[Snort-sigs] Bleedingsnort.com Daily Update

Subject: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Tue, 1 Feb 2005 20:00:02 -0500 (EST)

[***] Results from Oinkmaster started Tue Feb  1 20:00:02 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (16):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Search Relevancy Spyware"; 
uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase; 
flow:established,to_server; sid:2001696; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Flingstone Spyware Install"; 
uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase; 
flow:established,to_server; sid:2001710; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Windupdates.com Spyware Install"; 
uricontent:"/cab/CDTInc/ie/"; nocase; uricontent:".cab"; nocase; 
flow:established,to_server; sid:2001700; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download"; 
uricontent:"/agentprefs.sah"; nocase; flow:established,to_server; sid:2001709; 
rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Heartbeat"; 
uricontent:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; 
flow:established,to_server; sid:2001708; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Context Plus Spyware Install"; 
uricontent:"/AproposClientInstaller.exe"; nocase; flow:established,to_server; 
sid:2001704; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Context Plus Spyware Activity"; 
content:"User-Agent\: AproposClient AutoLoader"; nocase; 
flow:established,to_server; sid:2001703; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware YourSiteBar Activity"; classtype:trojan-activity; 
reference:url,www.ysbweb.com; content:"User-Agent\: istsvc"; nocase; 
flow:to_server,established; sid:2001699; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Activity"; 
content:"User-Agent\: SAH Agent"; nocase; flow:established,to_server; 
sid:2001707; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware YourSiteBar Data Submission"; 
classtype:trojan-activity; reference:url,www.ysbweb.com; 
uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; 
flow:to_server,established; sid:2001698; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Activity"; 
content:"User-Agent\: Bundle"; nocase; flow:established,to_server; sid:2001702; 
rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Data Submission"; 
classtype:trojan-activity; reference:url,www.isearchtech.com; 
uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; 
flow:to_server,established; sid:2001697; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE 
Malware Likely Spambot Web-based Control Traffic"; content:"User-Agent\: 
Godzilla"; nocase; classtype:trojan-activity; flow:to_server,established; 
sid:2001711; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Flingstone Spyware Install"; 
uricontent:"/softwares/SportsInteraction.exe"; nocase; 
flow:established,to_server; sid:2001705; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Context Plus Spyware Activity"; 
content:"User-Agent\: EnvoloAutoUpdater AutoLoader"; nocase; 
flow:established,to_server; sid:2001706; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Windupdates.com Spyware Logging Data"; 
uricontent:"/logging.php?p="; nocase; content:"Host\: public.windupdates.com"; 
nocase; flow:established,to_server; sid:2001701; rev:2;)

     -> Added to bleeding-virus.rules (1):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bagle.BJ 
[alias .AY, .BC] - download attempt"; content:"GET /error.jpg"; nocase; 
reference:url,secunia.com/virus_information/14877/; classtype:trojan-activity; 
flow:established; sid: 2001695; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-dos.rules (2):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE DOS squ1rt Apache DoS"; flow: to_server,established; 
flowbits: isset,http.get; dsize: 1448; content:"|20202020|"; depth: 4; content: 
"|20202020|"; offset: 1436; depth: 4; sid:2001636; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE DOS squ1rt Apache DoS"; flow: to_server,established; 
flowbits: isset,http.get; dsize: 1448; content:"|20202020|"; depth: 4; content: 
"|20202020|"; offset: 1436; depth: 4; classtype:attempted-dos; sid:2001636; 
rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE DOS HTTP GET with newline appended"; content:"GET / 
HTTP/1.0|0a|"; flow:to_server,established; flowbits:set,http.get; 
flowbits:noalert; sid:2001635; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE DOS HTTP GET with newline appended"; content:"GET / 
HTTP/1.0|0a|"; flow:to_server,established; flowbits:set,http.get; 
flowbits:noalert; classtype:attempted-dos; sid:2001635; rev:2;)

     -> Modified active in bleeding-exploit.rules (16):
        old: alert tcp any $HTTP_PORTS -> any any ( msg:"BLEEDING-EDGE EXPLOIT 
IE IFRAME Exploit"; 
pcre:"/(EMBED|FRAME|SRC)\s*=\s*[\"']*?(file|http)\://\w{578}|\W{578}/im"; 
pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*[\"']\w{2086}|\W{2086}/im"; 
flow:from_server,established; sid:2001401; rev:10;)
        new: alert tcp any $HTTP_PORTS -> any any ( msg:"BLEEDING-EDGE EXPLOIT 
IE IFRAME Exploit"; 
pcre:"/(EMBED|FRAME|SRC)\s*=\s*[\"']*?(file|http)\://\w{578}|\W{578}/im"; 
pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*[\"']\w{2086}|\W{2086}/im"; 
flow:from_server,established; classtype:misc-attack; sid:2001401; rev:11;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in"; 
uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; 
flow:to_server,established; sid:2001667; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in"; 
uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001667; rev:4;)
        old: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT 
NTDump Session Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 
00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; 
flow:to_server,established; sid:2001543; rev:3;)
        new: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT 
NTDump Session Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 
00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; 
flow:to_server,established; classtype:misc-activity; sid:2001543; rev:4;)
        old: alert tcp any any -> any 139 (msg:"BLEEDING-EDGE Pwdump3e Session 
Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 
52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; 
flow:to_server,established; sid:2000565; rev:2;)
        new: alert tcp any any -> any 139 (msg:"BLEEDING-EDGE Pwdump3e Session 
Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 
52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; 
flow:to_server,established; classtype:suspicious-login; sid:2000565; rev:3;)
        old: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 
Lsasrv.dll RPC exploit (WinXP)";content:"|95 14 40 00 03 00 00 00 7C 70 40 00 
01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; flow:to_server,established; 
sid:2000033; rev:2;)
        new: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 
Lsasrv.dll RPC exploit (WinXP)";content:"|95 14 40 00 03 00 00 00 7C 70 40 00 
01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; flow:to_server,established; 
classtype:misc-activity; sid:2000033; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: 
"BLEEDING-EDGE MS04-032 Bad EMF file"; content: "|01 00 00 00|"; depth: 4; 
content: "|20 45 4d 46|"; depth: 44; offset: 40; byte_test: 4, >, 256, 60, 
little; flow:from_server,established; sid:2001374; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: 
"BLEEDING-EDGE MS04-032 Bad EMF file"; content: "|01 00 00 00|"; depth: 4; 
content: "|20 45 4d 46|"; depth: 44; offset: 40; byte_test: 4, >, 256, 60, 
little; flow:from_server,established; classtype:misc-activity; sid:2001374; 
rev:3;)
        old: alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE Pwdump3e 
Password Hash Retrieval port 139"; content:"\:|00|5|00|0|00|0"; 
flow:from_server,established; sid:2000568; rev:3;)
        new: alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE Pwdump3e 
Password Hash Retrieval port 139"; content:"\:|00|5|00|0|00|0"; 
flow:from_server,established; classtype:misc-attack; sid:2000568; rev:4;)
        old: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT 
NTDump.exe Service Started port 445"; content:"|4e 00 74 00 44 00 75 00 6d 00 
70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; 
sid:2001544; rev:3;)
        new: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT 
NTDump.exe Service Started port 445"; content:"|4e 00 74 00 44 00 75 00 6d 00 
70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; 
classtype:misc-activity; sid:2001544; rev:4;)
        old: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT 
NTDump Session Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 
00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; 
flow:to_server,established; sid:2001052; rev:3;)
        new: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT 
NTDump Session Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 
00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; 
flow:to_server,established; classtype:misc-activity; sid:2001052; rev:5;)
        old: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 
Lsasrv.dll RPC exploit (Win2k)";content:"|00 00 00 00 9A A8 40 00 01 00 00 00 
00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; 
flow:to_server,established; sid:2000046; rev:2;)
        new: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 
Lsasrv.dll RPC exploit (Win2k)";content:"|00 00 00 00 9A A8 40 00 01 00 00 00 
00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; 
flow:to_server,established; classtype:misc-activity; sid:2000046; rev:3;)
        old: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE Pwdump3e 
pwservice.exe Access port 139"; 
content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; 
flow:to_server,established; sid:2000567; rev:3;)
        new: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE Pwdump3e 
pwservice.exe Access port 139"; 
content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; 
flow:to_server,established; classtype:misc-attack; sid:2000567; rev:4;)
        old: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE Pwdump3e Session 
Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 
52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; 
flow:to_server,established; sid:2000566; rev:2;)
        new: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE Pwdump3e Session 
Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 
52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; 
flow:to_server,established; classtype:suspicious-login; sid:2000566; rev:3;)
        old: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT 
NTDump.exe Service Started port 139"; content:"|4e 00 74 00 44 00 75 00 6d 00 
70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; 
sid:2001053; rev:3;)
        new: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT 
NTDump.exe Service Started port 139"; content:"|4e 00 74 00 44 00 75 00 6d 00 
70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; 
classtype:misc-activity; sid:2001053; rev:4;)
        old: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e 
pwservice.exe Access port 445"; 
content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; 
flow:to_server,established; sid:2000564; rev:4;)
        new: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e 
pwservice.exe Access port 445"; 
content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; 
flow:to_server,established; classtype:misc-attack; sid:2000564; rev:5;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in (to 
blahot.com)"; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; 
nocase; content:"Host\: www.blahot.com"; nocase; flow:to_server,established; 
sid:2001671; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in (to 
blahot.com)"; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; 
nocase; content:"Host\: www.blahot.com"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001671; rev:4;)
        old: alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e 
Password Hash Retrieval port 445"; content:"\:|00|5|00|0|00|0"; 
flow:from_server,established; sid:2000563; rev:4;)
        new: alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e 
Password Hash Retrieval port 445"; content:"\:|00|5|00|0|00|0"; 
flow:from_server,established; classtype:misc-attack; sid:2000563; rev:5;)

     -> Modified active in bleeding-inappropriate.rules (10):
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BLEEDING-EDGE Inappropriate Sextracker Tracking Code Detected"; 
content:"BEGIN SEXLIST REFERRER-STATS CODE"; nocase; 
flow:from_server,established; sid:2001392; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BLEEDING-EDGE Inappropriate Sextracker Tracking Code Detected"; 
content:"BEGIN SEXLIST REFERRER-STATS CODE"; nocase; 
flow:from_server,established; classtype:kickass-porn; sid:2001392; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Kiddy Porn early teen"; content:"early teen"; nocase; 
threshold: type threshold, track by_dst,count 5, seconds 360; 
flow:from_server,established; sid:2001348; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Kiddy Porn early teen"; content:"early teen"; nocase; 
threshold: type threshold, track by_dst,count 5, seconds 360; 
flow:from_server,established; classtype:policy-violation; sid:2001348; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn zeps"; content:" zeps "; nocase; 
flow:from_server,established; sid:2001387; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn zeps"; content:" zeps "; nocase; 
flow:from_server,established; classtype:policy-violation; sid:2001387; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Inappropriate Likely Porn"; pcre:"/ (FREE 
XXX|dildo|masturbat|oral sex|ejaculat|up 
skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|sex|porn)|raw 
sex|((fuck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; 
classtype:kickass-porn; sid:2001608; rev:1;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Inappropriate Likely Porn"; pcre:"/ (FREE 
XXX|dildo|masturbat|oral sex|ejaculat|up 
skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|sex|porn)|raw 
sex|((fuck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; 
flow:established,from_server; classtype:kickass-porn; sid:2001608; rev:2;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn childlover"; content:" childlover 
"; nocase; flow:from_server,established; sid:2001389; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn childlover"; content:" childlover 
"; nocase; flow:from_server,established; classtype:policy-violation; 
sid:2001389; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn pthc"; content:" pthc "; nocase; 
flow:from_server,established; sid:2001386; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn pthc"; content:" pthc "; nocase; 
flow:from_server,established; classtype:policy-violation; sid:2001386; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn r@ygold"; content:" r@ygold "; 
nocase; flow:from_server,established; sid:2001388; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn r@ygold"; content:" r@ygold "; 
nocase; flow:from_server,established; classtype:policy-violation; sid:2001388; 
rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Kiddy Porn pre-teen"; content:"pre-teen"; nocase; 
threshold: type threshold, track by_dst,count 5, seconds 360; 
flow:from_server,established; sid:2001347; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Kiddy Porn pre-teen"; content:"pre-teen"; nocase; 
threshold: type threshold, track by_dst,count 5, seconds 360; 
flow:from_server,established; classtype:policy-violation; sid:2001347; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BLEEDING-EDGE Inappropriate Sextracker Tracking Code Detected"; 
content:"BEGIN SEXTRACKER CODE"; nocase; flow:from_server,established; 
sid:2001393; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BLEEDING-EDGE Inappropriate Sextracker Tracking Code Detected"; 
content:"BEGIN SEXTRACKER CODE"; nocase; flow:from_server,established; 
classtype:kickass-porn; sid:2001393; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Kiddy Porn preteen"; content:"preteen"; nocase; threshold: 
type threshold, track by_dst,count 5, seconds 360; 
flow:from_server,established; sid:2001346; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Kiddy Porn preteen"; content:"preteen"; nocase; threshold: 
type threshold, track by_dst,count 5, seconds 360; 
flow:from_server,established; classtype:policy-violation; sid:2001346; rev:3;)

     -> Modified active in bleeding-malware.rules (86):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Oenji.com Install"; 
uricontent:"/Bundled/OemjiInstall"; nocase; classtype:trojan-activity; 
flow:to_server,established; sid:2001538; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Oenji.com Install"; 
uricontent:"/Bundled/OemjiInstall"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001538; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware SurfAssistant.com Spyware Activity"; 
content:"User-Agent\: ML"; flow:to_server,established; sid:2001515; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware SurfAssistant.com Spyware Activity"; 
content:"User-Agent\: ML"; flow:to_server,established; 
classtype:trojan-activity; sid:2001515; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; 
uricontent:"/dkprogs/mstasks3.txt"; nocase; flow:to_server,established; 
sid:2001483; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; 
uricontent:"/dkprogs/mstasks3.txt"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001483; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware"; pcre:"/Host\: 
\w*.ak-networks.com/im"; flow:to_server,established; sid:2001529; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware"; pcre:"/Host\: 
\w*.ak-networks.com/im"; flow:to_server,established; classtype:trojan-activity; 
sid:2001529; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; 
uricontent:"/dkprogs/dktibs.php"; nocase; flow:to_server,established; 
sid:2001474; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; 
uricontent:"/dkprogs/dktibs.php"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001474; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; 
uricontent:"http\://pizdato.biz/gamma-test.htm"; nocase; 
flow:to_server,established; sid:2001476; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; 
uricontent:"http\://pizdato.biz/gamma-test.htm"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001476; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; 
uricontent:"/x30/d.exe"; nocase; flow:to_server,established; sid:2001484; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; 
uricontent:"/x30/d.exe"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001484; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Coolsearch Spyware Install"; 
content:"http\://coolsearch.biz/united.htm"; nocase; 
flow:to_server,established; sid:2001479; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Coolsearch Spyware Install"; 
content:"http\://coolsearch.biz/united.htm"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001479; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; 
pcre:"/Host\: \w*\.spyspotter.com/im"; flow:to_server,established; sid:2001537; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; 
pcre:"/Host\: \w*\.spyspotter.com/im"; flow:to_server,established; 
classtype:trojan-activity; sid:2001537; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware E2give Related Reporting"; 
uricontent:"/count/count.php?&mm2cpr"; nocase; flow:to_server,established; 
sid:2001423; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware E2give Related Reporting"; 
uricontent:"/count/count.php?&mm2cpr"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001423; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Update"; 
uricontent:"/data/spv15.dat?v="; nocase; flow:to_server,established; 
sid:2001513; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Update"; 
uricontent:"/data/spv15.dat?v="; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001513; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; 
uricontent:"/silent_install.exe"; content:"Host\: install.searchmiracle.com"; 
nocase; reference:url,www.searchmiracle.com; nocase; 
flow:to_server,established; sid:2001534; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; 
uricontent:"/silent_install.exe"; content:"Host\: install.searchmiracle.com"; 
nocase; reference:url,www.searchmiracle.com; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001534; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll"; 
uricontent:"/downloads/IeBHOs.dll"; nocase; flow:to_server,established; 
sid:2001415; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll"; 
uricontent:"/downloads/IeBHOs.dll"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001415; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware ak-networks.com Access, Likely Spyware"; 
content:"Host\: app.desktop.ak-networks.com"; nocase; 
flow:to_server,established; sid:2001528; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware ak-networks.com Access, Likely Spyware"; 
content:"Host\: app.desktop.ak-networks.com"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001528; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Install Report"; 
pcre:"//user\d+/counter.htm/im"; flow:to_server,established; sid:2001541; 
rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Install Report"; 
pcre:"//user\d+/counter.htm/im"; flow:to_server,established; 
classtype:trojan-activity; sid:2001541; rev:4;)
        old: alert tcp $HOME_NET any -> any any (msg:"BLEEDING_EDGE Malware 
JoltID Agent P2P via Proxy Server"; content:"POST http\://"; nocase; 
content:"\:3531/.pkt"; within:20; nocase; flow:to_server,established; 
sid:2001679; rev:3;)
        new: alert tcp $HOME_NET any -> any any (msg:"BLEEDING_EDGE Malware 
JoltID Agent P2P via Proxy Server"; content:"POST http\://"; nocase; 
content:"\:3531/.pkt"; within:20; nocase; classtype:trojan-activity; 
flow:to_server,established; sid:2001679; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Activity"; 
content:"User-Agent\: NSISDL"; nocase; content:"medialoads.com"; nocase; 
flow:to_server,established; sid:2001504; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Activity"; 
content:"User-Agent\: NSISDL"; nocase; content:"medialoads.com"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001504; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Comet Systems Spyware Traffic"; 
uricontent:"/context/1/up_context_1.xml"; nocase; flow:to_server,established; 
sid:2001655; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Comet Systems Spyware Traffic"; 
uricontent:"/context/1/up_context_1.xml"; nocase; flow:to_server,established; 
classtype:policy-violation; sid:2001655; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Look2me Spyware Activity"; content:"Referer\: 
Look2Me"; nocase; flow:to_server,established; sid:2001499; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Look2me Spyware Activity"; content:"Referer\: 
Look2Me"; nocase; flow:to_server,established; classtype:trojan-activity; 
sid:2001499; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casino on Net Install"; 
reference:url,www.888casino.net; uricontent:"/newdownload/newsetup/"; nocase; 
content:"casinone"; nocase; flow:to_server,established; sid:2001041; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casino on Net Install"; 
reference:url,www.888casino.net; uricontent:"/newdownload/newsetup/"; nocase; 
content:"casinone"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001041; rev:3;)
        old: alert tcp $HOME_NET any -> 216.151.85.195 $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Unknown Suspicious PrintMe Suspected Spyware"; 
content:"PrintMe"; classtype:bad-unknown; sid:2001665; rev:1;)
        new: alert tcp $HOME_NET any -> 216.151.85.195 $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Unknown Suspicious PrintMe Suspected Spyware"; 
content:"PrintMe"; classtype:bad-unknown; flow:established; sid:2001665; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware ICQ-Update.biz Reporting Install"; 
uricontent:"log.php?IP="; nocase; content:"&Port1="; nocase; content:"Host\: 
www.icq-update.biz"; nocase; flow:to_server,established; sid:2001490; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware ICQ-Update.biz Reporting Install"; 
uricontent:"log.php?IP="; nocase; content:"&Port1="; nocase; content:"Host\: 
www.icq-update.biz"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001490; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Access, Likely Spyware"; 
pcre:"/Host\: \w*.searchmiracle.com/im"; flow:to_server,established; 
sid:2001532; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Access, Likely Spyware"; 
pcre:"/Host\: \w*.searchmiracle.com/im"; flow:to_server,established; 
classtype:trojan-activity; sid:2001532; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Media-Motor Related Downloading MediaMotor25.exe"; 
uricontent:"/soft/MediaMotor25.exe"; nocase; flow:to_server,established; 
sid:2001414; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Media-Motor Related Downloading MediaMotor25.exe"; 
uricontent:"/soft/MediaMotor25.exe"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001414; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Tibsystems Spyware Activity"; 
uricontent:"/d4.fcgi?v="; nocase; flow:to_server,established; sid:2001488; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Tibsystems Spyware Activity"; 
uricontent:"/d4.fcgi?v="; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001488; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Receiving Commands"; 
uricontent:"/xpsystem/commands.ini"; nocase; flow:to_server,established; 
sid:2001475; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Receiving Commands"; 
uricontent:"/xpsystem/commands.ini"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001475; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyspotter.com Install"; 
uricontent:"/SpySpotterInstall.cab"; nocase; classtype:trojan-activity; 
flow:to_server,established; sid:2001536; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyspotter.com Install"; 
uricontent:"/SpySpotterInstall.cab"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001536; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS  
(msg:"BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable"; 
content:"/soft/loads/"; nocase; within:5; content:".exe"; nocase; 
flow:to_server,established; sid:2001412; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS  
(msg:"BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable"; 
content:"/soft/loads/"; nocase; within:5; content:".exe"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001412; rev:3;)
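Review bot: `within:5` is placed directly after `content:"/soft/loads/"; nocase;`, so it modifies that 12-byte pattern rather than the `.exe` that follows, and a 12-byte pattern can never be found inside a 5-byte window. Move the modifier after `content:".exe"; nocase;` and widen it, since a filename of unknown length sits between the directory and the extension; `uricontent` would also be the more natural buffer for a request path, as the other Mastermind rules (sids 2001411, 2001413) use.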
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casino on Net Reporting Data"; 
reference:url,www.888casino.net; uricontent:"/logs.asp?MSGID=100"; nocase; 
flow:to_server,established; sid:2001031; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casino on Net Reporting Data"; 
reference:url,www.888casino.net; uricontent:"/logs.asp?MSGID=100"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001031; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
uricontent:"/fa/xpl3.htm"; nocase; flow:to_server,established; sid:2001470; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
uricontent:"/fa/xpl3.htm"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001470; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; 
uricontent:"/dkprogs/toolbar.txt"; nocase; flow:to_server,established; 
sid:2001473; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; 
uricontent:"/dkprogs/toolbar.txt"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001473; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware SurfAssistant.com Spyware Install"; 
uricontent:"/distribution/questmod-1.dll"; nocase; flow:to_server,established; 
sid:2001510; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware SurfAssistant.com Spyware Install"; 
uricontent:"/distribution/questmod-1.dll"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001510; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casino on Net Ping Hit"; 
reference:url,www.888casino.net; uricontent:"/Ping/Ping.txt"; nocase; 
flow:to_server,established; sid:2001032; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casino on Net Ping Hit"; 
reference:url,www.888casino.net; uricontent:"/Ping/Ping.txt"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001032; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"BLEEDING-EDGE 
Malware Mastermind Related Reporting 8081"; content:"/a?l=PeAyF1sgrZYw&i="; 
nocase; flow:to_server,established; sid:2001410; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"BLEEDING-EDGE 
Malware Mastermind Related Reporting 8081"; content:"/a?l=PeAyF1sgrZYw&i="; 
nocase; flow:to_server,established; classtype:trojan-activity; sid:2001410; 
rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Config"; 
uricontent:"/dw/cgi/download.cgi?sn=&pid="; nocase; 
content:"Host\:config.medialoads.com"; nocase; flow:to_server,established; 
sid:2001503; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Config"; 
uricontent:"/dw/cgi/download.cgi?sn=&pid="; nocase; 
content:"Host\:config.medialoads.com"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001503; rev:3;)
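Review bot: `content:"Host\:config.medialoads.com"` has no space after the colon, so it will not match the usual `Host: config.medialoads.com` header; the same literal is used in sids 2001508 and 2001509 below. Unless a capture shows this client really omits the space, either add it or match on `config.medialoads.com` alone.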
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Spyware Install Reporting"; 
uricontent:"/xpsystem/report.php?user_id="; nocase; 
uricontent:"&status=0&country_id="; nocase; flow:to_server,established; 
sid:2001472; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Spyware Install Reporting"; 
uricontent:"/xpsystem/report.php?user_id="; nocase; 
uricontent:"&status=0&country_id="; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001472; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Reporting"; 
uricontent:"/dw/cgi/download.cgi?sn="; nocase; 
content:"Host\:config.medialoads.com"; nocase; flow:to_server,established; 
sid:2001508; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Reporting"; 
uricontent:"/dw/cgi/download.cgi?sn="; nocase; 
content:"Host\:config.medialoads.com"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001508; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyware Stormer Reporting Data"; 
uricontent:"/showme.aspx?keyword="; nocase; content:"ecomdata1="; nocase; 
reference:url,www.spywarestormer.com; flow:established,to_server; sid:2001570; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyware Stormer Reporting Data"; 
uricontent:"/showme.aspx?keyword="; nocase; content:"ecomdata1="; nocase; 
reference:url,www.spywarestormer.com; flow:established,to_server; 
classtype:trojan-activity; sid:2001570; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spygalaxy.ws Activity"; 
uricontent:"/install.php?id="; nocase; content:"Host\: spygalaxy.ws"; nocase; 
flow:to_server,established; sid:2001489; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spygalaxy.ws Activity"; 
uricontent:"/install.php?id="; nocase; content:"Host\: spygalaxy.ws"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001489; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Reporting"; 
uricontent:"/dw/cgi/register.cgi?v="; nocase; 
content:"Host\:config.medialoads.com"; nocase; flow:to_server,established; 
sid:2001509; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Reporting"; 
uricontent:"/dw/cgi/register.cgi?v="; nocase; 
content:"Host\:config.medialoads.com"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001509; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware E2give Related Reporting Install"; 
uricontent:"/count/count.php?&mm"; nocase; flow:to_server,established; 
sid:2001416; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware E2give Related Reporting Install"; 
uricontent:"/count/count.php?&mm"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001416; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware ak-networks.com Spyware Code Download"; 
uricontent:"/SyncAkSoft.da_"; nocase; flow:to_server,established; sid:2001530; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware ak-networks.com Spyware Code Download"; 
uricontent:"/SyncAkSoft.da_"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001530; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
uricontent:"/dl/adv121/x.chm"; nocase; flow:to_server,established; sid:2001467; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
uricontent:"/dl/adv121/x.chm"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001467; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; 
uricontent:"/protector.exe"; content:"Host\: install.searchmiracle.com"; 
nocase; reference:url,www.searchmiracle.com; nocase; 
flow:to_server,established; sid:2001535; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; 
uricontent:"/protector.exe"; content:"Host\: install.searchmiracle.com"; 
nocase; reference:url,www.searchmiracle.com; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001535; rev:4;)
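Review bot: `nocase` appears twice on the `Host\: install.searchmiracle.com` content, once before and once after the `reference` option; the second is a no-op and can be dropped. Note also that `uricontent:"/protector.exe"` carries no `nocase` while the Host match does, so an upper-cased path would slip past; decide whether that asymmetry is intended.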
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spywaremover Activity"; 
uricontent:"/spywareremovers.php?"; content:"Host\: topantispyware.com"; 
nocase; flow:to_server,established; sid:2001520; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spywaremover Activity"; 
uricontent:"/spywareremovers.php?"; content:"Host\: topantispyware.com"; 
nocase; flow:to_server,established; classtype:trojan-activity; sid:2001520; 
rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Avres.net Downloading cpr_mm2.exe"; 
uricontent:"/tt/cpr_mm2.exe"; nocase; flow:to_server,established; sid:2001419; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Avres.net Downloading cpr_mm2.exe"; 
uricontent:"/tt/cpr_mm2.exe"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001419; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs CHM Exploit"; 
uricontent:"/fa/ied_s7m.chm"; nocase; flow:to_server,established; sid:2001468; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs CHM Exploit"; 
uricontent:"/fa/ied_s7m.chm"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001468; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Overpro Spyware Games"; 
uricontent:"/blocks/blasterblocks"; nocase; flow:to_server,established; 
sid:2001459; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Overpro Spyware Games"; 
uricontent:"/blocks/blasterblocks"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001459; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Install Code Download"; 
uricontent:"/install.gz"; nocase; content:"Host\: xpire.info"; nocase; 
flow:to_server,established; sid:2001491; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Install Code Download"; 
uricontent:"/install.gz"; nocase; content:"Host\: xpire.info"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001491; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
content:"src=http\://xpire.info/i.exe"; nocase; flow:to_server,established; 
sid:2001463; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
content:"src=http\://xpire.info/i.exe"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001463; rev:3;)
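Review bot: `src=http\://xpire.info/i.exe` is an HTML attribute that would appear in a page served to the victim, but the rule is `$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS` with `flow:to_server`, so it only fires if the string shows up inside a request (for instance as a URL parameter). If the intent is to catch the injected tag, reverse the header and flow (`$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any`, `flow:from_server,established`); the client's request for `/i.exe` itself is already covered by sid 2001464 below.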
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
uricontent:"/dl/adv121.php"; nocase; flow:to_server,established; sid:2001466; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
uricontent:"/dl/adv121.php"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001466; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Tibsystems Spyware Activity"; content:"User-Agent\: 
TIBS Loader"; nocase; flow:to_server,established; sid:2001487; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Tibsystems Spyware Activity"; content:"User-Agent\: 
TIBS Loader"; nocase; flow:to_server,established; classtype:trojan-activity; 
sid:2001487; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spywaremover Activity"; 
uricontent:"/download/cabs/THNALL1L/thnall1l.exe"; content:"Host\: 
static.callinghome.biz"; nocase; flow:to_server,established; sid:2001521; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spywaremover Activity"; 
uricontent:"/download/cabs/THNALL1L/thnall1l.exe"; content:"Host\: 
static.callinghome.biz"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001521; rev:3;)
        old: alert tcp any !20 -> $HOME_NET !25 (msg:"BLEEDING-EDGE Malware 
Possible Windows executable sent when remote host claims to send an image"; 
content: "Content-Type\: image"; content: "MZ"; within:12; flow: established; 
sid:2001685; rev:1;)
        new: alert tcp any !20 -> $HOME_NET !25 (msg:"BLEEDING-EDGE Malware 
Possible Windows executable sent when remote host claims to send an image"; 
content: "Content-Type\: image"; content: "MZ"; within:12; flow: established; 
classtype:trojan-activity; sid:2001685; rev:2;)
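Review bot: `content: "MZ"; within:12` leaves room for the subtype and the blank line (`/gif\r\n\r\nMZ` is 11 bytes) but not for a longer subtype such as `image/x-icon` or for any header that follows Content-Type, so whether the rule fires depends on header order; widen the window or anchor on the `\r\n\r\n` end-of-headers sequence instead. `Content-Type\: image` also has no `nocase`, and HTTP header names are case-insensitive, so a lower-cased `content-type` is missed; the same applies to the companion rules 2001683 and 2001684.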
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; 
uricontent:"/dkprogs/systime.txt"; nocase; flow:to_server,established; 
sid:2001480; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; 
uricontent:"/dkprogs/systime.txt"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001480; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Mastermind Related Downloading mm20.ocx"; 
uricontent:"/soft/mm20.ocx"; nocase; flow:to_server,established; sid:2001411; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Mastermind Related Downloading mm20.ocx"; 
uricontent:"/soft/mm20.ocx"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001411; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware ICQ-Update.biz Reporting Install"; 
uricontent:"/update.exe"; nocase; content:"Host\: update.icq-update.biz"; 
nocase; flow:to_server,established; sid:2001519; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware ICQ-Update.biz Reporting Install"; 
uricontent:"/update.exe"; nocase; content:"Host\: update.icq-update.biz"; 
nocase; flow:to_server,established; classtype:trojan-activity; sid:2001519; 
rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Avres.net Downloading ab1.exe"; 
uricontent:"/tt/ab1.exe"; nocase; flow:to_server,established; sid:2001420; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Avres.net Downloading ab1.exe"; 
uricontent:"/tt/ab1.exe"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001420; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Spyware Exploit"; 
uricontent:"/2DimensionOfExploitsEnc.php"; nocase; flow:to_server,established; 
sid:2001471; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Spyware Exploit"; 
uricontent:"/2DimensionOfExploitsEnc.php"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001471; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware E2give Related Downloading Code"; 
uricontent:"/soft/unstall.exe"; nocase; flow:to_server,established; 
sid:2001418; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware E2give Related Downloading Code"; 
uricontent:"/soft/unstall.exe"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001418; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Look2me Spyware Activity"; 
uricontent:"/cgi-bin/BW.exe"; content:"Host\: www.look2me.com"; nocase; 
flow:to_server,established; sid:2001502; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Look2me Spyware Activity"; 
uricontent:"/cgi-bin/BW.exe"; content:"Host\: www.look2me.com"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001502; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs Occuring"; 
uricontent:"/fa/?d=get"; nocase; flow:to_server,established; sid:2001462; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs Occuring"; 
uricontent:"/fa/?d=get"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001462; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS  
(msg:"BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe"; 
uricontent:"/dist/ast_4_mm.exe"; nocase; flow:to_server,established; 
sid:2001413; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS  
(msg:"BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe"; 
uricontent:"/dist/ast_4_mm.exe"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001413; rev:3;)
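Review bot: the msg reads `Medis-Motor` while the related rule above (sid 2001414) spells it `Media-Motor`; this looks like a typo, and it will split the alerts in any console that groups on msg text.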
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casino on Net Data Download"; 
reference:url,www.888casino.net; uricontent:"/sdl/casinov"; nocase; 
flow:to_server,established; sid:2001033; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casino on Net Data Download"; 
reference:url,www.888casino.net; uricontent:"/sdl/casinov"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001033; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware SurfAssistant.com Spyware Reporting"; 
uricontent:"/sa/?a="; nocase; content:"Host\: sa-001.com"; nocase; 
flow:to_server,established; sid:2001514; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware SurfAssistant.com Spyware Reporting"; 
uricontent:"/sa/?a="; nocase; content:"Host\: sa-001.com"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001514; rev:3;)
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
Malware Windows executable sent when remote host claims to send image, Win32"; 
content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: 
"This program must be run under Win32"; flow: established; sid:2001684; rev:3;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
Malware Windows executable sent when remote host claims to send image, Win32"; 
content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: 
"This program must be run under Win32"; flow: established; 
classtype:trojan-activity; sid:2001684; rev:4;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Installer silent.exe 
Download"; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 
69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; 
nocase; flow:from_server,established; sid:2001533; rev:3;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Installer silent.exe 
Download"; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 
69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; 
nocase; flow:from_server,established; classtype:trojan-activity; sid:2001533; 
rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Install"; 
uricontent:"/install/RH/rh.exe"; nocase; flow:to_server,established; 
sid:2001505; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Install"; 
uricontent:"/install/RH/rh.exe"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001505; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Avres.net Downloading tvm_bundle.exe"; 
uricontent:"/tt/tvm_bundle.exe"; nocase; flow:to_server,established; 
sid:2001421; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Avres.net Downloading tvm_bundle.exe"; 
uricontent:"/tt/tvm_bundle.exe"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001421; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; 
pcre:"/Host\: \w*\.oemji.com/im"; flow:to_server,established; sid:2001539; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; 
pcre:"/Host\: \w*\.oemji.com/im"; flow:to_server,established; 
classtype:trojan-activity; sid:2001539; rev:3;)
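Review bot: the msg names `Spyspotter.com` but the pattern matches `\w*\.oemji.com`, and the Spyspotter install rule (sid 2001536) matches a different artifact entirely. If oemji.com is a Spyspotter-affiliated host, say so in the msg or add a `reference`; otherwise name oemji.com in the msg so analysts are not chasing the wrong domain.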
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Sexmaniack Install Tracking"; 
uricontent:"/counted.php?ref="; nocase; content:"Host\: 
counter.sexmaniack.com"; nocase; flow:to_server,established; sid:2001460; 
rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Sexmaniack Install Tracking"; 
uricontent:"/counted.php?ref="; nocase; content:"Host\: 
counter.sexmaniack.com"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001460; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware C4tdoanload.com Access, Likely Spyware"; 
pcre:"/Host\: \w*\.c4tdownload.com/im"; flow:to_server,established; 
sid:2001531; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware C4tdoanload.com Access, Likely Spyware"; 
pcre:"/Host\: \w*\.c4tdownload.com/im"; flow:to_server,established; 
classtype:trojan-activity; sid:2001531; rev:3;)
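Review bot: the msg says `C4tdoanload.com` while the pcre matches `c4tdownload.com`; fix the spelling in the msg.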
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Activity"; 
uricontent:"User-Agent\: NSISDL"; nocase; 
content:"Host\:download.smartpops.com"; nocase; flow:to_server,established; 
sid:2001506; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Activity"; 
uricontent:"User-Agent\: NSISDL"; nocase; 
content:"Host\:download.smartpops.com"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001506; rev:3;)
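Review bot: `uricontent:"User-Agent\: NSISDL"` searches the normalized URI buffer, where a User-Agent header never appears, so this rule cannot fire; it should be `content:`, as sid 2001507 uses for the same string. The `Host\:download.smartpops.com` literal also lacks the space after the colon and will miss the standard `Host: download.smartpops.com` form.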
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
uricontent:"/fa/x.chm"; nocase; flow:to_server,established; sid:2001469; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
uricontent:"/fa/x.chm"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001469; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; content:"GET 
/WildApp.cab"; offset:0; depth:16; nocase; content:"Host\: 
download.overpro.com"; nocase; reference:url,www.wildarcade.com; 
classtype:trojan-activity; flow:to_server,established; sid:2001444; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; content:"GET 
/WildApp.cab"; offset:0; depth:16; nocase; content:"Host\: 
download.overpro.com"; nocase; reference:url,www.wildarcade.com; 
flow:to_server,established; classtype:trojan-activity; sid:2001444; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
uricontent:"/i.exe"; nocase; content:"xpire.info"; nocase; 
flow:to_server,established; sid:2001464; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
uricontent:"/i.exe"; nocase; content:"xpire.info"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001464; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyware Stormer/Error Guard Activity"; 
uricontent:"/sell.cgi?errorguard/1/errorguard"; nocase; 
reference:url,www.spywarestormer.com; flow:established,to_server; sid:2001571; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Spyware Stormer/Error Guard Activity"; 
uricontent:"/sell.cgi?errorguard/1/errorguard"; nocase; 
reference:url,www.spywarestormer.com; flow:established,to_server; 
classtype:trojan-activity; sid:2001571; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware E2give Related Receiving Config"; 
uricontent:"/config/?v=5&n=mm2&i="; nocase; flow:to_server,established; 
sid:2001417; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware E2give Related Receiving Config"; 
uricontent:"/config/?v=5&n=mm2&i="; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001417; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; 
uricontent:"http\://newiframe.biz/ysb.exe.eeexe.exe"; nocase; 
flow:to_server,established; sid:2001478; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; 
uricontent:"http\://newiframe.biz/ysb.exe.eeexe.exe"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001478; rev:3;)
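Review bot: `uricontent:"http\://newiframe.biz/ysb.exe.eeexe.exe"` only matches when the request line carries an absolute URI, which a browser sends only when talking through a proxy; a direct request has `/ysb.exe.eeexe.exe` in the URI and the host in the Host header. The same applies to sid 2001477 (`http\://www.coolsearch.biz/c.htm`) below. If the sensor sits on the inside of a proxy this is fine; otherwise match the path with `uricontent` and the host with a `content:"Host\: ..."` as the other rules in this file do.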
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
Malware Windows executable sent when remote host claims to send an image"; 
content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: 
"This program cannot be run in DOS mode"; flow: established; sid:2001683; 
rev:3;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE 
Malware Windows executable sent when remote host claims to send an image"; 
content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: 
"This program cannot be run in DOS mode"; flow: established; 
classtype:trojan-activity; sid:2001683; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
uricontent:"/fa/evil.html"; nocase; sid:2001461; flow:to_server,established; 
rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; 
uricontent:"/fa/evil.html"; nocase; classtype:trojan-activity; sid:2001461; 
flow:to_server,established; rev:3;)
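Review bot: option order here puts `classtype` and `sid` before `flow` and leaves `rev` last, unlike every other rule in this batch; Snort does not care, but normalizing to `flow; classtype; sid; rev` keeps the file greppable and diff-friendly.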
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Identifying Country of 
Origin"; uricontent:"/dw/cgi/country.cgi"; nocase; content:"User-Agent\: 
NSISDL"; nocase; flow:to_server,established; sid:2001507; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Identifying Country of 
Origin"; uricontent:"/dw/cgi/country.cgi"; nocase; content:"User-Agent\: 
NSISDL"; nocase; flow:to_server,established; classtype:trojan-activity; 
sid:2001507; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Malware Mastermind Related Reporting"; 
uricontent:"/bundle.php?aff="; nocase; flow:to_server,established; sid:2001409; 
rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE Malware Mastermind Related Reporting"; 
uricontent:"/bundle.php?aff="; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001409; rev:3;)
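Review bot: the header is `$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any` (server to client) but the options use `flow:to_server` and `uricontent`, which only inspect client requests; the two conditions cannot both hold on the same packet, so this rule never fires. Flip the header to `$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS`, matching the other Mastermind rules (sids 2001410 to 2001412).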
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; 
uricontent:"http\://www.coolsearch.biz/c.htm"; nocase; 
flow:to_server,established; sid:2001477; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; 
uricontent:"http\://www.coolsearch.biz/c.htm"; nocase; 
flow:to_server,established; classtype:trojan-activity; sid:2001477; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Install"; 
uricontent:"/install/SE/sed.exe"; nocase; flow:to_server,established; 
sid:2001516; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Install"; 
uricontent:"/install/SE/sed.exe"; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001516; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Avres.net Reporting Data"; 
uricontent:"/log3.php?c={"; nocase; uricontent:"what="; nocase; 
uricontent:"avatar="; nocase; flow:to_server,established; sid:2001422; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Avres.net Reporting Data"; 
uricontent:"/log3.php?c={"; nocase; uricontent:"what="; nocase; 
uricontent:"avatar="; nocase; flow:to_server,established; 
classtype:trojan-activity; sid:2001422; rev:3;)

     -> Modified active in bleeding-p2p.rules (6):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE P2P Morpheus Install"; reference:url,www.morpheus.com; 
uricontent:"/morpheus/morpheus.exe"; nocase; flow:to_server,established; 
sid:2001035; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE P2P Morpheus Install"; reference:url,www.morpheus.com; 
uricontent:"/morpheus/morpheus.exe"; nocase; flow:to_server,established; 
classtype:policy-violation; sid:2001035; rev:3;)
        old: alert tcp $HOME_NET any -> 38.115.131.0/24 5534 
(msg:"BLEEDING-EDGE P2P Soulseek traffic"; classtype:policy-violation; 
sid:2001186; rev:2;)
        new: alert tcp $HOME_NET any -> 38.115.131.0/24 5534 
(msg:"BLEEDING-EDGE P2P Soulseek traffic"; flow:established; 
classtype:policy-violation; sid:2001186; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE P2P Morpheus Update Request"; 
reference:url,www.morpheus.com; uricontent:"/gwebcache/gcache.asg?hostfile="; 
nocase; flow:to_server,established; sid:2001037; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE P2P Morpheus Update Request"; 
reference:url,www.morpheus.com; uricontent:"/gwebcache/gcache.asg?hostfile="; 
nocase; flow:to_server,established; classtype:policy-violation; sid:2001037; 
rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE P2P Soulseek"; content:"slsknet"; 
classtype:policy-violation; sid:2001188; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE P2P Soulseek"; content:"slsknet"; flow:established; 
classtype:policy-violation; sid:2001188; rev:2;)
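Review bot: the body of sid:2001188 changed (`flow:established;` was added) but `rev:2` was not incremented, unlike the sibling Soulseek rules sid:2001185 and sid:2001186 in this same file, which move to rev:3; bump this one to rev:3 too so downstream tooling and sid-msg.map consumers see the modification.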
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE P2P Morpheus Install ini Download"; 
reference:url,www.morpheus.com; uricontent:"/morpheus/morpheus_sm.ini"; nocase; 
flow:to_server,established; sid:2001036; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE P2P Morpheus Install ini Download"; 
reference:url,www.morpheus.com; uricontent:"/morpheus/morpheus_sm.ini"; nocase; 
flow:to_server,established; classtype:policy-violation; sid:2001036; rev:3;)
        old: alert tcp $HOME_NET any -> 38.115.131.0/24 2234 
(msg:"BLEEDING-EDGE P2P Soulseek traffic"; classtype:policy-violation; 
sid:2001185; rev:2;)
        new: alert tcp $HOME_NET any -> 38.115.131.0/24 2234 
(msg:"BLEEDING-EDGE P2P Soulseek traffic"; flow:established; 
classtype:policy-violation; sid:2001185; rev:3;)

     -> Modified active in bleeding-policy.rules (1):
        old: alert tcp $HOME_NET any -> 66.151.158.177 any (msg:"BLEEDING-EDGE 
GotoMyPC Polling Client"; threshold: type limit, track by_src, count 1, seconds 
360; sid:2000309; rev:4;)
        new: alert tcp $HOME_NET any -> 66.151.158.177 any (msg:"BLEEDING-EDGE 
GotoMyPC Polling Client"; threshold: type limit, track by_src, count 1, seconds 
360; flow:established; classtype:policy-violation; sid:2000309; rev:5;)

     -> Modified active in bleeding-scan.rules (2):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE 
Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, 
seconds 120; flowbits:set,ssh.brute.attempt; classtype:attempted-dos; 
sid:2001219; rev:8;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE 
Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, 
seconds 120; flowbits:set,ssh.brute.attempt; classtype:suspicious-login; 
sid:2001219; rev:9;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 
(msg:"BLEEDING-EDGE Scan Possible SSL Brute Force attack or Site Crawl"; 
flags:S; flow:established; threshold: type threshold, track by_src, count 100, 
seconds 60; sid:2001553; rev:3;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 
(msg:"BLEEDING-EDGE Scan Possible SSL Brute Force attack or Site Crawl"; 
flags:S; flow:established; threshold: type threshold, track by_src, count 100, 
seconds 60; classtype:attempted-dos; sid:2001553; rev:4;)

     -> Modified active in bleeding-virus.rules (5):
        old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
Bagle.AY worm [.cpl extension] - OUTBOUND"; 
content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:misc-activity; sid:2001693; rev:1;)
        new: alert TCP $HOME_NET any -> any 25 (msg:"Bagle.BJ [alias .AY, .BC] 
worm [.cpl extension] - outbound"; 
content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:trojan-activity; sid:2001693; rev:2;)
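Review bot: the new msg for sid:2001693 drops the `BLEEDING-EDGE Virus` prefix that every other rule in this update keeps, so alerts from the four Bagle rules will no longer sort with the rest of the ruleset in consoles that key on the msg prefix; suggest `msg:"BLEEDING-EDGE Virus Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound"` and the same prefix on the three companion rules below.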
        old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus 
Bagle.AY worm [.com extension] - OUTBOUND"; 
content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:misc-activity; sid:2001691; rev:1;)
        new: alert TCP $HOME_NET any -> any 25 (msg:"Bagle.BJ [alias .AY, .BC] 
worm [.com, exe extensions] - outbound"; 
content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:trojan-activity; sid:2001691; rev:3;)
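Review bot: the msg for sid:2001691 reads `[.com, exe extensions]` (missing dot before `exe`), whereas its inbound twin sid:2001692 below reads `[.com, .exe extensions]`; make the two consistent, and note that rev jumps from 1 to 3 here while the matching inbound rule goes 1 to 3 as well, so an intermediate rev:2 appears to have been skipped in both.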
        old: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE 
Virus Bagle.AY worm [.cpl extension] - inbound"; 
content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:misc-activity; sid:2001694; rev:1;)
        new: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias 
.AY, .BC] worm [.cpl extension] - incoming"; 
content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:trojan-activity; sid:2001694; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 
(content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE 
VIRUS Netsky base64 port 25"; classtype:trojan-activity; sid:2001283; rev:3;)
        new: alert tcp $HOME_NET any -> any 25 
(content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE 
VIRUS Netsky base64 port 25"; classtype:trojan-activity; 
flow:established,to_server; sid:2001283; rev:4;)
        old: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE 
Virus Bagle.AY worm [.com extension] - inbound"; 
content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:misc-activity; sid:2001692; rev:1;)
        new: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias 
.AY, .BC] worm [.com, .exe extensions] - incoming"; 
content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn";
 nocase; flow:established; reference:url,secunia.com/virus_information/14902/; 
classtype:trojan-activity; sid:2001692; rev:3;)

     -> Modified active in bleeding-web.rules (8):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit phpBB Highlighting SQL Injection"; 
flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; 
uricontent:"&highlight='.mysql_query("; nocase; 
reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001557; rev:3;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit phpBB Highlighting SQL Injection"; 
flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; 
uricontent:"&highlight='.mysql_query("; nocase; 
reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; 
classtype:web-application-attack; sid:2001557; rev:4;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 
(msg:"BLEEDING-EDGE WEB-MISC LINK Method"; content:"LINK "; offset:0; depth:5; 
flow:to_server,established; tag:host,10,packets; sid:2001546; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 
(msg:"BLEEDING-EDGE WEB-MISC LINK Method"; content:"LINK "; offset:0; depth:5; 
flow:to_server,established; tag:host,10,packets; 
classtype:web-application-activity; sid:2001546; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: 
"BLEEDING-EDGE Exploit phpBB Highlight Exploit Attempt"; 
content:"&highlight=%2527%252Esystem("; nocase; flow:to_server,established; 
reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001605; 
rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: 
"BLEEDING-EDGE Exploit phpBB Highlight Exploit Attempt"; 
content:"&highlight=%2527%252Esystem("; nocase; flow:to_server,established; 
reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; 
classtype:web-application-attack; sid:2001605; rev:3;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE WEB-MISC Alternate Data Stream source view attempt"; 
uricontent:"|3A 3A 24|$DATA"; flow:to_server,established; 
reference:url,support.microsoft.com/kb/q188806/; reference:cve,1999-0278; 
sid:2001365; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE WEB-MISC Alternate Data Stream source view attempt"; 
uricontent:"|3A 3A 24|$DATA"; flow:to_server,established; 
reference:url,support.microsoft.com/kb/q188806/; reference:cve,1999-0278; 
classtype:web-application-activity; sid:2001365; rev:3;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization"; 
flow:to_server,established; content:"GET"; nocase; content:"|5C|"; nocase; 
depth:100; content:"aspx"; distance:100; nocase; sid:2001342; rev:11;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization"; 
flow:to_server,established; content:"GET"; nocase; content:"|5C|"; nocase; 
depth:100; content:"aspx"; distance:100; nocase; 
classtype:web-application-attack; sid:2001342; rev:12;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - Santy.A Worm"; 
flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; 
uricontent:"&highlight='.fwrite(fopen("; nocase; 
reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001604; 
rev:4;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - Santy.A Worm"; 
flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; 
uricontent:"&highlight='.fwrite(fopen("; nocase; 
reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; 
classtype:web-application-attack; sid:2001604; rev:5;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C"; 
flow:to_server,established; content:"GET"; nocase; content:"%5C"; depth:100; 
content:"aspx"; distance:100; sid:2001343; rev:10;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C"; 
flow:to_server,established; content:"GET"; nocase; content:"%5C"; depth:100; 
content:"aspx"; distance:100; classtype:web-application-attack; sid:2001343; 
rev:11;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE 
THCIISLame IIS SSL Exploit Attempt"; 
reference:url,www.thc.org/exploits/THCIISSLame.c; 
reference:url,isc.sans.org/diary.php?date=2004-07-17; content:"THCOWNZIIS!"; 
flow:to_server,established; sid:2000559; rev:5;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE 
THCIISLame IIS SSL Exploit Attempt"; 
reference:url,www.thc.org/exploits/THCIISSLame.c; 
reference:url,isc.sans.org/diary.php?date=2004-07-17; content:"THCOWNZIIS!"; 
flow:to_server,established; classtype:web-application-attack; sid:2000559; 
rev:6;)

[///]    Modified inactive rules:    [///]

     -> Modified inactive in bleeding-custom.rules (6):
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; flags:S; 
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001579; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; flags:S; 
threshold: type limit, track by_src, count 50 , seconds 60; 
classtype:misc-activity; sid:2001579; rev:3;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; flags:S; 
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001583; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; flags:S; 
threshold: type limit, track by_src, count 50 , seconds 60; 
classtype:misc-activity; sid:2001583; rev:3;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; flags:S; 
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001580; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; flags:S; 
threshold: type limit, track by_src, count 50 , seconds 60; 
classtype:misc-activity; sid:2001580; rev:3;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags:S; 
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001569; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags:S; 
threshold: type limit, track by_src, count 50 , seconds 60; 
classtype:misc-activity; sid:2001569; rev:3;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; flags:S; 
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001582; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; flags:S; 
threshold: type limit, track by_src, count 50 , seconds 60; 
classtype:misc-activity; sid:2001582; rev:3;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; flags:S; 
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001581; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE 
Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; flags:S; 
threshold: type limit, track by_src, count 50 , seconds 60; 
classtype:misc-activity; sid:2001581; rev:3;)

     -> Modified inactive in bleeding-virus.rules (1):
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"BLEEDING-EDGE 
Virus Possible Sober.j Outbound"; 
reference:url,vil.mcafeesecurity.com/vil/content/v_130130.htm; 
classtype:trojan-activity; sid:2001542; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"BLEEDING-EDGE 
Virus Possible Sober.j Outbound"; 
reference:url,vil.mcafeesecurity.com/vil/content/v_130130.htm; 
classtype:trojan-activity; flow:established; sid:2001542; rev:3;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-malware.rules (3):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; 
uricontent:"/cab/v3cab.cab"; reference:url,www.searchmiracle.com; nocase; 
flow:to_server,established; sid:2001540; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware pool.Westpop.com Spyware Install"; 
uricontent:"/vcgi/magh/update.cgi?magic="; nocase; flow:to_server,established; 
sid:2001512; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware"; pcre:"/Host\: 
\w*\.casalemedia.com/im"; flow:to_server,established; sid:2001527; rev:2;)

     -> Removed from bleeding-web.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt"; 
flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; 
uricontent:"&highlight='.system("; nocase; 
reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001457; 
rev:7;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-inappropriate.rules (1):
        # Info for these sigs from Gary Kalbfleisch

     -> Added to bleeding-malware.rules (4):
        #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware"; pcre:"/Host\: 
\w*\.casalemedia.com/im"; flow:to_server,established; 
classtype:trojan-activity; id:2001527; rev:3;)
        #matt Jonkman
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; 
uricontent:"/cab/v3cab.cab"; reference:url,www.searchmiracle.com; nocase; 
flow:to_server,established; classtype:trojan-activity; id:2001540; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware pool.Westpop.com Spyware Install"; 
uricontent:"/vcgi/magh/update.cgi?magic="; nocase; flow:to_server,established; 
classtype:trojan-activity; id:2001512; rev:3;)
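Review bot: these three rules carry `id:2001527`, `id:2001540` and `id:2001512` where `sid:` is intended; `id` is Snort's IP-header identification keyword, so each rule is left without a signature ID. That is why Oinkmaster files them under "Added non-rule lines" rather than as modified rules, and why their 2001512, 2001527 and 2001540 entries drop out of bleeding-sid-msg.map in the "Removed non-rule lines" section below: restore `sid:` on each, keeping the added classtype and the rev bump.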

     -> Added to bleeding-sid-msg.map (21):
        2001691 || Bagle.BJ [alias .AY, .BC] worm [.com, exe extensions] - 
outbound || url,secunia.com/virus_information/14902/
        2001692 || Bagle.BJ [alias .AY, .BC] worm [.com, .exe extensions] - 
incoming || url,secunia.com/virus_information/14902/
        2001693 || Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound 
|| url,secunia.com/virus_information/14902/
        2001694 || Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - incoming 
|| url,secunia.com/virus_information/14902/
        2001695 || Bagle.BJ [alias .AY, .BC] - download attempt || 
url,secunia.com/virus_information/14877/
        2001696 || BLEEDING-EDGE Malware Search Relevancy Spyware
        2001697 || BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Data 
Submission || url,www.isearchtech.com
        2001698 || BLEEDING-EDGE Malware YourSiteBar Data Submision || 
url,www.ysbweb.com
        2001699 || BLEEDING-EDGE Malware YourSiteBar Activity || 
url,www.ysbweb.com
        2001700 || BLEEDING-EDGE Malware Windupdates.com Spyware Install
        2001701 || BLEEDING-EDGE Malware Windupdates.com Spyware Loggin Data
        2001702 || BLEEDING-EDGE Malware Shop at Home Select Spyware Activity
        2001703 || BLEEDING-EDGE Malware Context Plus Spyware Activity
        2001704 || BLEEDING-EDGE Malware Context Plus Spyware Install
        2001705 || BLEEDING-EDGE Malware Flingstone Spyware Install
        2001706 || BLEEDING-EDGE Malware Context Plus Spyware Activity
        2001707 || BLEEDING-EDGE Malware Shop at Home Select Spyware Activity
        2001708 || BLEEDING-EDGE Malware Shop at Home Select Spyware Heartbeat
        2001709 || BLEEDING-EDGE Malware Shop at Home Select Spyware Config 
Download
        2001710 || BLEEDING-EDGE Malware Flingstone Spyware Install
        2001711 || BLEEDING-EDGE Malware Likely Spambot Web-based Control 
Traffic

     -> Added to bleeding-virus.rules (1):
        #added by Mark Scott 01/27/2005 - Bagle.AY, .BJ - Updated 1/31/2005

     -> Added to bleeding-web.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt"; 
flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; 
uricontent:"&highlight='.system("; nocase; 
reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; 
classtype:web-application-attack; id:2001457; rev:8;)
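Review bot: `id:2001457` should be `sid:2001457`; without a sid this rule is not recognised as a signature, which is why the rev:7 version with `sid:` shows as removed from bleeding-web.rules above, this rev:8 version appears only as a non-rule line, and the 2001457 entry disappears from bleeding-sid-msg.map. Fix the keyword and the map entry will be regenerated.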

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-inappropriate.rules (1):
        #Info for these sigs from Gary Kalbfleisch

     -> Removed from bleeding-sid-msg.map (8):
        2001457 || BLEEDING-EDGE Exploit phpBB Highlighting Code Execution 
Attempt || url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
        2001512 || BLEEDING-EDGE Malware pool.Westpop.com Spyware Install
        2001527 || BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware
        2001540 || BLEEDING-EDGE Malware Searchmiracle.com Spyware Install || 
url,www.searchmiracle.com
        2001691 || BLEEDING-EDGE Virus Bagle.AY worm [.com extension] - 
OUTBOUND || url,secunia.com/virus_information/14902/
        2001692 || BLEEDING-EDGE Virus Bagle.AY worm [.com extension] - inbound 
|| url,secunia.com/virus_information/14902/
        2001693 || BLEEDING-EDGE Virus Bagle.AY worm [.cpl extension] - 
OUTBOUND || url,secunia.com/virus_information/14902/
        2001694 || BLEEDING-EDGE Virus Bagle.AY worm [.cpl extension] - inbound 
|| url,secunia.com/virus_information/14902/

     -> Removed from bleeding-virus.rules (1):
        #added by Mark Scott 01/27/2005 - Bagle.AY

[*] Added files: [*]
    None.



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
