:3093;)
alert ip [5.9.56.12,5.9.58.137,5.9.61.207,5.9.62.17,5.9.7.130,5.9.79.142,5.9.79.154,5.9.81.41,5.9.83.204,5.9.88.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 437"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522872; rev:3093;)
alert ip [5.9.98.43,60.112.213.201,60.225.57.95,60.234.102.113,60.48.251.22,61.68.248.113,61.68.41.40,61.68.46.18,62.102.148.172,62.103.152.170] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 438"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522874; rev:3093;)
alert ip [62.103.152.219,62.103.152.227,62.103.152.228,62.108.196.73,62.109.20.48,62.109.4.115,62.113.216.173,62.113.216.177,62.113.227.124,62.113.241.182] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 439"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522876; rev:3093;)
alert ip [62.113.241.207,62.113.254.114,62.12.115.107,62.138.10.60,62.138.10.61,62.138.10.62,62.138.7.171,62.138.7.231,62.141.36.150,62.141.48.175] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 440"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522878; rev:3093;)
alert ip [62.141.51.90,62.141.52.185,62.141.54.86,62.143.28.23,62.149.2.188,62.152.43.203,62.157.77.139,62.167.72.32,62.168.3.212,62.173.154.153] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 441"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522880; rev:3093;)
alert ip [62.176.239.229,62.180.109.11,62.194.12.77,62.194.76.2,62.197.207.182,62.199.169.123,62.210.105.47,62.210.107.86,62.210.109.48,62.210.123.24] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 442"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522882; rev:3093;)
alert ip [62.210.125.130,62.210.132.56,62.210.137.230,62.210.138.3,62.210.170.143,62.210.180.21,62.210.190.5,62.210.203.90,62.210.206.159,62.210.206.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 443"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522884; rev:3093;)
alert ip [62.210.206.53,62.210.213.17,62.210.217.207,62.210.244.146,62.210.24.46,62.210.247.178,62.210.254.132,62.210.36.16,62.210.36.46,62.210.69.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 444"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522886; rev:3093;)
alert ip [62.210.69.236,62.210.74.110,62.210.75.84,62.210.76.88,62.210.82.244,62.210.84.34,62.210.90.164,62.210.90.75,62.210.92.11,62.210.93.142] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 445"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522888; rev:3093;)
alert ip [62.212.72.243,62.213.214.207,62.214.6.61,62.216.5.120,62.216.54.29,62.217.124.253,62.219.182.42,62.219.46.133,62.220.148.87,62.220.148.97] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 446"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522890; rev:3093;)
alert ip [62.224.109.251,62.224.67.233,62.235.105.147,62.242.177.175,62.245.57.78,62.249.170.186,62.251.50.232,62.251.89.74,62.37.150.20,62.4.15.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 447"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522892; rev:3093;)
alert ip [62.6.132.155,62.64.191.92,62.65.107.36,62.68.14.206,62.72.82.222,62.75.147.82,62.75.203.76,62.75.255.37,62.78.245.129,64.137.144.195] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 448"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522894; rev:3093;)
alert ip [64.137.162.93,64.137.163.132,64.137.166.21,64.137.181.8,64.137.191.74,64.137.193.88,64.137.193.91,64.137.193.92,64.137.195.214,64.137.203.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 449"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522896; rev:3093;)
alert ip [64.137.212.51,64.137.220.124,64.137.227.206,64.137.230.59,64.137.240.201,64.137.242.125,64.137.243.27,64.137.243.67,64.137.247.191,64.137.249.201] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 450"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522898; rev:3093;)
alert ip [64.178.138.94,64.228.188.98,64.237.51.46,64.33.179.214,64.91.6.244,64.94.238.142,65.102.134.108,65.183.146.221,65.183.218.89,65.19.167.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 451"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522900; rev:3093;)
alert ip [65.19.167.134,65.19.178.177,65.19.178.241,65.24.56.15,65.50.203.5,65.94.17.75,66.111.2.20,66.111.2.34,66.111.62.85,66.148.116.90] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 452"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522902; rev:3093;)
alert ip [66.170.11.203,66.172.12.174,66.175.217.78,66.175.221.24,66.175.223.145,66.186.230.154,66.191.220.212,66.215.142.69,66.228.39.82,66.228.39.83] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 453"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522904; rev:3093;)
alert ip [66.228.51.186,66.234.218.247,66.235.24.122,66.240.174.9,66.242.92.203,66.246.75.167,66.24.84.54,66.55.215.216,66.55.64.181,66.55.67.28] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 454"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522906; rev:3093;)
alert ip [66.70.211.20,66.90.101.117,67.10.7.28,67.160.203.232,67.162.129.215,67.162.205.205,67.165.240.50,67.170.176.90,67.180.116.128,67.186.115.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 455"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522908; rev:3093;)
alert ip [67.188.115.214,67.205.128.47,67.205.130.27,67.205.137.40,67.207.83.202,67.22.162.61,67.227.198.183,67.227.240.79,67.241.73.26,67.249.138.113] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 456"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522910; rev:3093;)
alert ip [67.254.247.220,67.2.57.141,67.43.0.209,68.102.158.81,68.104.222.58,68.105.130.111,68.112.152.187,68.118.104.181,68.129.4.212,68.148.246.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 457"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522912; rev:3093;)
alert ip [68.151.164.43,68.168.108.152,68.172.40.110,68.174.152.193,68.196.189.216,68.201.5.172,68.203.1.218,68.203.91.245,68.206.20.134,68.2.206.4] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 458"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522914; rev:3093;)
alert ip [68.224.246.169,68.224.252.210,68.230.137.166,68.231.202.157,68.42.193.252,68.61.169.59,68.69.166.68,68.8.163.148,68.82.19.43,68.83.2.168] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 459"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522916; rev:3093;)
alert ip [69.115.102.229,69.115.145.16,69.11.9.116,69.136.179.201,69.138.251.81,69.143.186.130,69.156.146.183,69.16.137.20,69.162.107.5,69.163.35.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 460"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522918; rev:3093;)
alert ip [69.164.195.92,69.164.198.32,69.164.210.140,69.164.210.142,69.164.211.18,69.164.212.180,69.164.214.250,69.164.216.230,69.164.216.82,69.164.221.153] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 461"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522920; rev:3093;)
alert ip [69.164.221.65,69.164.221.78,69.172.169.175,69.174.176.16,69.181.73.164,69.193.72.100,69.202.208.57,69.251.207.212,69.28.82.48,69.30.215.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 462"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522922; rev:3093;)
alert ip [69.30.218.186,69.61.35.184,69.62.162.178,69.64.46.27,69.84.70.38,69.85.115.246,69.85.92.224,69.90.132.10,69.90.132.11,69.90.132.248] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 463"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522924; rev:3093;)
alert ip [69.90.151.229,69.93.127.57,69.93.99.14,70.115.155.92,70.119.125.160,70.124.157.109,70.160.231.36,70.164.197.204,70.173.177.224,70.187.153.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 464"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522926; rev:3093;)
alert ip [70.38.31.121,70.59.88.17,70.63.170.86,70.67.185.41,70.78.109.149,70.79.195.48,70.92.77.22,70.95.78.84,71.10.114.10,71.125.33.223] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 465"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522928; rev:3093;)
alert ip [71.14.188.3,71.161.106.188,71.165.151.35,71.172.62.72,71.19.144.184,71.19.149.21,71.19.154.138,71.19.155.187,71.19.157.127,71.19.157.213] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 466"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522930; rev:3093;)
alert ip [71.191.89.250,71.202.232.139,71.202.61.123,71.204.171.134,71.204.188.148,71.238.214.21,71.245.80.14,71.248.178.98,71.39.169.105,71.54.138.21] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 467"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522932; rev:3093;)
alert ip [71.57.153.248,71.82.236.51,71.8.59.240,71.86.238.225,72.11.61.169,72.11.62.32,72.12.96.84,72.14.177.164,72.14.183.14,72.14.190.137] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 468"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522934; rev:3093;)
alert ip [72.174.129.181,72.174.70.108,72.179.146.98,72.197.6.110,72.234.155.136,72.238.131.236,72.38.1.135,72.42.158.117,72.46.49.24,72.5.72.227] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 469"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522936; rev:3093;)
alert ip [72.66.111.33,72.69.168.215,72.83.36.237,73.110.152.214,73.146.11.203,73.153.100.155,73.158.169.40,73.160.247.47,73.168.232.114,73.170.141.73] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 470"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522938; rev:3093;)
alert ip [73.170.159.10,73.176.222.34,73.193.242.57,73.197.11.4,73.201.115.116,73.201.16.196,73.202.4.42,73.225.68.25,73.233.243.74,73.24.36.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 471"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522940; rev:3093;)
alert ip [73.245.139.113,73.246.41.113,73.25.143.5,73.252.227.171,73.254.86.153,73.40.36.170,73.43.58.31,73.45.37.75,73.58.226.233,73.89.148.177] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 472"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522942; rev:3093;)
alert ip [73.89.87.77,74.103.247.168,74.115.25.12,74.116.186.120,74.121.182.206,74.139.147.78,74.140.170.197,74.207.231.186,74.207.236.197,74.207.237.44] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 473"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522944; rev:3093;)
alert ip [74.207.242.7,74.208.220.222,74.208.234.191,74.208.247.181,74.208.78.130,74.221.46.242,74.222.20.106,74.57.235.186,74.71.234.81,74.86.24.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 474"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522946; rev:3093;)
alert ip [74.88.96.7,74.91.21.2,75.119.251.14,75.127.15.73,75.127.96.101,75.134.154.177,75.135.123.77,75.144.22.203,75.155.22.50,75.161.120.237] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 475"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522948; rev:3093;)
alert ip [75.166.226.179,75.169.5.197,75.176.45.87,75.182.207.22,75.182.90.20,75.87.191.70,76.10.157.58,76.102.13.241,76.105.231.45,76.118.18.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 476"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522950; rev:3093;)
alert ip [76.119.135.44,76.12.219.104,76.126.253.76,76.127.209.65,76.14.112.233,76.167.215.227,76.182.208.232,76.19.132.163,76.217.12.234,76.244.38.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 477"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522952; rev:3093;)
alert ip [76.244.39.154,76.251.164.153,76.255.206.36,76.26.203.243,76.73.234.173,76.85.96.65,76.98.28.62,77.102.174.224,77.102.66.183,77.120.122.102] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 478"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522954; rev:3093;)
alert ip [77.120.122.131,77.120.94.233,77.129.60.166,77.139.132.109,77.140.150.239,77.140.201.83,77.140.93.127,77.148.42.134,77.161.34.157,77.166.206.198] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 479"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522956; rev:3093;)
alert ip [77.170.230.163,77.174.168.42,77.177.30.182,77.178.71.4,77.179.213.231,77.180.116.249,77.180.119.47,77.180.40.15,77.181.119.74,77.185.251.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 480"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522958; rev:3093;)
alert ip [77.187.165.8,77.198.99.139,77.20.129.236,77.203.13.57,77.21.150.101,77.21.35.84,77.2.186.111,77.23.37.2,77.23.56.30,77.238.69.216] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 481"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522960; rev:3093;)
alert ip [77.243.191.50,77.244.37.157,77.246.163.142,77.246.193.59,77.248.157.83,77.250.55.228,77.251.239.123,77.27.140.228,77.37.142.179,77.37.160.18] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 482"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522962; rev:3093;)
alert ip [77.37.162.132,77.37.218.145,77.43.219.246,77.47.119.55,77.47.40.159,77.47.47.126,77.48.73.246,77.56.224.131,77.57.114.44,77.57.126.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 483"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522964; rev:3093;)
alert ip [77.64.230.73,77.66.12.185,77.68.11.42,77.68.42.132,77.70.5.60,77.70.63.220,77.72.150.150,77.73.64.51,77.73.67.139,77.74.96.43] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 484"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522966; rev:3093;)
alert ip [77.75.166.43,77.78.163.128,77.7.96.234,77.81.104.124,77.87.49.6,77.87.50.6,77.94.116.249,78.107.239.213,78.108.77.86,78.109.23.1] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 485"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522968; rev:3093;)
alert ip [78.118.163.95,78.120.51.57,78.124.107.98,78.130.128.106,78.130.195.135,78.13.71.147,78.142.140.242,78.142.145.141,78.142.19.11,78.142.19.215] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 486"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522970; rev:3093;)
alert ip [78.142.19.226,78.156.110.135,78.156.114.237,78.156.117.236,78.192.124.148,78.192.89.9,78.193.140.4,78.193.218.97,78.193.40.205,78.193.40.254] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 487"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522972; rev:3093;)
alert ip [78.194.220.54,78.194.2.61,78.194.37.29,78.200.39.175,78.213.146.86,78.215.220.29,78.219.4.95,78.24.75.53,78.247.96.188,78.27.109.107] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 488"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522974; rev:3093;)
alert ip [78.34.249.163,78.34.65.120,78.35.204.169,78.35.56.203,78.36.44.54,78.43.30.83,78.43.32.13,78.43.34.2,78.46.112.219,78.46.127.239] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 489"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522976; rev:3093;)
alert ip [78.46.139.153,78.46.139.182,78.46.141.74,78.46.145.58,78.46.151.11,78.46.162.123,78.46.185.124,78.46.189.152,78.46.193.41,78.46.203.18] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 490"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522978; rev:3093;)
alert ip [78.46.209.112,78.46.220.130,78.46.221.48,78.46.223.134,78.46.233.214,78.46.239.183,78.46.247.36,78.46.249.71,78.46.253.198,78.46.37.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 491"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522980; rev:3093;)
alert ip [78.46.37.26,78.46.38.250,78.46.44.222,78.46.45.242,78.46.51.124,78.46.53.11,78.46.60.30,78.46.64.245,78.46.82.123,78.46.90.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 492"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522982; rev:3093;)
alert ip [78.46.95.20,78.46.99.169,78.47.117.28,78.47.134.195,78.47.134.196,78.47.142.211,78.47.158.122,78.47.162.163,78.47.167.67,78.47.174.155] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 493"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522984; rev:3093;)
alert ip [78.47.176.74,78.47.18.110,78.47.221.71,78.47.224.202,78.47.224.219,78.47.229.107,78.47.239.80,78.47.35.35,78.47.61.129,78.47.61.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 494"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522986; rev:3093;)
alert ip [78.47.70.123,78.47.9.21,78.47.98.200,78.49.109.5,78.49.115.119,78.49.9.91,78.50.161.130,78.51.79.138,78.52.105.103,78.53.55.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 495"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522988; rev:3093;)
alert ip [78.55.15.45,78.55.194.217,78.55.80.168,78.56.124.16,78.56.40.22,78.84.251.67,78.90.15.229,78.90.227.228,78.94.141.202,78.94.186.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 496"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522990; rev:3093;)
alert ip [78.94.74.236,78.94.92.170,79.111.0.58,79.111.23.100,79.120.10.98,79.120.41.147,79.120.85.102,79.124.58.78,79.124.60.246,79.124.7.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 497"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522992; rev:3093;)
alert ip [79.132.85.150,79.133.210.11,79.136.153.114,79.136.39.109,79.136.43.29,79.136.70.125,79.136.70.93,79.137.106.154,79.137.112.4,79.137.112.5] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 498"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522994; rev:3093;)
alert ip [79.137.116.43,79.137.33.131,79.137.33.24,79.137.35.149,79.137.39.39,79.137.70.81,79.140.41.117,79.140.41.118,79.140.41.13,79.143.178.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 499"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522996; rev:3093;)
alert ip [79.143.183.44,79.143.186.17,79.143.191.22,79.161.248.2,79.172.18.18,79.172.193.32,79.172.204.36,79.172.28.205,79.194.172.217,79.194.87.56] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 500"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522998; rev:3093;)
alert ip [79.194.94.47,79.195.91.6,79.196.254.35,79.205.62.110,79.208.139.197,79.210.105.152,79.211.250.142,79.215.237.119,79.217.46.88,79.217.94.117] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 501"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523000; rev:3093;)
alert ip [79.218.71.143,79.219.217.191,79.225.88.54,79.226.48.28,79.227.188.114,79.231.218.192,79.232.209.58,79.232.88.62,79.233.223.52,79.234.191.179] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 502"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523002; rev:3093;)
alert ip [79.237.12.160,79.240.236.253,79.243.104.218,79.247.169.250,79.250.140.151,79.251.253.10,79.252.118.111,79.252.207.114,79.253.74.57,79.30.186.6] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 503"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523004; rev:3093;)
alert ip [79.98.104.68,79.98.105.18,79.98.108.57,79.98.220.119,80.100.206.150,80.100.250.244,80.100.44.12,80.108.195.250,80.109.112.130,80.109.127.173] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 504"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523006; rev:3093;)
alert ip [80.119.137.65,80.127.107.154,80.127.107.179,80.127.117.180,80.127.118.93,80.127.137.14,80.127.137.19,80.127.151.162,80.127.152.4,80.128.158.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 505"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523008; rev:3093;)
alert ip [80.12.94.184,80.130.35.112,80.131.139.4,80.131.250.156,80.132.187.84,80.135.188.23,80.137.64.222,80.140.45.226,80.143.170.167,80.144.48.145] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 506"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523010; rev:3093;)
alert ip [80.147.33.157,80.169.241.76,80.186.207.144,80.195.23.109,80.203.137.23,80.209.253.48,80.218.186.191,80.218.245.212,80.218.37.232,80.219.119.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 507"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523012; rev:3093;)
alert ip [80.219.136.45,80.220.89.55,80.223.174.207,80.229.140.239,80.229.152.228,80.232.242.31,80.233.134.147,80.233.134.149,80.237.231.134,80.238.105.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 508"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523014; rev:3093;)
alert ip [80.240.216.253,80.241.213.87,80.241.220.57,80.241.222.169,80.243.104.182,80.244.241.254,80.244.243.158,80.248.208.131,80.252.24.116,80.255.0.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 509"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523016; rev:3093;)
alert ip [80.255.6.11,80.255.6.92,80.56.77.242,80.60.245.234,80.64.65.25,80.66.135.123,80.68.92.249,80.71.133.119,80.73.242.142,80.7.54.187] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 510"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523018; rev:3093;)
alert ip [80.81.12.29,80.81.17.31,80.81.243.27,80.85.84.222,80.85.84.72,80.90.250.69,80.99.48.193,81.0.226.3,81.102.219.11,81.103.36.9] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 511"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523020; rev:3093;)
alert ip [81.105.101.129,81.108.197.189,81.132.255.225,81.141.6.226,81.143.236.158,81.165.85.244,81.166.86.51,81.169.130.214,81.169.136.206,81.169.138.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 512"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523022; rev:3093;)
alert ip [81.169.141.222,81.169.152.100,81.169.166.74,81.169.175.164,81.169.211.90,81.169.222.158,81.169.243.74,81.169.246.204,81.169.248.93,81.170.148.194] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 513"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523024; rev:3093;)
alert ip [81.170.217.242,81.171.19.175,81.17.16.43,81.17.17.130,81.17.17.131,81.17.30.33,81.17.30.44,81.17.30.48,81.174.151.215,81.174.156.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 514"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523026; rev:3093;)
alert ip [81.174.231.18,81.177.22.73,81.182.31.72,81.189.17.180,81.19.3.71,81.193.75.91,81.197.116.202,81.200.59.162,81.218.109.195,81.218.138.3] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 515"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523028; rev:3093;)
alert ip [81.218.91.154,81.2.197.33,81.2.209.10,81.221.144.163,81.22.255.146,81.2.237.218,81.225.209.79,81.2.254.143,81.227.128.7,81.228.192.157] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 516"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523030; rev:3093;)
alert ip [81.228.199.75,81.230.166.145,81.233.10.199,81.236.177.247,81.241.121.149,81.245.124.251,81.249.244.44,81.25.54.131,81.30.158.213,81.30.158.81] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 517"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523032; rev:3093;)
alert ip [81.35.215.194,81.4.109.47,81.4.121.48,81.43.149.140,81.56.192.231,81.56.96.154,81.57.208.135,81.67.45.173,81.7.10.193,81.7.10.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 518"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523034; rev:3093;)
alert ip [81.7.10.29,81.7.10.93,81.7.11.142,81.7.11.154,81.7.11.186,81.7.11.22,81.7.11.253,81.7.11.33,81.7.11.38,81.7.11.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 519"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523036; rev:3093;)
alert ip [81.7.11.96,81.7.13.248,81.7.13.84,81.7.14.253,81.7.14.31,81.7.16.139,81.7.16.177,81.7.16.18,81.7.16.182,81.7.16.59] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 520"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523038; rev:3093;)
alert ip [81.7.18.84,81.7.19.110,81.7.3.67,81.82.204.148,81.89.63.150,81.95.13.55,81.95.52.68,81.97.143.247,82.102.142.210,82.103.140.87] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 521"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523040; rev:3093;)
alert ip [82.116.120.3,82.118.17.122,82.118.17.137,82.118.17.235,82.118.242.124,82.118.242.126,82.118.242.128,82.118.242.147,82.118.242.173,82.119.233.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 522"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523042; rev:3093;)
alert ip [82.130.11.148,82.131.107.121,82.131.107.240,82.135.88.37,82.141.39.114,82.146.47.17,82.161.182.20,82.161.210.87,82.161.212.209,82.161.214.117] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 523"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523044; rev:3093;)
alert ip [82.161.50.30,82.165.142.79,82.165.148.163,82.169.80.71,82.181.116.199,82.181.238.144,82.192.250.215,82.192.80.194,82.194.170.30,82.196.11.10] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 524"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523046; rev:3093;)
alert ip [82.196.14.142,82.196.3.85,82.196.6.199,82.196.7.26,82.196.96.127,82.199.155.89,82.202.193.92,82.202.193.94,82.209.179.225,82.209.68.18] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 525"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523048; rev:3093;)
alert ip [82.211.0.180,82.211.0.185,82.211.31.247,82.211.34.97,82.211.60.207,82.211.61.199,82.21.211.29,82.212.221.34,82.213.211.186,82.217.214.215] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 526"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523050; rev:3093;)
alert ip [82.217.245.7,82.219.9.89,82.221.100.29,82.221.104.108,82.221.105.198,82.221.111.151,82.221.111.187,82.221.128.20,82.221.131.59,82.221.131.9] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 527"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523052; rev:3093;)
alert ip [82.221.139.190,82.223.21.74,82.223.36.196,82.226.140.119,82.227.48.17,82.228.252.20,82.229.138.31,82.229.182.19,82.229.26.235,82.243.133.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 528"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523054; rev:3093;)
alert ip [82.247.103.117,82.247.250.162,82.251.17.70,82.251.33.136,82.27.118.130,82.27.255.3,82.28.190.60,82.38.188.37,82.39.122.197,82.41.10.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 529"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523056; rev:3093;)
alert ip [82.44.203.124,82.44.211.228,82.50.191.96,82.5.42.105,82.64.7.146,82.64.9.116,82.66.140.131,8.26.94.18,82.69.76.35,82.71.246.79] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 530"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523058; rev:3093;)
alert ip [82.71.25.129,82.71.7.191,82.80.33.99,82.80.54.64,82.94.132.34,82.94.204.170,82.94.226.146,82.94.251.227,82.95.100.241,82.95.107.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 531"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523060; rev:3093;)
alert ip [82.95.66.203,83.128.173.61,83.134.110.38,83.134.30.70,83.135.106.5,83.135.108.192,83.135.65.74,83.135.66.172,83.143.245.86,83.144.105.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 532"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523062; rev:3093;)
alert ip [83.145.241.231,83.146.231.159,83.149.125.193,83.149.126.139,83.149.20.38,83.149.70.130,83.150.29.178,83.150.59.185,83.150.82.122,83.157.96.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 533"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523064; rev:3093;)
alert ip [83.160.139.183,83.161.249.125,83.162.178.67,83.162.188.100,83.162.199.60,83.162.202.182,83.162.47.26,83.163.201.168,83.163.77.195,83.171.176.227] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 534"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523066; rev:3093;)
alert ip [83.173.198.226,83.175.100.130,83.194.3.100,83.202.164.197,83.212.100.100,83.212.101.60,83.212.102.114,83.212.102.18,83.212.104.124,83.212.105.144] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 535"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523068; rev:3093;)
alert ip [83.212.168.186,83.212.96.120,83.212.96.170,83.212.96.206,83.220.174.128,83.222.144.185,83.226.202.54,83.227.113.24,83.227.84.31,83.227.85.29] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 536"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523070; rev:3093;)
alert ip [83.228.93.76,83.233.213.202,83.233.76.111,83.234.1.41,83.240.14.219,83.248.84.123,83.249.111.190,83.250.10.13,83.251.198.255,83.252.97.5] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 537"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523072; rev:3093;)
alert ip [83.253.136.88,83.254.19.5,83.254.93.78,83.33.79.205,83.37.107.244,83.37.125.244,83.40.159.127,83.55.10.34,83.60.126.121,8.37.14.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 538"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523074; rev:3093;)
alert ip [83.76.91.146,83.85.252.55,83.86.120.4,83.87.163.195,83.97.85.145,84.10.12.74,84.106.234.152,84.107.116.107,84.112.147.73,84.112.41.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 539"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523076; rev:3093;)
alert ip [84.114.3.54,84.114.57.193,84.115.197.133,84.115.25.42,84.118.164.156,84.128.105.189,84.130.124.138,84.132.221.14,84.133.3.94,84.133.79.167] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 540"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523078; rev:3093;)
alert ip [84.142.199.143,84.147.44.33,84.154.219.13,84.156.27.127,84.157.130.216,84.157.50.116,84.158.221.123,84.159.89.43,84.160.71.137,84.16.241.89] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 541"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523080; rev:3093;)
alert ip [84.164.218.243,84.168.200.152,84.170.120.107,84.17.21.50,84.173.201.133,84.176.97.168,84.179.218.191,84.180.110.191,84.180.215.81,84.182.191.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 542"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523082; rev:3093;)
alert ip [84.182.57.238,84.187.131.93,84.190.34.220,84.191.36.51,84.19.178.155,84.19.178.79,84.19.179.106,84.19.179.229,84.195.229.182,84.198.103.245] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 543"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523084; rev:3093;)
alert ip [84.200.106.6,84.200.206.99,84.200.77.243,84.200.8.207,84.200.8.33,84.208.170.253,84.209.131.13,84.211.49.30,84.216.252.200,84.219.130.131] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 544"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523086; rev:3093;)
alert ip [84.226.125.7,84.2.34.74,84.236.38.14,84.240.60.234,84.241.65.20,84.244.31.52,84.245.15.253,84.245.25.64,84.245.27.209,84.245.30.154] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 545"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523088; rev:3093;)
alert ip [84.248.100.7,84.248.120.6,84.248.223.126,84.249.11.195,84.250.184.214,84.250.227.192,84.250.229.213,84.250.39.220,8.42.76.105,84.27.95.53] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 546"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523090; rev:3093;)
alert ip [84.31.70.198,84.38.134.12,84.38.68.90,84.40.112.70,84.44.179.22,84.44.199.57,84.45.76.10,84.45.76.11,84.45.76.12,84.45.76.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 547"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523092; rev:3093;)
alert ip [84.46.45.105,84.46.47.170,84.47.78.125,84.50.177.101,84.52.225.99,84.53.247.169,84.55.82.94,84.57.132.42,84.63.193.31,84.63.245.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 548"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523094; rev:3093;)
alert ip [84.73.20.157,84.73.220.65,84.74.101.248,84.74.253.127,84.74.80.210,84.75.179.223,84.75.94.209,84.80.80.69,84.81.140.11,84.92.97.97] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 549"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523096; rev:3093;)
alert ip [84.9.49.106,85.10.113.36,85.10.196.12,85.10.198.236,85.10.201.47,85.10.203.71,85.10.240.250,85.113.226.98,85.113.39.154,85.114.133.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 550"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523098; rev:3093;)
alert ip [85.119.82.151,85.119.83.141,85.1.32.115,85.140.184.38,85.14.244.114,85.14.245.175,85.14.249.247,85.144.52.175,85.152.229.51,85.159.211.55] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 551"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523100; rev:3093;)
alert ip [85.159.237.210,85.164.238.48,85.169.111.217,85.17.112.163,85.17.112.32,85.171.173.161,85.17.164.165,85.17.164.172,85.17.194.180,85.17.214.177] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 552"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523102; rev:3093;)
alert ip [85.176.222.176,85.179.90.198,85.180.41.212,85.180.89.64,85.181.54.110,85.183.102.49,85.184.160.128,85.195.207.92,85.195.215.194,85.195.235.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 553"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523104; rev:3093;)
alert ip [85.195.237.134,85.195.237.40,85.195.252.93,85.195.255.205,85.195.82.76,85.197.31.100,85.204.121.218,85.21.144.224,85.21.144.33,85.212.37.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 554"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523106; rev:3093;)
alert ip [85.212.60.178,85.212.60.3,85.212.8.191,85.214.101.233,85.214.115.214,85.214.124.168,85.214.128.199,85.214.136.179,85.214.144.127,85.214.144.159] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 555"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523108; rev:3093;)
alert ip [85.214.20.43,85.214.206.219,85.214.212.153,85.214.222.152,85.214.236.207,85.214.44.172,85.214.54.254,85.214.56.180,85.214.58.236,85.214.62.48] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 556"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523110; rev:3093;)
alert ip [85.214.62.94,85.214.69.75,85.214.74.47,85.216.128.76,85.218.19.154,85.218.82.169,85.220.190.246,85.220.42.195,85.222.0.229,85.227.129.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 557"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523112; rev:3093;)
alert ip [85.229.228.174,85.229.37.150,85.229.84.141,85.230.184.93,85.230.21.88,85.23.194.151,85.23.194.153,85.235.225.239,85.235.250.88,85.237.43.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 558"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523114; rev:3093;)
alert ip [85.24.183.236,85.24.188.22,85.244.122.69,85.246.242.197,85.25.111.77,85.25.13.222,85.25.132.5,85.25.133.34,85.25.150.216,85.25.159.253] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 559"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523116; rev:3093;)
alert ip [85.25.159.65,85.25.210.223,85.25.213.211,85.25.248.108,85.25.44.141,85.255.1.158,85.31.186.253,85.5.164.201,85.52.147.46,85.90.247.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 560"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523118; rev:3093;)
alert ip [85.93.16.47,85.93.17.143,85.93.217.20,86.103.181.196,86.103.207.103,86.104.15.15,86.105.212.130,86.105.212.204,86.106.137.6,86.107.110.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 561"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523120; rev:3093;)
alert ip [86.107.110.254,86.107.110.34,86.107.110.51,86.107.110.82,86.110.117.166,86.115.45.141,86.123.52.188,86.124.38.162,86.142.149.240,86.143.8.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 562"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523122; rev:3093;)
alert ip [86.150.235.216,86.164.122.208,86.171.122.38,86.17.252.138,86.174.156.27,86.179.31.216,86.181.198.165,86.19.102.206,86.194.79.171,86.201.56.209] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 563"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523124; rev:3093;)
alert ip [86.215.161.214,86.23.4.224,86.237.8.54,86.239.246.46,86.248.190.6,86.25.228.206,86.253.207.211,86.29.208.115,86.31.40.147,86.3.172.141] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 564"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523126; rev:3093;)
alert ip [86.56.172.235,86.59.119.83,86.59.119.88,86.59.21.163,86.59.21.38,86.7.140.31,86.73.143.244,86.83.122.203,86.86.173.62,86.87.106.215] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 565"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523128; rev:3093;)
alert ip [86.88.32.199,87.100.131.62,87.102.15.216,87.102.172.100,87.106.140.24,87.106.14.159,87.106.145.238,87.106.208.236,87.106.249.118,87.106.59.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 566"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523130; rev:3093;)
alert ip [87.118.110.113,87.118.111.27,87.118.112.136,87.118.112.63,87.118.114.134,87.118.116.227,87.118.122.120,87.118.122.201,87.118.126.206,87.118.126.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 567"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523132; rev:3093;)
alert ip [87.118.89.28,87.118.94.2,87.120.254.161,87.120.254.204,87.121.98.208,87.121.98.43,87.122.110.161,87.122.110.190,87.122.96.132,87.123.149.181] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 568"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523134; rev:3093;)
alert ip [87.123.35.186,87.128.103.242,87.128.111.190,87.139.33.217,87.140.70.14,87.140.80.53,87.146.194.183,87.148.147.123,87.149.117.13,87.150.13.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 569"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523136; rev:3093;)
alert ip [87.151.25.84,87.15.243.146,87.153.102.225,87.157.177.171,87.157.183.223,87.159.56.141,87.163.50.7,87.169.255.104,87.170.157.10,87.172.1.40] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 570"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523138; rev:3093;)
alert ip [87.17.221.66,87.173.60.125,87.174.237.66,87.176.52.57,87.176.54.116,87.177.140.98,87.177.171.142,87.180.36.240,87.181.87.166,87.182.204.132] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 571"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523140; rev:3093;)
alert ip [87.183.239.19,87.184.200.45,87.185.40.120,87.186.43.179,87.187.212.74,87.187.216.139,87.187.218.184,87.187.36.44,87.193.179.238,87.193.208.14] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 572"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523142; rev:3093;)
alert ip [87.205.153.191,87.206.52.43,87.219.93.174,87.230.25.149,87.231.28.173,87.236.194.23,87.236.215.156,87.236.215.83,87.236.27.155,87.254.66.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 573"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523144; rev:3093;)
alert ip [87.52.3.33,87.72.197.113,87.72.239.187,87.72.73.231,87.73.84.77,87.78.98.152,87.79.181.31,87.79.79.94,87.79.95.151,87.88.49.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 574"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523146; rev:3093;)
alert ip [87.92.163.24,87.98.180.9,87.98.185.5,87.98.243.150,87.98.245.84,88.109.16.208,88.113.152.171,88.130.97.249,88.130.99.84,88.152.235.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 575"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523148; rev:3093;)
alert ip [88.156.10.253,88.156.182.196,88.159.152.177,88.159.164.249,88.159.254.102,88.159.76.202,88.163.244.124,88.165.244.169,88.17.157.204,88.176.12.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 576"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523150; rev:3093;)
alert ip [88.180.173.63,88.187.120.90,88.187.233.27,88.188.17.198,88.191.138.57,88.191.212.33,88.193.129.197,88.193.138.181,88.193.200.225,88.198.107.179] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 577"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523152; rev:3093;)
alert ip [88.198.109.149,88.198.110.194,88.198.119.197,88.198.13.116,88.198.148.255,88.198.164.219,88.198.192.156,88.198.19.4,88.198.194.89,88.198.207.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523154; rev:3093;)
alert ip [88.198.44.145,88.198.6.3,88.198.70.137,88.204.112.242,88.208.121.78,88.208.220.123,88.21.232.113,88.217.143.53,88.64.76.6,88.66.247.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 579"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523156; rev:3093;)
alert ip [88.66.85.27,88.67.47.98,88.7.230.172,88.73.134.236,88.74.215.91,88.80.214.189,88.86.102.163,88.91.112.31,88.98.252.234,88.99.104.94] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 580"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523158; rev:3093;)
alert ip [88.99.141.248,88.99.14.92,88.99.162.199,88.99.169.186,88.99.170.243,88.99.172.64,88.99.174.144,88.99.186.21,88.99.189.0,88.99.199.87] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 581"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523160; rev:3093;)
alert ip [88.99.21.163,88.99.21.171,88.99.216.194,88.99.217.110,88.99.2.24,88.99.27.131,88.99.31.186,88.99.35.178,88.99.36.32,88.99.70.107] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 582"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523162; rev:3093;)
alert ip [88.99.90.203,88.99.96.224,89.0.158.33,89.0.53.125,89.100.9.6,89.102.142.167,89.107.155.162,89.111.20.68,89.12.177.229,89.1.28.168] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 583"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523164; rev:3093;)
alert ip [89.13.225.51,89.13.237.53,89.133.129.147,89.13.44.164,89.13.67.50,89.14.152.171,89.150.174.50,89.16.176.158,89.162.0.126,89.163.141.115] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 584"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523166; rev:3093;)
alert ip [89.163.141.116,89.163.146.41,89.163.210.163,89.163.210.164,89.163.211.42,89.163.216.165,89.163.219.118,89.163.219.27,89.163.224.187,89.163.224.250] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 585"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523168; rev:3093;)
alert ip [89.163.224.70,89.163.225.115,89.163.225.145,89.163.225.6,89.163.225.7,89.163.242.53,89.163.245.116,89.163.245.181,89.163.245.184,89.163.245.199] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 586"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523170; rev:3093;)
alert ip [89.163.246.127,89.163.246.250,89.163.247.115,89.163.249.200,89.163.249.201,89.166.124.13,89.173.212.31,89.175.27.163,89.176.17.234,89.179.119.165] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 587"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523172; rev:3093;)
alert ip [89.18.172.112,89.18.173.41,89.183.209.51,89.187.143.81,89.188.109.210,89.191.217.1,89.207.129.150,89.217.38.172,89.217.96.72,89.22.100.64] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523174; rev:3093;)
alert ip [89.221.210.122,89.221.210.151,89.223.27.241,89.22.97.193,89.2.29.89,89.23.229.110,89.234.182.176,89.234.186.18,89.236.144.248,89.238.178.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 589"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523176; rev:3093;)
alert ip [89.238.178.123,89.238.178.238,89.238.66.240,89.244.173.134,89.244.205.159,89.245.104.57,89.247.11.173,89.247.199.126,89.247.202.92,89.247.47.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 590"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523178; rev:3093;)
alert ip [89.247.61.188,89.247.6.83,89.248.170.227,89.249.65.6,89.33.246.114,89.33.6.24,89.34.237.13,89.34.237.21,89.34.237.230,89.35.134.154] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 591"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523180; rev:3093;)
alert ip [89.35.178.104,89.35.29.19,89.35.29.26,89.35.39.108,89.3.76.94,89.39.67.33,89.40.116.223,89.40.119.43,89.40.125.73,89.40.126.152] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 592"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523182; rev:3093;)
alert ip [89.45.67.137,89.46.100.162,89.46.100.71,89.46.222.254,89.46.70.98,89.67.100.248,89.71.161.30,89.73.57.178,89.82.171.44,89.89.43.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 593"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523184; rev:3093;)
alert ip [90.146.141.214,90.155.76.242,90.184.239.156,90.215.206.6,90.224.9.202,90.225.80.159,90.228.240.43,90.230.158.145,90.254.70.1,90.34.208.210] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 594"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523186; rev:3093;)
alert ip [90.3.4.65,90.45.213.132,90.65.63.146,90.79.101.154,90.79.169.1,90.87.129.49,90.90.170.255,90.92.136.122,91.100.103.196,91.105.203.92] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 595"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523188; rev:3093;)
alert ip [91.106.170.116,91.106.172.58,91.106.193.118,91.109.29.241,91.121.109.209,91.121.116.34,91.121.1.20,91.121.147.65,91.121.154.109,91.121.155.33] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 596"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523190; rev:3093;)
alert ip [91.121.158.17,91.121.160.215,91.121.160.6,91.121.166.152,91.121.16.67,91.121.177.171,91.121.183.178,91.121.192.154,91.121.195.169,91.121.205.56] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 597"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523192; rev:3093;)
alert ip [91.121.218.189,91.121.224.10,91.121.230.208,91.121.230.212,91.121.230.214,91.121.230.216,91.121.230.218,91.121.23.100,91.121.28.66,91.121.67.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 598"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523194; rev:3093;)
alert ip [91.121.73.223,91.121.76.175,91.121.78.119,91.121.79.188,91.121.82.25,91.121.83.108,91.121.84.137,91.121.85.130,91.121.89.201,91.121.98.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 599"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523196; rev:3093;)
alert ip [91.122.100.13,91.122.31.175,91.122.46.175,91.122.47.234,91.122.52.237,91.123.24.138,91.124.27.210,91.126.45.228,91.130.33.90,91.134.131.128] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 600"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523198; rev:3093;)
alert ip [91.134.133.88,91.134.135.12,91.134.137.99,91.134.140.21,91.134.180.240,91.134.217.18,91.134.237.118,91.136.164.146,91.138.71.236,91.143.80.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 601"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523200; rev:3093;)
alert ip [91.143.91.142,91.143.93.29,91.145.118.93,91.146.122.45,91.155.183.84,91.155.228.254,91.16.120.166,91.16.12.249,91.16.71.63,91.176.189.201] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 602"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523202; rev:3093;)
alert ip [91.176.51.65,91.17.82.134,91.18.230.84,91.186.57.78,91.18.81.173,91.188.125.128,91.190.234.66,91.19.232.150,91.194.90.103,91.198.212.250] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 603"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523204; rev:3093;)
alert ip [91.200.13.76,91.200.162.25,91.200.162.9,91.203.138.58,91.203.146.126,91.203.147.165,91.203.5.146,91.203.5.165,91.205.173.82,91.205.89.126] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 604"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523206; rev:3093;)
alert ip [91.210.104.91,91.210.106.134,91.211.107.172,91.211.247.112,91.211.247.71,91.213.233.107,91.213.233.138,91.213.233.194,91.213.233.60,91.213.8.101] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 605"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523208; rev:3093;)
alert ip [91.213.8.89,91.214.169.69,91.218.112.34,91.2.18.68,91.219.236.250,91.219.237.117,91.219.237.154,91.219.237.19,91.219.238.112,91.219.238.221] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 606"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523210; rev:3093;)
alert ip [91.219.238.224,91.219.239.121,91.219.239.92,91.219.28.211,91.219.28.85,91.219.28.99,91.219.29.157,91.219.29.188,91.219.29.238,91.220.145.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 607"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523212; rev:3093;)
alert ip [91.220.220.5,91.221.119.33,91.221.66.21,91.221.66.220,91.224.149.33,91.224.156.117,91.22.57.79,91.226.212.67,91.228.52.186,91.228.53.86] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 608"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523214; rev:3093;)
alert ip [91.229.20.27,91.229.76.124,91.231.86.101,91.231.86.204,91.233.106.237,91.233.116.119,91.233.116.51,91.233.133.244,91.236.116.36,91.236.116.7] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 609"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523216; rev:3093;)
alert ip [91.236.116.8,91.236.116.87,91.236.116.88,91.236.239.135,91.236.239.140,91.236.251.42,91.236.251.72,91.237.244.62,91.237.247.62,91.237.52.170] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 610"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523218; rev:3093;)
alert ip [91.237.88.108,91.239.232.81,91.240.229.195,91.247.251.26,91.248.53.93,91.250.100.7,91.250.84.156,91.34.243.67,91.37.97.140,91.39.101.21] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 611"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523220; rev:3093;)
alert ip [91.40.39.184,91.45.230.139,91.46.61.152,91.49.132.129,91.49.140.172,91.49.45.62,91.49.51.27,91.50.170.219,91.50.246.218,91.51.107.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 612"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523222; rev:3093;)
alert ip [91.51.134.4,91.54.179.239,91.54.201.162,91.62.254.228,91.63.50.152,91.64.27.10,91.64.51.214,91.65.105.24,91.65.134.181,91.65.191.101] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 613"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523224; rev:3093;)
alert ip [91.65.61.217,91.66.76.145,91.69.192.38,91.7.58.246,91.77.252.217,91.79.27.85,91.8.214.141,91.90.166.69,91.9.202.182,91.92.115.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 614"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523226; rev:3093;)
alert ip [91.9.216.25,91.96.2.188,91.97.3.133,92.104.238.109,92.111.4.177,92.151.189.187,92.167.38.82,92.169.22.209,92.169.48.59,92.177.28.114] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 615"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523228; rev:3093;)
alert ip [92.191.127.225,92.191.202.80,92.194.213.142,92.200.11.177,92.201.106.193,92.201.58.171,92.204.82.227,92.206.26.29,92.211.43.219,92.220.233.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 616"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523230; rev:3093;)
alert ip [92.220.40.210,92.222.115.28,92.222.162.54,92.222.180.10,92.222.181.104,92.222.181.123,92.222.207.227,92.222.22.113,92.222.22.37,92.222.22.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 617"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523232; rev:3093;)
alert ip [92.222.24.63,92.222.26.216,92.222.39.183,92.222.39.196,92.222.4.102,92.222.69.173,92.222.74.203,92.222.9.53,92.223.105.32,92.223.72.168] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 618"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523234; rev:3093;)
alert ip [92.226.164.131,92.243.0.179,92.243.30.208,92.243.69.105,92.247.51.169,92.249.143.119,92.255.176.138,92.255.207.89,92.27.7.209,92.39.246.45] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 619"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523236; rev:3093;)
alert ip [92.43.29.220,92.5.217.154,92.52.32.77,92.55.0.224,92.62.46.190,92.63.174.36,92.63.174.71,92.75.240.25,92.77.131.143,92.90.196.61] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 620"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523238; rev:3093;)
alert ip [93.100.231.62,93.100.237.212,93.104.208.119,93.104.209.158,93.104.209.61,93.104.213.65,93.104.83.158,93.115.241.194,93.115.241.2,93.115.241.50] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 621"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523240; rev:3093;)
alert ip [93.115.29.86,93.115.82.180,93.115.84.143,93.115.91.66,93.115.95.38,93.115.96.15,93.115.97.242,93.123.90.13,93.137.196.134,93.144.157.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 622"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523242; rev:3093;)
alert ip [93.144.207.182,93.152.159.223,93.157.51.22,93.158.216.142,93.170.77.90,93.180.136.43,93.180.154.94,93.180.156.84,93.180.157.154,93.181.102.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 623"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523244; rev:3093;)
alert ip [93.184.24.182,93.186.200.68,93.188.161.109,93.188.161.36,93.190.141.115,93.195.42.20,93.198.166.25,93.198.177.109,93.198.177.91,93.200.157.179] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 624"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523246; rev:3093;)
alert ip [93.202.182.34,93.202.247.222,93.203.122.229,93.204.19.216,93.205.162.51,93.205.164.158,93.205.168.70,93.206.105.74,93.211.208.22,93.212.72.106] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 625"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523248; rev:3093;)
alert ip [93.215.24.154,93.215.33.5,93.218.105.12,93.218.57.71,93.21.95.172,93.219.95.188,93.220.11.110,93.220.2.212,93.220.76.73,93.225.115.240] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 626"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523250; rev:3093;)
alert ip [93.225.189.24,93.226.250.177,93.227.133.182,93.227.45.40,93.228.169.102,93.228.170.48,93.230.171.235,93.230.27.178,93.231.225.100,93.231.227.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 627"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523252; rev:3093;)
alert ip [93.233.108.105,93.237.129.27,93.237.143.17,93.237.145.128,93.238.176.157,93.239.20.192,93.244.1.171,93.244.226.172,93.29.252.27,93.55.225.152] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 628"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523254; rev:3093;)
alert ip [93.58.11.24,93.72.198.81,93.72.89.51,93.73.103.6,93.76.246.35,93.80.95.169,93.89.101.27,93.91.157.42,93.92.203.113,93.92.205.248] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 629"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523256; rev:3093;)
alert ip [93.95.100.138,93.95.100.166,93.95.100.202,93.95.227.245,93.95.228.49,94.100.21.162,94.100.23.18,94.100.23.26,94.100.31.194,94.100.6.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 630"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523258; rev:3093;)
alert ip [94.100.6.27,94.112.217.77,94.126.170.165,94.130.10.251,94.130.21.85,94.130.31.206,94.130.32.101,94.130.34.199,94.130.52.205,94.130.58.99] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 631"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523260; rev:3093;)
alert ip [94.130.68.230,94.130.69.171,94.130.79.44,94.132.132.205,94.134.172.71,94.140.120.130,94.140.120.44,94.142.241.138,94.142.245.206,94.14.38.250] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 632"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523262; rev:3093;)
alert ip [94.155.122.185,94.155.49.47,94.156.128.10,94.156.175.120,94.156.175.157,94.156.175.174,94.16.137.7,94.16.173.106,94.176.139.186,94.177.228.80] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523264; rev:3093;)
alert ip [94.177.246.37,94.180.103.5,94.180.91.6,94.181.44.45,94.181.45.237,94.185.90.86,94.19.12.244,94.19.14.183,94.198.100.18,94.198.100.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 634"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523266; rev:3093;)
alert ip [94.198.68.92,94.198.98.21,94.198.98.35,94.198.98.61,94.198.98.71,94.21.108.113,94.212.20.248,94.214.190.171,94.214.240.71,94.222.19.206] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 635"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523268; rev:3093;)
alert ip [94.223.83.204,94.225.100.84,94.226.151.128,94.228.86.11,94.22.93.92,94.230.202.199,94.23.1.164,94.23.13.107,94.23.144.49,94.23.150.210] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 636"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523270; rev:3093;)
alert ip [94.23.153.241,94.23.154.36,94.23.168.235,94.23.173.93,94.23.174.26,94.23.17.58,94.23.18.169,94.23.20.28,94.23.203.74,94.23.204.175] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 637"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523272; rev:3093;)
alert ip [94.23.207.40,94.23.212.220,94.23.213.46,94.23.247.125,94.23.247.42,94.23.248.158,94.23.252.71,94.23.27.228,94.23.29.204,94.23.7.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 638"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523274; rev:3093;)
alert ip [94.23.78.159,94.23.78.34,94.23.89.90,94.23.9.194,94.241.32.11,94.242.209.121,94.242.209.244,94.242.222.129,94.242.222.176,94.242.222.217] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 639"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523276; rev:3093;)
alert ip [94.242.222.62,94.242.222.66,94.242.228.174,94.242.250.118,94.242.254.91,94.242.255.112,94.242.57.112,94.242.57.164,94.242.58.151,94.242.58.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 640"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523278; rev:3093;)
alert ip [94.242.58.233,94.242.59.147,94.242.59.47,94.247.43.246,94.248.21.145,94.252.108.192,94.254.19.150,94.254.35.25,94.254.40.64,94.31.53.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 641"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523280; rev:3093;)
alert ip [94.60.255.42,94.74.81.113,94.79.137.182,94.79.173.226,95.105.221.15,95.109.122.144,95.111.56.101,95.113.220.3,95.113.254.113,95.129.164.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 642"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523282; rev:3093;)
alert ip [95.130.11.15,95.130.11.186,95.130.11.5,95.130.12.119,95.130.12.12,95.130.9.76,95.133.43.144,95.141.32.76,95.141.35.15,95.141.44.61] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 643"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523284; rev:3093;)
alert ip [95.141.44.66,95.141.46.172,95.141.83.146,95.142.160.233,95.143.172.140,95.143.172.188,95.143.172.212,95.143.172.214,95.143.192.12,95.143.192.35] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 644"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523286; rev:3093;)
alert ip [95.143.193.145,95.143.193.19,95.143.193.20,95.146.129.169,95.151.73.17,95.153.31.8,95.153.32.10,95.156.95.8,95.161.4.34,95.165.133.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 645"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523288; rev:3093;)
alert ip [95.165.143.112,95.165.166.133,95.169.188.103,95.183.48.40,95.183.50.138,95.183.51.126,95.183.51.160,95.183.52.172,95.183.55.53,95.183.55.64] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 646"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523290; rev:3093;)
alert ip [95.188.94.18,95.211.101.141,95.211.138.51,95.211.138.7,95.211.153.12,95.211.156.164,95.211.160.148,95.211.169.34,95.211.186.80,95.211.205.138] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 647"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523292; rev:3093;)
alert ip [95.211.209.73,95.211.210.72,95.211.211.240,95.211.224.12,95.211.225.167,95.211.7.158,95.211.94.113,95.213.11.175,95.213.149.166,95.213.182.28] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 648"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523294; rev:3093;)
alert ip [95.213.207.165,95.215.44.102,95.215.44.105,95.215.44.167,95.215.44.88,95.215.45.138,95.215.45.142,95.215.45.188,95.215.45.236,95.215.46.123] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 649"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523296; rev:3093;)
alert ip [95.215.46.69,95.215.47.206,95.215.61.4,95.223.83.22,95.23.149.72,95.27.167.103,95.27.196.229,95.28.56.2,95.31.19.171,95.31.24.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 650"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523298; rev:3093;)
alert ip [95.31.38.209,95.33.74.90,95.37.235.44,95.42.126.167,95.57.120.117,95.58.170.163,95.71.126.230,95.71.255.254,95.72.8.104,95.79.229.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 651"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523300; rev:3093;)
alert ip [95.79.96.7,95.80.44.100,95.80.45.74,95.84.164.34,95.84.209.126,95.85.1.113,95.85.19.162,95.85.20.73,95.85.32.10,95.85.34.137] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 652"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523302; rev:3093;)
alert ip [95.85.37.111,95.85.38.152,95.85.8.226,95.86.193.186,95.88.112.11,95.90.178.205,95.91.100.114,95.91.1.149,95.91.38.156,96.126.105.219] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 653"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523304; rev:3093;)
alert ip [96.126.125.187,96.126.96.9,96.126.96.90,96.18.182.94,96.230.56.58,96.234.163.101,96.239.122.20,96.240.10.123,96.242.253.84,96.248.12.242] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 654"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523306; rev:3093;)
alert ip [96.253.78.108,96.255.206.102,96.35.69.1,96.65.123.249,96.65.68.193,96.68.219.29,96.68.60.77,96.81.131.84,96.92.118.50,96.92.142.205] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 655"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523308; rev:3093;)
alert ip [96.9.242.48,97.107.132.24,97.107.138.68,97.107.139.108,97.107.139.28,97.107.142.234,97.113.14.165,97.86.44.160,97.90.130.111,97.95.35.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 656"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523310; rev:3093;)
alert ip [97.99.128.23,98.115.57.155,98.116.98.49,98.193.192.116,98.200.162.245,98.201.49.226,98.206.202.53,98.214.167.61,98.216.134.151,98.217.121.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 657"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523312; rev:3093;)
alert ip [98.217.8.51,98.220.250.164,98.233.45.225,98.235.185.167,99.164.139.172,99.225.25.117,99.230.190.118,99.247.229.177,99.248.248.37,99.51.71.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 658"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523314; rev:3093;)