From 0fcce96a175531ec6042cde1b11a0052aa261dd5 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:43:34 +0200 Subject: Adding upstream version 1.3.2. Signed-off-by: Daniel Baumann --- .github/CODEOWNERS | 12 + .github/CONTRIBUTING.md | 53 + .github/PULL_REQUEST_TEMPLATE.md | 16 + .github/workflows/tests.yml | 242 + .gitignore | 15 + .readthedocs.yaml | 17 + CHANGELOG.md | 263 + LICENSE | 339 + MANIFEST.in | 4 + Makefile | 50 + README.rst | 123 + bin/suricata-update | 36 + doc/Makefile | 156 + doc/_static/.gitignore | 0 doc/add-source.rst | 45 + doc/check-versions.rst | 21 + doc/common-options.rst | 51 + doc/conf.py | 247 + doc/disable-source.rst | 22 + doc/enable-source.rst | 35 + doc/index.rst | 16 + doc/list-sources.rst | 28 + doc/quickstart.rst | 209 + doc/remove-source.rst | 21 + doc/update-sources.rst | 40 + doc/update.rst | 324 + requirements.txt | 4 + setup.py | 60 + suricata/__init__.py | 0 suricata/update/__init__.py | 0 suricata/update/commands/__init__.py | 23 + suricata/update/commands/addsource.py | 72 + suricata/update/commands/checkversions.py | 83 + suricata/update/commands/disablesource.py | 40 + suricata/update/commands/enablesource.py | 162 + suricata/update/commands/listsources.py | 116 + suricata/update/commands/removesource.py | 49 + suricata/update/commands/updatesources.py | 105 + suricata/update/compat/__init__.py | 0 suricata/update/compat/argparse/LICENSE.txt | 20 + suricata/update/compat/argparse/__init__.py | 0 suricata/update/compat/argparse/argparse.py | 2378 ++++ suricata/update/compat/ordereddict.py | 127 + suricata/update/config.py | 266 + suricata/update/configs/__init__.py | 31 + suricata/update/configs/disable.conf | 19 + suricata/update/configs/drop.conf | 11 + suricata/update/configs/enable.conf | 19 + suricata/update/configs/modify.conf | 24 + suricata/update/configs/threshold.in | 22 + suricata/update/configs/update.yaml | 58 + suricata/update/data/__init__.py | 0 suricata/update/data/index.py | 476 + suricata/update/data/update.py | 53 + suricata/update/engine.py | 196 + suricata/update/exceptions.py | 21 + suricata/update/extract.py | 68 + suricata/update/loghandler.py | 115 + suricata/update/main.py | 1404 ++ suricata/update/maps.py | 215 + suricata/update/matchers.py | 331 + suricata/update/net.py | 175 + suricata/update/notes.py | 60 + suricata/update/osinfo.py | 75 + suricata/update/parsers.py | 268 + suricata/update/rule.py | 439 + suricata/update/sources.py | 207 + suricata/update/util.py | 98 + suricata/update/version.py | 7 + tests/classification1.config | 51 + tests/classification2.config | 54 + tests/docker-centos-7/Dockerfile | 25 + tests/docker-centos-7/Makefile | 6 + tests/docker-centos-7/README.md | 11 + tests/docker-centos-7/run.sh | 54 + tests/emerging-current_events.rules | 5400 ++++++++ tests/emerging.rules.tar.gz | Bin 0 -> 2094690 bytes tests/emerging.rules.tar.gz.md5 | 1 + tests/emerging.rules.zip | Bin 0 -> 2052434 bytes tests/empty | 1 + tests/gen-msg.map | 318 + tests/index.yaml | 106 + tests/integration_tests.py | 230 + tests/rule-with-unicode.rules | 4 + tests/sid-msg-v2.map | 18356 ++++++++++++++++++++++++++ tests/sid-msg.map | 122 + tests/suricata-test-rules.zip | Bin 0 -> 2391 bytes tests/test_classificationmap.py | 46 + tests/test_main.py | 279 + tests/test_matchers.py | 135 + tests/test_net.py | 31 + tests/test_rule.py | 256 + tests/test_signaturemap.py | 81 + tests/test_util.py | 33 + tests/update.yaml | 1 + tox-integration.ini | 13 + tox.ini | 13 + 97 files changed, 35909 insertions(+) create mode 100644 .github/CODEOWNERS create mode 100644 .github/CONTRIBUTING.md create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 .github/workflows/tests.yml create mode 100644 .gitignore create mode 100644 .readthedocs.yaml create mode 100644 CHANGELOG.md create mode 100644 LICENSE create mode 100644 MANIFEST.in create mode 100644 Makefile create mode 100644 README.rst create mode 100755 bin/suricata-update create mode 100644 doc/Makefile create mode 100644 doc/_static/.gitignore create mode 100644 doc/add-source.rst create mode 100644 doc/check-versions.rst create mode 100644 doc/common-options.rst create mode 100644 doc/conf.py create mode 100644 doc/disable-source.rst create mode 100644 doc/enable-source.rst create mode 100644 doc/index.rst create mode 100644 doc/list-sources.rst create mode 100644 doc/quickstart.rst create mode 100644 doc/remove-source.rst create mode 100644 doc/update-sources.rst create mode 100644 doc/update.rst create mode 100644 requirements.txt create mode 100644 setup.py create mode 100644 suricata/__init__.py create mode 100644 suricata/update/__init__.py create mode 100644 suricata/update/commands/__init__.py create mode 100644 suricata/update/commands/addsource.py create mode 100644 suricata/update/commands/checkversions.py create mode 100644 suricata/update/commands/disablesource.py create mode 100644 suricata/update/commands/enablesource.py create mode 100644 suricata/update/commands/listsources.py create mode 100644 suricata/update/commands/removesource.py create mode 100644 suricata/update/commands/updatesources.py create mode 100644 suricata/update/compat/__init__.py create mode 100644 suricata/update/compat/argparse/LICENSE.txt create mode 100644 suricata/update/compat/argparse/__init__.py create mode 100644 suricata/update/compat/argparse/argparse.py create mode 100644 suricata/update/compat/ordereddict.py create mode 100644 suricata/update/config.py create mode 100644 suricata/update/configs/__init__.py create mode 100644 suricata/update/configs/disable.conf create mode 100644 suricata/update/configs/drop.conf create mode 100644 suricata/update/configs/enable.conf create mode 100644 suricata/update/configs/modify.conf create mode 100644 suricata/update/configs/threshold.in create mode 100644 suricata/update/configs/update.yaml create mode 100644 suricata/update/data/__init__.py create mode 100644 suricata/update/data/index.py create mode 100644 suricata/update/data/update.py create mode 100644 suricata/update/engine.py create mode 100644 suricata/update/exceptions.py create mode 100644 suricata/update/extract.py create mode 100644 suricata/update/loghandler.py create mode 100644 suricata/update/main.py create mode 100644 suricata/update/maps.py create mode 100644 suricata/update/matchers.py create mode 100644 suricata/update/net.py create mode 100644 suricata/update/notes.py create mode 100644 suricata/update/osinfo.py create mode 100644 suricata/update/parsers.py create mode 100644 suricata/update/rule.py create mode 100644 suricata/update/sources.py create mode 100644 suricata/update/util.py create mode 100644 suricata/update/version.py create mode 100644 tests/classification1.config create mode 100644 tests/classification2.config create mode 100644 tests/docker-centos-7/Dockerfile create mode 100644 tests/docker-centos-7/Makefile create mode 100644 tests/docker-centos-7/README.md create mode 100755 tests/docker-centos-7/run.sh create mode 100644 tests/emerging-current_events.rules create mode 100644 tests/emerging.rules.tar.gz create mode 100644 tests/emerging.rules.tar.gz.md5 create mode 100644 tests/emerging.rules.zip create mode 100644 tests/empty create mode 100644 tests/gen-msg.map create mode 100644 tests/index.yaml create mode 100755 tests/integration_tests.py create mode 100644 tests/rule-with-unicode.rules create mode 100644 tests/sid-msg-v2.map create mode 100644 tests/sid-msg.map create mode 100644 tests/suricata-test-rules.zip create mode 100644 tests/test_classificationmap.py create mode 100644 tests/test_main.py create mode 100644 tests/test_matchers.py create mode 100644 tests/test_net.py create mode 100644 tests/test_rule.py create mode 100644 tests/test_signaturemap.py create mode 100644 tests/test_util.py create mode 100644 tests/update.yaml create mode 100644 tox-integration.ini create mode 100644 tox.ini diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..0a23353 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,12 @@ +# https://help.github.com/articles/about-codeowners/ +# +# last match wins, so put more specific matches towards the end +# +# only ppl with push rights in the repo can be owners +# https://github.com/isaacs/github/issues/989#issuecomment-320475904 +# +# additionally, it seems only the directoy syntax works. +# e.g. '/src/source-*.[ch] @regit' seems to have no effect. + +* @jasonish @OISF/core-team + diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md new file mode 100644 index 0000000..934a9d1 --- /dev/null +++ b/.github/CONTRIBUTING.md @@ -0,0 +1,53 @@ +Contributing to Suricata +======================== + +We're happily taking patches and other contributions. The process is +documented at +https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing +Please have a look at this document before submitting. + +Contribution Agreement +---------------------- + +Before accepting your pull requests we need you or your organization +to sign our contribution agreement. + +We do this to keep the ownership of Suricata in one hand: the Open +Information Security Foundation. See +https://suricata-ids.org/about/open-source/ and +https://suricata-ids.org/about/contribution-agreement/ + +Contribution Process +-------------------- + +Suricata is a complex piece of software dealing with mostly untrusted +input. Mishandling this input will have serious consequences: + +* in IPS mode a crash may knock a network offline; +* in passive mode a compromise of the IDS may lead to loss of critical + and confidential data; +* missed detection may lead to undetected compromise of the network. + +In other words, we think the stakes are pretty high, especially since +in many common cases the IDS/IPS will be directly reachable by an +attacker. + +For this reason, we have developed a QA process that is quite +extensive. A consequence is that contributing to Suricata can be a +somewhat lengthy process. + +On a high level, the steps are: + +1. Travis-CI based build & unit testing. This runs automatically when + a pull request is made. + +2. Review by devs from the team and community + +3. QA runs trigged by the team + +Questions +--------- + +If you have questions about contributing, please contact us via +https://suricata-ids.org/support/ + diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..5bf7005 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,16 @@ +Make sure these boxes are signed before submitting your Pull Request +-- thank you. + +- [ ] I have read the contributing guide lines at + https://docs.suricata.io/en/latest/devguide/codebase/contributing/contribution-process.html +- [ ] I have signed the Open Information Security Foundation + contribution agreement at https://suricata.io/about/contribution-agreement/ +- [ ] I have updated the user guide (in doc/userguide/) to reflect the + changes made (if applicable) + +Link to [redmine](https://redmine.openinfosecfoundation.org/projects/suricata/issues) ticket: + +Describe changes: +- +- +- diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml new file mode 100644 index 0000000..22a19f3 --- /dev/null +++ b/.github/workflows/tests.yml @@ -0,0 +1,242 @@ +name: Distribution Checks + +on: + - push + - pull_request + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: read-all + +jobs: + + alma-9: + # At the time of adding this test, tox and pytest don't install + # cleanly using system packages, so just run the integration tests + # for now. + name: AlmaLinux 9 + runs-on: ubuntu-latest + container: almalinux:9 + steps: + - run: | + dnf -y install \ + python3 \ + python3-pyyaml + - uses: actions/checkout@v1 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + alma-8: + name: AlmaLinux 8 + runs-on: ubuntu-latest + container: almalinux:8 + steps: + - run: | + yum -y install \ + python2-pytest \ + python2-pyyaml \ + python3 \ + python3-pytest \ + python3-pyyaml + - uses: actions/checkout@v1 + + - name: Python 2 unit tests + run: PYTHONPATH=. pytest-2 + - name: Python 2 integration tests + run: PYTHONPATH=. python2 ./tests/integration_tests.py + + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + centos-7: + name: CentOS 7 + runs-on: ubuntu-latest + container: centos:7 + steps: + - run: yum -y install epel-release + - run: | + yum -y install \ + python2-pytest \ + python2-pyyaml \ + python36-pytest \ + python36-yaml + - uses: actions/checkout@v1 + + - name: Python 2 unit tests + run: PYTHONPATH=. py.test-2.7 + - name: Python 2 integration tests + run: PYTHONPATH=. python2 ./tests/integration_tests.py + + - name: Python 3 unit tests + run: PYTHONPATH=. py.test-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + fedora-39: + name: Fedora 39 + runs-on: ubuntu-latest + container: fedora:39 + steps: + - run: | + dnf -y install \ + python3 \ + python3-pytest \ + python3-pyyaml + - uses: actions/checkout@v4 + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + fedora-38: + name: Fedora 38 + runs-on: ubuntu-latest + container: fedora:38 + steps: + - run: | + dnf -y install \ + python3 \ + python3-pytest \ + python3-pyyaml + - uses: actions/checkout@v2 + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + ubuntu-2204: + name: Ubuntu 22.04 + runs-on: ubuntu-latest + container: ubuntu:22.04 + steps: + - run: apt update + - run: | + apt -y install \ + python3-pytest \ + python3-yaml + - uses: actions/checkout@v1 + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + ubuntu-2004: + name: Ubuntu 20.04 + runs-on: ubuntu-latest + container: ubuntu:20.04 + steps: + - run: apt update + - run: | + apt -y install \ + python-pytest \ + python-yaml \ + python3-pytest \ + python3-yaml + - uses: actions/checkout@v1 + + - name: Python 2 unit tests + run: PYTHONPATH=. pytest + - name: Python 2 integration tests + run: PYTHONPATH=. python2 ./tests/integration_tests.py + + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + ubuntu-1804: + name: Ubuntu 18.04 + runs-on: ubuntu-latest + container: ubuntu:18.04 + steps: + - run: apt update + - run: | + apt -y install \ + python-pytest \ + python-yaml \ + python3-pytest \ + python3-yaml + - uses: actions/checkout@v1 + + - name: Python 2 unit tests + run: PYTHONPATH=. pytest + - name: Python 2 integration tests + run: PYTHONPATH=. python2 ./tests/integration_tests.py + + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + debian-12: + name: Debian 12 + runs-on: ubuntu-latest + container: debian:12 + steps: + - run: apt update + - run: | + apt -y install \ + python3-pytest \ + python3-yaml + - uses: actions/checkout@v1 + + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + debian-11: + name: Debian 11 + runs-on: ubuntu-latest + container: debian:11 + steps: + - run: apt update + - run: | + apt -y install \ + python3-pytest \ + python3-yaml + - uses: actions/checkout@v1 + + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + debian-10: + name: Debian 10 + runs-on: ubuntu-latest + container: debian:10 + steps: + - run: apt update + - run: | + apt -y install \ + python-pytest \ + python-yaml \ + python3-pytest \ + python3-yaml + - uses: actions/checkout@v1 + + - name: Python 2 unit tests + run: PYTHONPATH=. pytest + - name: Python 2 integration tests + run: PYTHONPATH=. python2 ./tests/integration_tests.py + + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + macos-latest: + name: MacOS Latest + runs-on: macos-latest + steps: + - run: brew install python + - run: pip3 install PyYAML + - run: pip3 install pytest + - uses: actions/checkout@v1 + - run: PYTHONPATH=. python3 -m pytest + - run: PYTHONPATH=. python3 ./tests/integration_tests.py diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4515679 --- /dev/null +++ b/.gitignore @@ -0,0 +1,15 @@ +*~ +*.pyc +_build +build +.DS_Store +_work + +# Development update.yaml +/update.yaml + +# The file containing the git revision. +/suricata/update/revision.py* + +# Working files for the tox testing framework. +/.tox diff --git a/.readthedocs.yaml b/.readthedocs.yaml new file mode 100644 index 0000000..635dca4 --- /dev/null +++ b/.readthedocs.yaml @@ -0,0 +1,17 @@ +version: 2 + +build: + os: ubuntu-22.04 + tools: + python: "3.11" + +python: + install: + - requirements: ./requirements.txt + +sphinx: + builder: html + configuration: doc/conf.py + fail_on_warning: false + +formats: all diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..03310ca --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,263 @@ +# Change Log + +## 1.3.2 - 2024-03-14 +- Fix copying of file hash lists which was broken in the dataset fix + as part of ticket #6833: + https://redmine.openinfosecfoundation.org/issues/6854 + +## 1.3.1 - 2024-03-11 +- Fix detecting dataset "load" when preceded by a space: + https://redmine.openinfosecfoundation.org/issues/6777 +- If no Suricata is found, Suricata-Update will assume version 6.0.0 + instead of 4.0.0. +- Handle URLs of bare files that don't end in .rules: + https://redmine.openinfosecfoundation.org/issues/3664 +- Don't base dataset filenames on the contents of the file, but + instead the filename path: + https://redmine.openinfosecfoundation.org/issues/6763 +- Give each file in a source a unique filename by prefixing the files + with a hash of the URL to prevent duplicate filenames from + cloberring each other, in particular dataset files: + https://redmine.openinfosecfoundation.org/issues/6833 + +## 1.3.0 - 2023-07-07 + +- Fix loading of configuration files specified in update.yaml: + https://redmine.openinfosecfoundation.org/issues/6172 + +## 1.3.0-rc1 - 2022-01-30 +- Be consistent about warning about old index. The index won't be + automatically updated now in some cases and not in others. Instead + opt to never auto-update: + https://redmine.openinfosecfoundation.org/issues/3249 +- Better flowbit resolution logging in verbose mode + https://redmine.openinfosecfoundation.org/issues/3205 +- Hide advanced command line options from help output: + https://redmine.openinfosecfoundation.org/issues/3974 +- Allow spaces in custom HTTP headers. Redmine issue + https://redmine.openinfosecfoundation.org/issues/4362 +- Better error message on invalid source specification: + https://redmine.openinfosecfoundation.org/issues/5141 + +## 1.2.7 - 2022-01-30 +- Embed an index that has been formatted so diffs are more readable. +- Documentation update with respect to how Suricata-Update is bundled + with all versions of Suricata now. + +## 1.2.6 - 2022-11-25 +- Allow checksum URL to be specified by the index: + https://redmine.openinfosecfoundation.org/issues/5684 +- Metadata rule matching for disable, enable and drop: + https://redmine.openinfosecfoundation.org/issues/5561 + +## 1.2.5 - 2022-09-22 +- Update entrypoint search path when not installed with distutils. This is + required for installation when bundled with Suricata 6.0.7 or newer: + https://redmine.openinfosecfoundation.org/issues/5313 + +## 1.2.4 - 2022-04-19 +- Fix multiple modifications to a rule: + https://redmine.openinfosecfoundation.org/issues/4259 +- Fix "check-versions" where the running Suricata is newer than what the index + knows about: https://redmine.openinfosecfoundation.org/issues/4373 +- Fix issue with dataset handling. Also adds file renaming to avoid conflicts: + https://redmine.openinfosecfoundation.org/issues/5010. +- New modify option to add metadata: + https://redmine.openinfosecfoundation.org/issues/5221. +- Respect Suricata's sysconfdir when loading configuration files: + https://redmine.openinfosecfoundation.org/issues/4374. +- Modify rule to add metadata: + https://redmine.openinfosecfoundation.org/issues/5221 +- Don't fail when source removed from index: + https://redmine.openinfosecfoundation.org/issues/5269 +- Option fail on download error: + https://redmine.openinfosecfoundation.org/issues/4579 + +## 1.2.3 - 2021-11-05 +- Allow more custom characters in custom http header to allow for more + of the base64 character set: + https://redmine.openinfosecfoundation.org/issues/4701 +- Send custom HTTP headers with check for remote checksum file: + https://redmine.openinfosecfoundation.org/issues/4001 + +## 1.2.2 - 2021-05-18 +- Fix "no-test" when set in configuration file: + https://redmine.openinfosecfoundation.org/issues/4493 + +## 1.2.1 - 2021-02-23 +- Fix --no-merge. Redmine issue + https://redmine.openinfosecfoundation.org/issues/4324. + +## 1.2.0 - 2020-10-05 +- Documentation updates. + +## 1.2.0rc2 - 2020-09-09 + +### Features +- Obsolete and deprecated source handling from the index: + https://redmine.openinfosecfoundation.org/issues/3918, + https://redmine.openinfosecfoundation.org/issues/3919. + +### Fixes +- Fix re-enabling a disabled source that was initially added with + "add-source": https://redmine.openinfosecfoundation.org/issues/3843 +- Handle duplicate filenames across multiple sources: + https://redmine.openinfosecfoundation.org/issues/3174 + +## 1.2.0rc1 - 2020-08-05 + +### Added +- Add summary for update-sources command: + https://redmine.openinfosecfoundation.org/issues/2472 +- Disable SMB rules if installed Suricata does not support them: + https://redmine.openinfosecfoundation.org/issues/3280 +- Better error on bad modify filter: + https://redmine.openinfosecfoundation.org/issues/3536 +- Missing documentation for list-sources, list-enabled-sources and + check-versions: + https://redmine.openinfosecfoundation.org/issues/3228 +- Optimization for modify filters: + https://redmine.openinfosecfoundation.org/issues/3620 +- Fix --http-header option. Header was not being sent: + https://redmine.openinfosecfoundation.org/issues/3696 +- Add classification.config management. Suricata-Update will now load + the Suricata installed classification.config and merge it with + classification.config's found in rule + files. https://redmine.openinfosecfoundation.org/issues/3203 +- Copy md5/sha1/sha256 file lists from rulesets into the rule output + directory: https://redmine.openinfosecfoundation.org/issues/2688 +- Copy dataset files from ruleset into the rule output directory: + https://redmine.openinfosecfoundation.org/issues/3528 + +## 1.1.0 - 2019-10-11 +- Disable ja3 rules if the Suricata build or runtime configuration + does not support + ja3. https://redmine.openinfosecfoundation.org/issues/3215 +- New command, check-versions to compare the version of Suricata on + the system to Suricata version information in the index. Can let you + know if Suricata is + outdated. https://redmine.openinfosecfoundation.org/issues/2341 + +## 1.1.0rc1 - 2019-09-09 +- Enable integration tests on + Travis-CI. https://redmine.openinfosecfoundation.org/issues/2760 +- Fix error on missing sid, or missing ';' in rule + parsing. https://redmine.openinfosecfoundation.org/issues/2867 +- Improve permission errors from tracebacks to more user friendly + error messages. https://redmine.openinfosecfoundation.org/issues/2875 +- Log warnings and errors to stderr, info and debug to stdout. + https://redmine.openinfosecfoundation.org/issues/2565 +- Cleaner exit on CTRL-C. + https://redmine.openinfosecfoundation.org/issues/2878 +- Run offline. + https://redmine.openinfosecfoundation.org/issues/2864 +- Log warning on duplicate SID. + https://redmine.openinfosecfoundation.org/issues/2879 +- Parse rule files alphabetically. + https://redmine.openinfosecfoundation.org/issues/2892 +- Set the noalert option on rules enabled for flowbit dependencies. + https://redmine.openinfosecfoundation.org/issues/2906 +- Allow sources to be specified without a checksum URL to prevent the + warning log message when this URL does not + exist. https://redmine.openinfosecfoundation.org/issues/3100 + +## 1.0.5 - 2019-04-26 +- Fix NULL pointer dereference (FORWARD_NULL) found by + Coverity. https://redmine.openinfosecfoundation.org/issues/2834 +- Add a download connection timeout of 30 + seconds. https://redmine.openinfosecfoundation.org/issues/2703 +- Fix issue with --no-merge command line + option. https://redmine.openinfosecfoundation.org/issues/2869 +- Fix handling of default ignore + files. https://redmine.openinfosecfoundation.org/issues/2851 +- Allow repeated calls to enable the same rule source without exiting + with an error. https://redmine.openinfosecfoundation.org/issues/2728 + +## 1.0.4 - 2019-03-07 +- Enable integration tests on + Travis-CI. https://redmine.openinfosecfoundation.org/issues/2760 +- Reduce memory usage. https://redmine.openinfosecfoundation.org/issues/2791 + +## 1.0.3 - 2018-12-21 +- Fix enable-source command. + https://redmine.openinfosecfoundation.org/issues/2753 + +## 1.0.2 - 2018-12-18 +- Fix installs on older versions of Python 2.7. + https://redmine.openinfosecfoundation.org/issues/2747 + +## 1.0.1 - 2018-12-16 +- Add --free argument to list-sources command to show only those + that are freely + available. https://redmine.openinfosecfoundation.org/issues/2641 +- If user-agent is configured to be empty, don't send the header at + all. This also fixes an issue where trying to set the user agent to + an empty string reset it back to the + default. https://redmine.openinfosecfoundation.org/issues/2665 +- Fix --dump-sample-configs. The data files were being + installed. https://redmine.openinfosecfoundation.org/issues/2683 +- When installing with pip, make pyyaml and a required dependency so + it will be installed automatically if needed. This does not apply + when installed bundled with + Suricata. https://redmine.openinfosecfoundation.org/issues/2667 +- Fix missing check for None, from + Coverity. https://redmine.openinfosecfoundation.org/issues/2676 +- Suppress download progress meter when not on a + tty. https://redmine.openinfosecfoundation.org/issues/2743 +- Hide git revision if not available in --version. +- Update list of engine provided rules to include. +- Allow a custom HTTP header to be set on a source when added with + add-source. https://redmine.openinfosecfoundation.org/issues/2577 + +## 1.0.0 - 2018-11-05 +- Fix failure to run custom test + command. https://redmine.openinfosecfoundation.org/issues/2652 + +## 1.0.0rc2 - 2018-10-12 +- Python 3 fix for enable-source. + https://redmine.openinfosecfoundation.org/issues/2549 +- Fix interactive input for add-source command. + https://redmine.openinfosecfoundation.org/issues/2550 +- Python fix for loading disable.conf (and other files). + https://redmine.openinfosecfoundation.org/issues/2551 + +## 1.0.0rc1 - 2018-07-17 +- Python 3 fixes. +- Bundle a copy of the index which can be used if download source for + the index is not available, and no index was previously + downloaded. Warnings will be issued. +- Fix for Python versions prior to 2.7.9 that don't have + ssl.create_default_context. For example, Ubuntu Trusty. +- Fix exception while referencing configuration + filename. https://redmine.openinfosecfoundation.org/issues/2526 + +## 1.0.0b1 - 2018-01-19 +- Various fixes for Python 3. +- Allow the default state directory of /var/lib/suricata to be changed + with the command line parameter -D (--data-dir). Fixes issue + https://redmine.openinfosecfoundation.org/issues/2334. +- Cache directory is now /var/lib/suricata/update/cache (or + update/cache under configured data directory). +- list-sources: If no index is found, automatically run + update-sources. Fixes issue + https://redmine.openinfosecfoundation.org/issues/2336. +- New testing framework, integration tests and a docker test with the + focus of testing on more versions of Python. +- Allow a custom HTTP User-Agent to be set + (https://redmine.openinfosecfoundation.org/issues/2344). +- Command line option and configuration parameter to set the + suricata.yaml configuration file used + (https://redmine.openinfosecfoundation.org/issues/2350). +- Allow the Suricata application to be set in the configuration file. +- Allow disabling of TLS certificate validation + (--no-check-certificate). +- Safe loading of YAML files + (https://redmine.openinfosecfoundation.org/issues/2359) + +## 1.0.0a1 - 2017-12-05 +- Initial alpha release of Suricata-Update. A Suricata rule update tool + based on idstools-rulecat, relicensed under the GPLv2 with copyright + assigned to the OISF. +- Features are derived from idstools-rulecat, but with more + opinionated defaults. +- Supports an index of rule sources to aid in discovery of rulesets. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..d159169 --- /dev/null +++ b/LICENSE @@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. diff --git a/MANIFEST.in b/MANIFEST.in new file mode 100644 index 0000000..5d8c23a --- /dev/null +++ b/MANIFEST.in @@ -0,0 +1,4 @@ +include LICENSE +include suricata/update/configs/*.conf +include suricata/update/configs/*.in +include suricata/update/configs/*.yaml diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..577b562 --- /dev/null +++ b/Makefile @@ -0,0 +1,50 @@ +.PHONY: doc + +all: build + +build: + python setup.py build + +install: + python setup.py install + +tox: + @if ! which tox 2>&1 > /dev/null; then \ + echo "error: tox required to run tests"; \ + exit 1; \ + fi + +test: tox + @tox + +integration-test: tox + @tox -c tox-integration.ini + +docker-test: + @if ! which docker 2>&1 > /dev/null; then \ + echo "error: docker is required to run docker tests"; \ + exit 1; \ + fi + @for test in $(wildcard tests/docker*); do \ + (cd $$test && $(MAKE)); \ + done + +clean: + find . -name \*.pyc -print0 | xargs -0 rm -f + find . -name \*~ -print0 | xargs -0 rm -f + find . -name __pycache__ -type d -print0 | xargs -0 rm -rf + rm -rf suricata_update.egg* + rm -rf build dist MANIFEST + cd doc && $(MAKE) clean + +doc: + cd doc && $(MAKE) clean html + +sdist: + python setup.py sdist + +sdist-upload: + python setup.py sdist upload + +update-index: + python -m suricata.update.data.update diff --git a/README.rst b/README.rst new file mode 100644 index 0000000..36503a6 --- /dev/null +++ b/README.rst @@ -0,0 +1,123 @@ +Suricata-Update +=============== + +The tool for updating your Suricata rules. + +Installation +------------ + + pip install --upgrade suricata-update + +Documentation +------------- + +https://suricata-update.readthedocs.io/en/latest/ + +Issues +------ + +https://redmine.openinfosecfoundation.org/projects/suricata-update + +Example Usage +------------- + + suricata-update + +The default invocation of ``suricata-update`` will perform the following: + +- Read the configuration, /etc/suricata/update.yaml, if it exists. +- Read in the rule filter configuration files: + + - /etc/suricata/disable.conf + - /etc/suricata/enable.conf + - /etc/suricata/drop.conf + - /etc/suricata/modify.conf + +- Download the best version of the Emerging Threats Open ruleset for + the version of Suricata found. +- Read in the rule files provided with the Suricata distribution from + /etc/suricata/rules. +- Apply disable, enable, drop and modify filters. +- Resolve flowbits. +- Write the rules to /var/lib/suricata/rules/suricata.rules. + +If you are not yet ready to use /var/lib/suricata/rules then you may +be interested in the `--output +`_ and +`--no-merge +`_ +command line options. + +Suricata Configuration +---------------------- + +The default Suricata configuration needs to be updated to find the rules +in the new location. + +Example suricata.yaml + +.. code-block:: yaml + + default-rule-path: /var/lib/suricata/rules + rule-files: + - suricata.rules + +Optionally ``-S /var/lib/suricata/rules/suricata.rules`` could be +provided on the Suricata command line. + +Notes +----- + +This ``suricata-update`` tool is based around the idea +``/etc/suricata`` should not be used for active rule management, but +instead as a location for more or less static configuration. Instead +``/var/lib/suricata`` is used for rule management and +``/etc/suricata/rules`` is used as a source for rule files provided by +the Suricata distribution. + +Files and Directories +--------------------- + +``/usr/share/suricata/rules`` + Used as a source of rules provided by the Suricata engine. If this + directory does not exist, ``etc/suricata/rules`` will be used. + +``/etc/suricata/update.yaml`` + The default location for the ``suricata-update`` configuration file. + +``/etc/suricata/disable.conf`` + Default location for disable rule filters if not provided in the + configuration file or command line. + +``/etc/suricata/enable.conf`` + Default location for enable rule filters if not provided in the + configuration file or command line. + +``/etc/suricata/drop.conf`` + Default location for drop rule filters if not provided in the + configuration file or command line. + +``/etc/suricata/modify.conf`` + Default location for modify rule filters if not provided in the + configuration file or command line. + +``/var/lib/suricata/rules`` + The output directory for rules processed by the ``suricata-update`` + tool. This directory is owned and managed by ``suricata-update`` and + should not be touched by the user. + +``/var/lib/suricata/rules/suricata.rules`` + The default output filename for the rules processed by ``suricata-update``. + + This is a single file that contains all the rules from all input + files and should be used by Suricata. + +``/var/lib/suricata/update/cache`` + Directory where downloaded rule files are cached here. + +``/var/lib/suricata/rules/cache/index.yaml`` + Cached copy of the rule source index. + +``/var/lib/suricata/update/sources`` + Configuration direction for sources enabled or added with + ``enable-source`` or ``add-source``. diff --git a/bin/suricata-update b/bin/suricata-update new file mode 100755 index 0000000..94ea2ba --- /dev/null +++ b/bin/suricata-update @@ -0,0 +1,36 @@ +#! /usr/bin/env python +# +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import sys +import os + +exec_dir = os.path.dirname(__file__) + +# Check if we were installed along with Suricata, and setup the path if so. +libpath = os.path.realpath( + os.path.join(exec_dir, os.pardir, "lib/suricata/python")) +if os.path.exists(os.path.join(libpath, "suricata", "update")): + sys.path.insert(0, libpath) + +# If running out of the source directory, make sure we pick up the +# library from the current directory. +sys.path.insert( + 0, os.path.dirname(os.path.dirname(os.path.abspath(sys.argv[0])))) + +from suricata.update import main +sys.exit(main.main()) diff --git a/doc/Makefile b/doc/Makefile new file mode 100644 index 0000000..bfa0803 --- /dev/null +++ b/doc/Makefile @@ -0,0 +1,156 @@ +# Makefile for Sphinx documentation +# + +# You can set these variables from the command line. +SPHINXOPTS = +SPHINXBUILD = sphinx-build +SPHINXAPIDOC = sphinx-apidoc +PAPER = +BUILDDIR = _build + +# Internal variables. +PAPEROPT_a4 = -D latex_paper_size=a4 +PAPEROPT_letter = -D latex_paper_size=letter +ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . +# the i18n builder cannot share the environment and doctrees with the others +I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . + +.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext + +all: html + +help: + @echo "Please use \`make ' where is one of" + @echo " html to make standalone HTML files" + @echo " dirhtml to make HTML files named index.html in directories" + @echo " singlehtml to make a single large HTML file" + @echo " pickle to make pickle files" + @echo " json to make JSON files" + @echo " htmlhelp to make HTML files and a HTML help project" + @echo " qthelp to make HTML files and a qthelp project" + @echo " devhelp to make HTML files and a Devhelp project" + @echo " epub to make an epub" + @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter" + @echo " latexpdf to make LaTeX files and run them through pdflatex" + @echo " text to make text files" + @echo " man to make manual pages" + @echo " texinfo to make Texinfo files" + @echo " info to make Texinfo files and run them through makeinfo" + @echo " gettext to make PO message catalogs" + @echo " changes to make an overview of all changed/added/deprecated items" + @echo " linkcheck to check all external links for integrity" + @echo " doctest to run all doctests embedded in the documentation (if enabled)" + +clean: + -rm -rf $(BUILDDIR)/* + +html: + $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html + @echo + @echo "Build finished. The HTML pages are in $(BUILDDIR)/html." + +dirhtml: + $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml + @echo + @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml." + +singlehtml: + $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml + @echo + @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml." + +pickle: + $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle + @echo + @echo "Build finished; now you can process the pickle files." + +json: + $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json + @echo + @echo "Build finished; now you can process the JSON files." + +htmlhelp: + $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp + @echo + @echo "Build finished; now you can run HTML Help Workshop with the" \ + ".hhp project file in $(BUILDDIR)/htmlhelp." + +qthelp: + $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp + @echo + @echo "Build finished; now you can run "qcollectiongenerator" with the" \ + ".qhcp project file in $(BUILDDIR)/qthelp, like this:" + @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/suricataupdate.qhcp" + @echo "To view the help file:" + @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/suricataupdate.qhc" + +devhelp: + $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp + @echo + @echo "Build finished." + @echo "To view the help file:" + @echo "# mkdir -p $$HOME/.local/share/devhelp/suricataupdate" + @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/suricataupdate" + @echo "# devhelp" + +epub: + $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub + @echo + @echo "Build finished. The epub file is in $(BUILDDIR)/epub." + +latex: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo + @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex." + @echo "Run \`make' in that directory to run these through (pdf)latex" \ + "(use \`make latexpdf' here to do that automatically)." + +latexpdf: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo "Running LaTeX files through pdflatex..." + $(MAKE) -C $(BUILDDIR)/latex all-pdf + @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." + +text: + $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text + @echo + @echo "Build finished. The text files are in $(BUILDDIR)/text." + +man: + $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man + @echo + @echo "Build finished. The manual pages are in $(BUILDDIR)/man." + +texinfo: + $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo + @echo + @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo." + @echo "Run \`make' in that directory to run these through makeinfo" \ + "(use \`make info' here to do that automatically)." + +info: + $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo + @echo "Running Texinfo files through makeinfo..." + make -C $(BUILDDIR)/texinfo info + @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo." + +gettext: + $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale + @echo + @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale." + +changes: + $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes + @echo + @echo "The overview file is in $(BUILDDIR)/changes." + +linkcheck: + $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck + @echo + @echo "Link check complete; look for any errors in the above output " \ + "or in $(BUILDDIR)/linkcheck/output.txt." + +doctest: + $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest + @echo "Testing of doctests in the sources finished, look at the " \ + "results in $(BUILDDIR)/doctest/output.txt." diff --git a/doc/_static/.gitignore b/doc/_static/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/doc/add-source.rst b/doc/add-source.rst new file mode 100644 index 0000000..c49692c --- /dev/null +++ b/doc/add-source.rst @@ -0,0 +1,45 @@ +################################ +add-source - Add a source by URL +################################ + +Synopsis +======== + +:: + + suricata-update add-source + +Description +=========== + +The ``add-source`` adds a source to the set of enabled sources by +URL. It is useful to add a source that is not provided in the index. + +Options +======= + +.. option:: --http-header "Header: Value" + + Add an additional HTTP header to requests for this rule source such + as a custom API key. Example:: + + add-source --http-header "X-API-Key: 1234" + + HTTP basic authentication can be achieved by setting the HTTP Basic + Authentication header with ``base64(user1:password1)``. Example:: + + add-source --http-header "Authorization: Basic dXNlcjE6cGFzc3dvcmQx" + + HTTP Bearer authentication can be used by setting the HTTP Bearer Authentication header + with a OAuth2 token containing printable ASCII characters. Example:: + + add-source --http-header "Auhorization: Bearer NjA2MTUOTAx?D+wOm4U/vpXQy0xhl!hSaR7#ENVpK59" + +.. option:: --no-checksum + + Skips downloading the checksum URL for the rule source. + +Common Options +============== + +.. include:: ./common-options.rst diff --git a/doc/check-versions.rst b/doc/check-versions.rst new file mode 100644 index 0000000..8be2e0a --- /dev/null +++ b/doc/check-versions.rst @@ -0,0 +1,21 @@ +########################################## +check-versions - Check version of Suricata +########################################## + +Synopsis +======== + +:: + + suricata-update check-versions + +Description +=========== + +The ``check-versions`` command checks if the installed Suricata version is up +to date. + +Options +======= + +.. include:: common-options.rst diff --git a/doc/common-options.rst b/doc/common-options.rst new file mode 100644 index 0000000..d56df99 --- /dev/null +++ b/doc/common-options.rst @@ -0,0 +1,51 @@ +.. option:: -h, --help + + Show help. + +.. option:: -D , --data-dir + + Set an alternate data directory. + + Default: */var/lib/suricata* + +.. option:: -c , --config + + Path to the suricata-update config file. + + Default: */etc/suricata/update.yaml* + +.. option:: -q, --quiet + + Run quietly. Only warning and error messages will be displayed. + +.. option:: -v, --verbose + + Provide more verbose output. + +.. option:: --suricata-conf + + Path to the suricata config file. + + Default: */etc/suricata/suricata.yaml* + +.. option:: --suricata + + The path to the Suricata program. If not provided + ``suricata-update`` will attempt to find Suricata on your path. + + The Suricata program is used to determine the version of Suricata + as well as providing information about the Suricata configuration. + +.. option:: --suricata-version + + Set the Suricata version to a specific version instead of checking + the version of Suricata on the path. + +.. option:: --user-agent + + Set a custom user agent string for HTTP requests. + +.. option:: -s, --show-advanced + + Show advanced options. + \ No newline at end of file diff --git a/doc/conf.py b/doc/conf.py new file mode 100644 index 0000000..b779bc9 --- /dev/null +++ b/doc/conf.py @@ -0,0 +1,247 @@ +# -*- coding: utf-8 -*- +# +# Suricata-Update documentation build configuration file, created by +# sphinx-quickstart on Wed Jul 17 23:14:56 2013. +# +# This file is execfile()d with the current directory set to its containing dir. +# +# Note that not all possible configuration values are present in this +# autogenerated file. +# +# All configuration values have a default; values that are commented out +# serve to show the default. + +import sys, os + +# If extensions (or modules to document with autodoc) are in another directory, +# add these directories to sys.path here. If the directory is relative to the +# documentation root, use os.path.abspath to make it absolute, like shown here. +sys.path.insert(0, os.path.abspath('..')) + +# -- General configuration ----------------------------------------------------- + +# If your documentation needs a minimal Sphinx version, state it here. +#needs_sphinx = '1.0' + +# Add any Sphinx extension module names here, as strings. They can be extensions +# coming with Sphinx (named 'sphinx.ext.*') or your custom ones. +extensions = ['sphinx.ext.autodoc', + 'sphinx.ext.ifconfig', + 'sphinx.ext.viewcode', + 'sphinxcontrib.programoutput'] + +# Add any paths that contain templates here, relative to this directory. +templates_path = ['_templates'] + +# The suffix of source filenames. +source_suffix = '.rst' + +# The encoding of source files. +#source_encoding = 'utf-8-sig' + +# The master toctree document. +master_doc = 'index' + +# General information about the project. +project = u'suricata-update' +copyright = u'2017, OISF' + +# The version info for the project you're documenting, acts as replacement for +# |version| and |release|, also used in various other places throughout the +# built documents. +# +# The short X.Y version. +import suricata.update.version + +version = suricata.update.version.version +release = version + +# The language for content autogenerated by Sphinx. Refer to documentation +# for a list of supported languages. +#language = None + +# There are two options for replacing |today|: either, you set today to some +# non-false value, then it is used: +#today = '' +# Else, today_fmt is used as the format for a strftime call. +#today_fmt = '%B %d, %Y' + +# List of patterns, relative to source directory, that match files and +# directories to ignore when looking for source files. +exclude_patterns = ['_build'] + +# The reST default role (used for this markup: `text`) to use for all documents. +#default_role = None + +# If true, '()' will be appended to :func: etc. cross-reference text. +#add_function_parentheses = True + +# If true, the current module name will be prepended to all description +# unit titles (such as .. function::). +#add_module_names = True + +# If true, sectionauthor and moduleauthor directives will be shown in the +# output. They are ignored by default. +#show_authors = False + +# The name of the Pygments (syntax highlighting) style to use. +pygments_style = 'sphinx' + +# A list of ignored prefixes for module index sorting. +#modindex_common_prefix = [] + + +# -- Options for HTML output --------------------------------------------------- + +# The theme to use for HTML and HTML Help pages. See the documentation for +# a list of builtin themes. +html_theme = 'default' + +# Theme options are theme-specific and customize the look and feel of a theme +# further. For a list of options available for each theme, see the +# documentation. +#html_theme_options = {} + +# Add any paths that contain custom themes here, relative to this directory. +#html_theme_path = [] + +# The name for this set of Sphinx documents. If None, it defaults to +# " v documentation". +#html_title = None + +# A shorter title for the navigation bar. Default is the same as html_title. +#html_short_title = None + +# The name of an image file (relative to this directory) to place at the top +# of the sidebar. +#html_logo = None + +# The name of an image file (within the static path) to use as favicon of the +# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 +# pixels large. +#html_favicon = None + +# Add any paths that contain custom static files (such as style sheets) here, +# relative to this directory. They are copied after the builtin static files, +# so a file named "default.css" will overwrite the builtin "default.css". +html_static_path = ['_static'] + +# If not '', a 'Last updated on:' timestamp is inserted at every page bottom, +# using the given strftime format. +#html_last_updated_fmt = '%b %d, %Y' + +# If true, SmartyPants will be used to convert quotes and dashes to +# typographically correct entities. +#html_use_smartypants = True + +# Custom sidebar templates, maps document names to template names. +#html_sidebars = {} + +# Additional templates that should be rendered to pages, maps page names to +# template names. +#html_additional_pages = {} + +# If false, no module index is generated. +#html_domain_indices = True + +# If false, no index is generated. +#html_use_index = True + +# If true, the index is split into individual pages for each letter. +#html_split_index = False + +# If true, links to the reST sources are added to the pages. +#html_show_sourcelink = True + +# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. +#html_show_sphinx = True + +# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. +#html_show_copyright = True + +# If true, an OpenSearch description file will be output, and all pages will +# contain a tag referring to it. The value of this option must be the +# base URL from which the finished HTML is served. +#html_use_opensearch = '' + +# This is the file name suffix for HTML files (e.g. ".xhtml"). +#html_file_suffix = None + +# Output file base name for HTML help builder. +htmlhelp_basename = 'suricataupdatedoc' + + +# -- Options for LaTeX output -------------------------------------------------- + +latex_elements = { +# The paper size ('letterpaper' or 'a4paper'). +#'papersize': 'letterpaper', + +# The font size ('10pt', '11pt' or '12pt'). +#'pointsize': '10pt', + +# Additional stuff for the LaTeX preamble. +#'preamble': '', +} + +# Grouping the document tree into LaTeX files. List of tuples +# (source start file, target name, title, author, documentclass [howto/manual]). +latex_documents = [ + ('index', 'suricata-update.tex', u'Suricata Update Documentation', + u'OISF', 'manual'), +] + +# The name of an image file (relative to this directory) to place at the top of +# the title page. +#latex_logo = None + +# For "manual" documents, if this is true, then toplevel headings are parts, +# not chapters. +#latex_use_parts = False + +# If true, show page references after internal links. +#latex_show_pagerefs = False + +# If true, show URL addresses after external links. +#latex_show_urls = False + +# Documents to append as an appendix to all manuals. +#latex_appendices = [] + +# If false, no module index is generated. +#latex_domain_indices = True + + +# -- Options for manual page output -------------------------------------------- + +# One entry per manual page. List of tuples +# (source start file, name, description, authors, manual section). +man_pages = [ + ('index', 'suricata-update', u'Suricata Update', [], 1) +] + +# If true, show URL addresses after external links. +#man_show_urls = False + + +# -- Options for Texinfo output ------------------------------------------------ + +# Grouping the document tree into Texinfo files. List of tuples +# (source start file, target name, title, author, +# dir menu entry, description, category) +texinfo_documents = [ + ('index', 'suricata-update', u'Suricata Update Documentation', + u'OISF', 'suricata-update', 'Suricata Update Documentation.', + 'Miscellaneous'), +] + +# Documents to append as an appendix to all manuals. +#texinfo_appendices = [] + +# If false, no module index is generated. +#texinfo_domain_indices = True + +# How to display URL addresses: 'footnote', 'no', or 'inline'. +#texinfo_show_urls = 'footnote' + +highlight_language = "none" diff --git a/doc/disable-source.rst b/doc/disable-source.rst new file mode 100644 index 0000000..b2c9ef0 --- /dev/null +++ b/doc/disable-source.rst @@ -0,0 +1,22 @@ +########################################## +disable-source - Disable an enabled source +########################################## + +Synopsis +======== + +:: + + suricata-update disable-source + +Description +=========== + +The ``disable-source`` command disables a currently enabled +source. The configuration for the source is not removed, allowing it +to be re-enabled without having to re-enter any required parameters. + +Options +======= + +.. include:: ./common-options.rst diff --git a/doc/enable-source.rst b/doc/enable-source.rst new file mode 100644 index 0000000..476b87f --- /dev/null +++ b/doc/enable-source.rst @@ -0,0 +1,35 @@ +############################### +enable-source - Enable a source +############################### + +Synopsis +======== + +:: + + suricata-update enable-source [param=val ...] + +Description +=========== + +Enable a source that is listed in the index. + +If the index requires user provided parameters the user will be +prompted for them. Alternatively they can be provided on command line +to avoid the prompt. + +For example:: + + suricata-update enable-source et/pro secret-code=xxxxxxxxxxxxxxxx + +This will prevent the prompt for the et/pro secret code using the +value provided on the command line instead. + +To update parameters for enabled sources, just re-run the ``enable-source`` +command above again with changed parameters. Changed parameters will be +updated in the stored configuration. + +Options +======= + +.. include:: ./common-options.rst diff --git a/doc/index.rst b/doc/index.rst new file mode 100644 index 0000000..a9268c9 --- /dev/null +++ b/doc/index.rst @@ -0,0 +1,16 @@ +############################################# +suricata-update - A Suricata Rule Update Tool +############################################# + +.. toctree:: + :maxdepth: 2 + + quickstart + update + update-sources + list-sources + enable-source + disable-source + remove-source + add-source + check-versions diff --git a/doc/list-sources.rst b/doc/list-sources.rst new file mode 100644 index 0000000..f4b36eb --- /dev/null +++ b/doc/list-sources.rst @@ -0,0 +1,28 @@ +######################################## +list-sources - List available sources +######################################## + +Synopsis +======== + +:: + + suricata-update list-sources + +Description +=========== + +The ``list-sources`` command lists all the available sources. + +Options +======= + +.. include:: common-options.rst + +.. option:: --free + + List all freely available sources. + +.. option:: --enabled + + Lists all the enabled sources. diff --git a/doc/quickstart.rst b/doc/quickstart.rst new file mode 100644 index 0000000..bf57de5 --- /dev/null +++ b/doc/quickstart.rst @@ -0,0 +1,209 @@ +Quick Start +########### + +Install Suricata Update +======================= + +Suricata-Update is bundled with all supported versions of Suricata and +should be installed when Suricata is installed. Please check if +``suricata-update`` is already installed before proceeding with these +installation directions, for example, the following command will tell +you the version:: + + suricata-update -V + +You should only need to install Suricata-Update manually if it is +required independently of a Suricata install. + +Suricata-Update is a tool written in Python and best installed with +the ``pip`` tool for installing Python packages. + +Pip can install ``suricata-update`` globally making it available to +all users or it can install ``suricata-update`` into your home +directory. + +To install ``suricata-update`` globally:: + + pip install --upgrade suricata-update + +or to install it to your own directory:: + + pip install --user --upgrade suricata-update + +Pip can also be used to install the latest development version of +Suricata-Update:: + + pip install --user --upgrade \ + https://github.com/oisf/suricata-update/archive/master.zip + +.. note:: When installing to your home directory the + ``suricata-update`` program will be installed to + $HOME/.local/bin, so make sure this directory is in your + path:: + + export PATH=$HOME/.local/bin:$PATH + +Directories and Permissions +=========================== + +In order for ``suricata-update`` to function, the following +permissions are required: + +* Directory /etc/suricata: read/write access +* Directory /var/lib/suricata/rules: read/write access +* Directory /var/lib/suricata/update: read/write access + +One option is to simply run ``suricata-update`` as root or with +``sudo``. + +.. note:: It is recommended to create a ``suricata`` group and setup + the above directories with the correct permissions for + the ``suricata`` group then add users to the ``suricata`` + group. + +Steps to setup the above directories with the correct permissions: + +First, create a group ``suricata``:: + + sudo groupadd suricata + +Next, change the group of the directories and its files recursively:: + + sudo chgrp -R suricata /etc/suricata + sudo chgrp -R suricata /var/lib/suricata/rules + sudo chgrp -R suricata /var/lib/suricata/update + +.. note:: The paths ``/etc/suricata`` and ``/var/lib`` above are used + in the default configuration and are dependent on paths set + during compilation. By default, these paths are set to + ``/usr/local``. + Please check your configuration for appropriate paths. + +Setup the directories with the correct permissions for the ``suricata`` +group:: + + sudo chmod -R g+r /etc/suricata/ + sudo chmod -R g+rw /var/lib/suricata/rules + sudo chmod -R g+rw /var/lib/suricata/update + +Now, add user to the group:: + + sudo usermod -a -G suricata username + +Verify whether group has been changed:: + + ls -al /etc/suricata + ls -al /var/lib/suricata/rules + ls -al /var/lib/suricata/update + +Reboot your system. Run ``suricata-update`` without a sudo to check +if suricata-update functions. + +Update Your Rules +================= + +Without doing any configuration the default operation of +``suricata-update`` is to use the Emerging Threats Open ruleset. + +Example:: + + suricata-update + +This command will: + +* Look for the ``suricata`` program on your path to determine its + version. + +* Look for /etc/suricata/enable.conf, /etc/suricata/disable.conf, + /etc/suricata/drop.conf, and /etc/suricata/modify.conf to look for + filters to apply to the downloaded rules. These files are optional + and do not need to exist. + +* Download the Emerging Threats Open ruleset for your version of + Suricata, defaulting to 6.0.0 if not found. + +* Apply enable, disable, drop and modify filters as loaded above. + +* Write out the rules to ``/var/lib/suricata/rules/suricata.rules``. + +* Run Suricata in test mode on + ``/var/lib/suricata/rules/suricata.rules``. + +.. note:: Suricata-Update is also capable of triggering a rule reload, + but doing so requires some extra configuration that will be + covered later. See the documentation of + :command:`--reload-command=` for more details. + +Configure Suricata to Load Suricata-Update Managed Rules +======================================================== + +.. note:: If ``suricata-update`` was installed for you by Suricata, + then your Suricata configuration should already be setup to + work with Suricata-Update. + +If upgrading from an older version of Suricata, or running a +development version that may not be bundled with Suricata-Update, you +will have to check that your ``suricata.yaml`` is configured for +Suricata-Update. The main difference is the ``default-rule-path`` +which is ``/var/lib/suricata/rules`` when using Suricata-Update. + +You will want to update your ``suricata.yaml`` to have the following:: + + default-rule-path: /var/lib/suricata/rules + rule-files: + - suricata.rules + +If you have local rules you would like Suricata to load, these can be +listed here as well by using the full path name. + +Discover Other Available Rule Sources +===================================== + +First update the rule source index with the ``update-sources`` command, +for example:: + + suricata-update update-sources + +Then list the sources from the index. Example:: + + suricata-update list-sources + +Now enable the **ptresearch/attackdetection** ruleset:: + + suricata-update enable-source ptresearch/attackdetection + +And update your rules again:: + + suricata-update + +List Enabled Sources +==================== + +:: + + suricata-update list-sources --enabled + +Disable a Source +================ + +:: + + suricata-update disable-source et/pro + +Disabling a source keeps the source configuration but disables. This +is useful when a source requires parameters such as a code that you +don't want to lose, which would happen if you removed a source. + +Enabling a disabled source re-enables without prompting for user +inputs. + +Remove a Source +=============== + +:: + + suricata-update remove-source et/pro + +This removes the local configuration for this source. Re-enabling +**et/pro** will requiring re-entering your access code. + diff --git a/doc/remove-source.rst b/doc/remove-source.rst new file mode 100644 index 0000000..f8e3135 --- /dev/null +++ b/doc/remove-source.rst @@ -0,0 +1,21 @@ +########################################## +remove-source - Remove a configured source +########################################## + +Synopsis +======== + +:: + + suricata-update remove-source + +Description +=========== + +Remove a source configuration. This removes the source file from +``/var/lib/suricata/update/sources``, even if its disabled. + +Options +======= + +.. include:: ./common-options.rst diff --git a/doc/update-sources.rst b/doc/update-sources.rst new file mode 100644 index 0000000..ade1246 --- /dev/null +++ b/doc/update-sources.rst @@ -0,0 +1,40 @@ +######################################## +update-sources - Update the source index +######################################## + +Synopsis +======== + +:: + + suricata-update update-sources + +Description +=========== + +The ``update-sources`` command downloads the latest index of available +sources. + +Options +======= + +.. include:: common-options.rst + +Files and Directories +===================== + +``/var/lib/suricata/rules/.cache/index.yaml`` + Where the downloaded source index is cached. + +Environment Variables +===================== + +**SOURCE_INDEX_URL** + This environment variable allows the specification of an alternate + URL to download the index from. + +URLs +==== + +``https://www.openinfosecfoundation.org/rules/index.yaml`` + The default URL used to download the index from. diff --git a/doc/update.rst b/doc/update.rst new file mode 100644 index 0000000..c3db62e --- /dev/null +++ b/doc/update.rst @@ -0,0 +1,324 @@ +######################## +suricata-update - Update +######################## + +Synopsis +======== + +``suricata-update`` [OPTIONS] + +Description +=========== + +``suricata-update`` aims to be a simple to use rule download and +management tool for Suricata. + +Options +======= + +.. include:: ./common-options.rst + +.. option:: -o, --output + + The directory to output the rules to. + + Default: */var/lib/suricata/rules* + +.. option:: --force + + Force remote rule files to be downloaded if they otherwise wouldn't + be due to just recently downloaded, or the remote checksum matching + the cached copy. + +.. option:: --no-merge + + Do not merge the rules into a single rule file. + + *Warning: No attempt is made to resolve conflicts if 2 input rule files have the same name.* + +.. option:: --yaml-fragment= + + Output a fragment of YAML containing the *rule-files* section will + all downloaded rule files listed for inclusion in your + *suricata.yaml*. + +.. option:: --url= + + A URL to download rules from. This option can be used multiple + times. + +.. option:: --local= + + A path to a filename or directory of local rule files to include. + + If the path is a directory all files ending in *.rules* will be + loaded. + + Wildcards are accepted but to avoid shell expansion the argument + must be quoted, for example:: + + --local '/etc/suricata/custom-*.rules' + + This option can be specified multiple times. + +.. option:: --sid-msg-map= + + Output a v1 style sid-msg.map file. + +.. option:: --sid-msg-map-2= + + Output a v2 style sid-msg.map file. + +.. option:: --disable-conf= + + Specify the configuration file for disable filters. + + See :ref:`example-disable-conf` + +.. option:: --enable-conf= + + Specify the configuration file for enable rules. + + See :ref:`example-enable-conf` + +.. option:: --modify-conf= + + Specify the configuration file for rule modification filters. + + See :ref:`example-modify-conf` + +.. option:: --drop-conf= + + Specify the configuration file for drop filters. + + See :ref:`example-drop-conf` + +.. option:: --ignore= + + Filenames to ignore. This is a pattern that will be matched against + the basename of a rule files. + + This argument may be specified multiple times. + + Default: *\*deleted.rules* + + Example:: + + --ignore dnp3-events.rules --ignore deleted.rules --ignore "modbus*" + + .. note:: + + If specified the default value of *\*deleted.rules* will no longer + be used, so add it as an extra ignore if needed. + +.. option:: --no-ignore + + Disable the --ignore option. Most useful to disable the default + ignore pattern without adding others. + +.. option:: --etopen + + Download the ET/Open ruleset. + + This is the default action of no ``--url`` options are provided or + no sources are configured. + + Use this option to enable the ET/Open ruleset in addition to any + URLs provided on the command line or sources provided in the + configuration. + +.. option:: --dump-sample-configs + + Output sample configuration files for the ``--disable``, + ``--enable``, ``--modify`` and ``--threshold-in`` commands. + +.. option:: --threshold-in= + + Specify the threshold.conf input template. + +.. option:: --threshold-out= + + Specify the name of the processed threshold.conf to output. + +.. option:: -T , --test-command + + Specifies a custom test command to test the rules before reloading + Suricata. This overrides the default command and can also be + specified in the configuration file under ``test-command``. + +.. option:: --no-test + + Disables the test command and proceed as if it had passed. + +.. option:: --reload-command= + + A command to run after the rules have been updated; will not run if + no change to the output files was made. For example:: + + --reload-command='sudo kill -USR2 $(pidof suricata)' + + will tell Suricata to reload its rules. + + Furthermore the reload can be triggered using the Unix socket of Suricata. + + Blocking reload (with Suricata waiting for the reload to finish):: + + --reload-command='sudo suricatasc -c reload-rules' + + Non blocking reload (without restarting Suricata):: + + --reload-command='sudo suricatasc -c ruleset-reload-nonblocking' + + See the Suricata documentation on `Rule Reloads + `_ + for more information. + +.. option:: --no-reload + + Disable Suricata rule reload. + +.. option:: -V, --version + + Display the version of **suricata-update**. + +.. option:: --offline + + Run offline using most recent cached rules. + +Rule Matching +============= + +Matching rules for disabling, enabling, converting to drop or +modification can be done with the following: + +- signature ID +- regular expression +- rule group +- filename + +Signature ID Matching +--------------------- + +A signature ID can be matched by just its signature ID, for example:: + + 1034 + +The generator ID can also be used for compatibility with other tools:: + + 1:1034 + +Regular Expression Matching +--------------------------- + +Regular expression matching will match a regular expression over the +complete rule. Example:: + + re:heartbleed + re:MS(0[7-9]|10)-\d+ + +Group Matching +-------------- + +The group matcher matches against the group the rule was loaded +from. Basically this is the filename without the leading path or file +extension. Example:: + + group:emerging-icmp.rules + group:emerging-dos + +Wild card matching similar to wildcards used in a Unix shell can also +be used:: + + group:*deleted* + +Filename Matching +----------------- + +The filename matcher matches against the filename the rule was loaded +from taking into consideration the full path. Shell wildcard patterns +are allowed:: + + filename:rules/*deleted* + filename:*/emerging-dos.rules + +Metadata Matching +----------------- + +Rules can be enabled or disabled based on the metadata fields +contained in the rule, for example:: + + metadata: deployment perimeter + +Will match rules that have a metadata field of "deployment" with the +value of "perimeter" (case insensitive). This will match on a rule +with the provided metadata:: + + metadata:affected_product Any, attack_target Any, deployment Perimeter + +.. note:: Metadata matching can only be used to enable, disable or + convert rules to drop. It is not available for rule + modification. + +Modifying Rules +--------------- + +Rule modification can be done with regular expression search and +replace. The basic format for a rule modification specifier is:: + + + +where is one of the rule matchers from above, is the +text to be replaced and is the replacement text. + +Example converting all alert rules to drop:: + + re:. ^alert drop + +Example converting all drop rules with noalert back to alert:: + + re:. "^drop(.*)noalert(.*)" "alert\\1noalert\\2" + +Order of application of configuration files +=========================================== +1. disable.conf +2. enable.conf +3. drop.conf +4. modify.conf + +Example Configuration Files +=========================== + +.. _example_update_yaml: + +Example Configuration File (/etc/suricata/update.yaml) +------------------------------------------------------ + +.. literalinclude:: ../suricata/update/configs/update.yaml + +.. _example-enable-conf: + +Example Configuration to Enable Rules (--enable-conf) +----------------------------------------------------- + +.. literalinclude:: ../suricata/update/configs/enable.conf + +.. _example-disable-conf: + +Example Configuration to Disable Rules (--disable-conf) +-------------------------------------------------------- + +.. literalinclude:: ../suricata/update/configs/disable.conf + +.. _example-drop-conf: + +Example Configuration to convert Rules to Drop (--drop-conf) +------------------------------------------------------------ + +.. literalinclude:: ../suricata/update/configs/drop.conf + +.. _example-modify-conf: + +Example Configuration to modify Rules (--modify-conf) +----------------------------------------------------- + +.. literalinclude:: ../suricata/update/configs/modify.conf diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..410c758 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,4 @@ +sphinxcontrib-programoutput +Sphinx +python-dateutil +PyYAML diff --git a/setup.py b/setup.py new file mode 100644 index 0000000..a6acdf6 --- /dev/null +++ b/setup.py @@ -0,0 +1,60 @@ +import sys +import os.path +import subprocess +import distutils +from distutils.core import setup +from distutils.core import sys + +from suricata.update.version import version + + +version_major = sys.version_info[0] +version_minor = sys.version_info[1] + +if version_major < 3 and version_minor < 7: + print("Suricata-Update requires Python 2.7 or newer.") + sys.exit(0) + +def write_git_revision(): + if not os.path.exists(".git"): + return + try: + revision = subprocess.check_output( + ["git", "rev-parse", "--short", "HEAD"]) + with open("./suricata/update/revision.py", "w") as fileobj: + fileobj.write("revision = '%s'" % (revision.decode().strip())) + except Exception as err: + print("Failed to get current git revision: %s" % (err)) + +write_git_revision() + +args = { + "name": "suricata-update", + "version": version, + "description": "Suricata Update Tool", + "author": "Jason Ish", + "author_email": "ish@unx.ca", + "packages": [ + "suricata", + "suricata.update", + "suricata.update.commands", + "suricata.update.configs", + "suricata.update.compat", + "suricata.update.compat.argparse", + "suricata.update.data", + ], + "package_data": {"suricata.update.configs": ["*.conf", "*.yaml", "*.in"]}, + "url": "https://github.com/OISF/suricata-update", + "license": "GPLv2", + "classifiers": [ + 'License :: OSI Approved :: GNU General Public License v2 (GPLv2)', + ], + "scripts": [ + "bin/suricata-update", + ], +} + +if any("pip" in arg for arg in sys.argv): + args["install_requires"] = ["pyyaml", ] + +setup(**args) diff --git a/suricata/__init__.py b/suricata/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/suricata/update/__init__.py b/suricata/update/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/suricata/update/commands/__init__.py b/suricata/update/commands/__init__.py new file mode 100644 index 0000000..e75c80a --- /dev/null +++ b/suricata/update/commands/__init__.py @@ -0,0 +1,23 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from suricata.update.commands import addsource +from suricata.update.commands import listsources +from suricata.update.commands import updatesources +from suricata.update.commands import enablesource +from suricata.update.commands import disablesource +from suricata.update.commands import removesource +from suricata.update.commands import checkversions diff --git a/suricata/update/commands/addsource.py b/suricata/update/commands/addsource.py new file mode 100644 index 0000000..a87095c --- /dev/null +++ b/suricata/update/commands/addsource.py @@ -0,0 +1,72 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import logging + +from suricata.update import config +from suricata.update import sources + +try: + input = raw_input +except: + pass + +logger = logging.getLogger() + + +def register(parser): + parser.add_argument("name", metavar="", nargs="?", + help="Name of source") + parser.add_argument("url", metavar="", nargs="?", help="Source URL") + parser.add_argument("--http-header", metavar="", + help="Additional HTTP header to add to requests") + parser.add_argument("--no-checksum", action="store_false", + help="Skips downloading the checksum URL") + parser.set_defaults(func=add_source) + + +def add_source(): + args = config.args() + + if args.name: + name = args.name + else: + while True: + name = input("Name of source: ").strip() + if name: + break + + if sources.source_name_exists(name): + logger.error("A source with name %s already exists.", name) + return 1 + + if args.url: + url = args.url + else: + while True: + url = input("URL: ").strip() + if url: + break + + checksum = args.no_checksum + + header = args.http_header if args.http_header else None + + source_config = sources.SourceConfiguration( + name, header=header, url=url, checksum=checksum) + sources.save_source_config(source_config) diff --git a/suricata/update/commands/checkversions.py b/suricata/update/commands/checkversions.py new file mode 100644 index 0000000..3492317 --- /dev/null +++ b/suricata/update/commands/checkversions.py @@ -0,0 +1,83 @@ +# Copyright (C) 2019 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import os.path +import logging +from suricata.update import sources, engine + +logger = logging.getLogger() + + +def is_gt(v1, v2): + if v1.full == v2.full: + return False + + if v1.major < v2.major: + return False + elif v1.major > v2.major: + return True + + if v1.minor < v2.minor: + return False + elif v1.minor > v2.minor: + return True + + if v1.patch < v2.patch: + return False + + return True + + +def register(parser): + parser.set_defaults(func=check_version) + + +def check_version(suricata_version): + if "dev" in suricata_version.full: + logger.warning("Development version of Suricata found: %s. " + "Skipping version check.", suricata_version.full) + return + + index_filename = sources.get_index_filename() + if not os.path.exists(index_filename): + logger.warning("No index exists, will use bundled index.") + logger.warning("Please run suricata-update update-sources.") + index = sources.Index(index_filename) + version = index.get_versions() + recommended = engine.parse_version(version["suricata"]["recommended"]) + if not recommended: + logger.error("Recommended version was not parsed properly") + sys.exit(1) + # In case index is out of date + if is_gt(suricata_version, recommended): + return + # Evaluate if the installed version is present in index + upgrade_version = version["suricata"].get(suricata_version.short) + if not upgrade_version: + logger.warning("Suricata version %s has reached EOL. Please upgrade to %s.", + suricata_version.full, recommended.full) + return + if suricata_version.full == upgrade_version: + logger.info("Suricata version %s is up to date", suricata_version.full) + elif upgrade_version == recommended.full: + logger.warning( + "Suricata version %s is outdated. Please upgrade to %s.", + suricata_version.full, recommended.full) + else: + logger.warning( + "Suricata version %s is outdated. Please upgrade to %s or %s.", + suricata_version.full, upgrade_version, recommended.full) + diff --git a/suricata/update/commands/disablesource.py b/suricata/update/commands/disablesource.py new file mode 100644 index 0000000..6a64a7b --- /dev/null +++ b/suricata/update/commands/disablesource.py @@ -0,0 +1,40 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import os +import logging + +from suricata.update import config +from suricata.update import sources + +logger = logging.getLogger() + +def register(parser): + parser.add_argument("name") + parser.set_defaults(func=disable_source) + +def disable_source(): + name = config.args().name + filename = sources.get_enabled_source_filename(name) + if not os.path.exists(filename): + logger.debug("Filename %s does not exist.", filename) + logger.warning("Source %s is not enabled.", name) + return 0 + logger.debug("Renaming %s to %s.disabled.", filename, filename) + os.rename(filename, "%s.disabled" % (filename)) + logger.info("Source %s has been disabled", name) diff --git a/suricata/update/commands/enablesource.py b/suricata/update/commands/enablesource.py new file mode 100644 index 0000000..53bb68a --- /dev/null +++ b/suricata/update/commands/enablesource.py @@ -0,0 +1,162 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import os +import logging + +import yaml + +from suricata.update import config +from suricata.update import sources + +try: + input = raw_input +except: + pass + +logger = logging.getLogger() + +default_source = "et/open" + +def register(parser): + parser.add_argument("name") + parser.add_argument("params", nargs="*", metavar="param=val") + parser.set_defaults(func=enable_source) + +def enable_source(): + name = config.args().name + update_params = False + + # Check if source is already enabled. + enabled_source_filename = sources.get_enabled_source_filename(name) + if os.path.exists(enabled_source_filename): + logger.warning("The source %s is already enabled.", name) + update_params = True + + # First check if this source was previous disabled and then just + # re-enable it. + disabled_source_filename = sources.get_disabled_source_filename(name) + if os.path.exists(disabled_source_filename): + logger.info("Re-enabling previously disabled source for %s.", name) + os.rename(disabled_source_filename, enabled_source_filename) + update_params = True + + if not os.path.exists(sources.get_index_filename()): + logger.warning("Source index does not exist, will use bundled one.") + logger.warning("Please run suricata-update update-sources.") + + source_index = sources.load_source_index(config) + + if not name in source_index.get_sources() and not name in sources.get_sources_from_dir(): + logger.error("Unknown source: %s", name) + return 1 + + # Parse key=val options. + opts = {} + for param in config.args().params: + key, val = param.split("=", 1) + opts[key] = val + + params = {} + if update_params: + source = yaml.safe_load(open(sources.get_enabled_source_filename(name), "rb")) + else: + source = source_index.get_sources()[name] + + if "params" in source: + params = source["params"] + for old_param in source["params"]: + if old_param in opts and source["params"][old_param] != opts[old_param]: + logger.info("Updating source parameter '%s': '%s' -> '%s'." % ( + old_param, source["params"][old_param], opts[old_param])) + params[old_param] = opts[old_param] + + if "subscribe-url" in source: + print("The source %s requires a subscription. Subscribe here:" % (name)) + print(" %s" % source["subscribe-url"]) + + if "parameters" in source: + for param in source["parameters"]: + if param in opts: + params[param] = opts[param] + else: + prompt = source["parameters"][param]["prompt"] + while True: + r = input("%s (%s): " % (prompt, param)) + r = r.strip() + if r: + break + params[param] = r.strip() + + if "checksum" in source: + checksum = source["checksum"] + else: + checksum = source.get("checksum", True) + + new_source = sources.SourceConfiguration( + name, params=params, checksum=checksum) + + # If the source directory does not exist, create it. Also create + # the default rule-source of et/open, unless the source being + # enabled replaces it. + source_directory = sources.get_source_directory() + if not os.path.exists(source_directory): + try: + logger.info("Creating directory %s", source_directory) + os.makedirs(source_directory) + except Exception as err: + logger.error( + "Failed to create directory %s: %s", source_directory, err) + return 1 + + if "replaces" in source and default_source in source["replaces"]: + logger.debug( + "Not enabling default source as selected source replaces it") + elif new_source.name == default_source: + logger.debug( + "Not enabling default source as selected source is the default") + else: + logger.info("Enabling default source %s", default_source) + if not source_index.get_source_by_name(default_source): + logger.error("Default source %s not in index", default_source) + else: + default_source_config = sources.SourceConfiguration( + default_source) + write_source_config(default_source_config, True) + + write_source_config(new_source, True) + logger.info("Source %s enabled", new_source.name) + + if "replaces" in source: + for replaces in source["replaces"]: + filename = sources.get_enabled_source_filename(replaces) + if os.path.exists(filename): + logger.info( + "Removing source %s as its replaced by %s", replaces, + new_source.name) + logger.debug("Deleting %s", filename) + os.unlink(filename) + +def write_source_config(config, enabled): + if enabled: + filename = sources.get_enabled_source_filename(config.name) + else: + filename = sources.get_disabled_source_filename(config.name) + with open(filename, "w") as fileobj: + logger.debug("Writing %s", filename) + fileobj.write(yaml.safe_dump(config.dict(), default_flow_style=False)) diff --git a/suricata/update/commands/listsources.py b/suricata/update/commands/listsources.py new file mode 100644 index 0000000..d35c3cd --- /dev/null +++ b/suricata/update/commands/listsources.py @@ -0,0 +1,116 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import logging + +from suricata.update import config +from suricata.update import sources +from suricata.update import util +from suricata.update import exceptions + +logger = logging.getLogger() + +def register(parser): + parser.add_argument("--free", action="store_true", + default=False, help="List all freely available sources") + parser.add_argument("--enabled", action="store_true", + help="List all enabled sources") + parser.add_argument("--all", action="store_true", + help="List all sources (including deprecated and obsolete)") + parser.set_defaults(func=list_sources) + +def list_sources(): + enabled = config.args().enabled or \ + config.args().subcommand == "list-enabled-sources" + + if enabled: + found = False + + # First list sources from the main config. + config_sources = config.get("sources") + if config_sources: + found = True + print("From %s:" % (config.filename)) + for source in config_sources: + print(" - %s" % (source)) + + # And local files. + local = config.get("local") + if local: + found = True + print("Local files/directories:") + for filename in local: + print(" - %s" % (filename)) + + enabled_sources = sources.get_enabled_sources() + if enabled_sources: + found = True + print("Enabled sources:") + for source in enabled_sources.values(): + print(" - %s" % (source["source"])) + + # If no enabled sources were found, log it. + if not found: + logger.warning("No enabled sources.") + return 0 + + free_only = config.args().free + if not sources.source_index_exists(config): + logger.warning("Source index does not exist, will use bundled one.") + logger.warning("Please run suricata-update update-sources.") + + index = sources.load_source_index(config) + for name, source in index.get_sources().items(): + is_not_free = source.get("subscribe-url") + if free_only and is_not_free: + continue + if not config.args().all: + if source.get("deprecated") is not None or \ + source.get("obsolete") is not None: + continue + print("%s: %s" % (util.bright_cyan("Name"), util.bright_magenta(name))) + print(" %s: %s" % ( + util.bright_cyan("Vendor"), util.bright_magenta(source["vendor"]))) + print(" %s: %s" % ( + util.bright_cyan("Summary"), util.bright_magenta(source["summary"]))) + print(" %s: %s" % ( + util.bright_cyan("License"), util.bright_magenta(source["license"]))) + if "tags" in source: + print(" %s: %s" % ( + util.bright_cyan("Tags"), + util.bright_magenta(", ".join(source["tags"])))) + if "replaces" in source: + print(" %s: %s" % ( + util.bright_cyan("Replaces"), + util.bright_magenta(", ".join(source["replaces"])))) + if "parameters" in source: + print(" %s: %s" % ( + util.bright_cyan("Parameters"), + util.bright_magenta(", ".join(source["parameters"])))) + if "subscribe-url" in source: + print(" %s: %s" % ( + util.bright_cyan("Subscription"), + util.bright_magenta(source["subscribe-url"]))) + if "deprecated" in source: + print(" %s: %s" % ( + util.orange("Deprecated"), + util.bright_magenta(source["deprecated"]))) + if "obsolete" in source: + print(" %s: %s" % ( + util.orange("Obsolete"), + util.bright_magenta(source["obsolete"]))) diff --git a/suricata/update/commands/removesource.py b/suricata/update/commands/removesource.py new file mode 100644 index 0000000..f75d5ca --- /dev/null +++ b/suricata/update/commands/removesource.py @@ -0,0 +1,49 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import os +import logging + +from suricata.update import config +from suricata.update import sources + +logger = logging.getLogger() + +def register(parser): + parser.add_argument("name") + parser.set_defaults(func=remove_source) + +def remove_source(): + name = config.args().name + + enabled_source_filename = sources.get_enabled_source_filename(name) + if os.path.exists(enabled_source_filename): + logger.debug("Deleting file %s.", enabled_source_filename) + os.remove(enabled_source_filename) + logger.info("Source %s removed, previously enabled.", name) + return 0 + + disabled_source_filename = sources.get_disabled_source_filename(name) + if os.path.exists(disabled_source_filename): + logger.debug("Deleting file %s.", disabled_source_filename) + os.remove(disabled_source_filename) + logger.info("Source %s removed, previously disabled.", name) + return 0 + + logger.warning("Source %s does not exist.", name) + return 1 diff --git a/suricata/update/commands/updatesources.py b/suricata/update/commands/updatesources.py new file mode 100644 index 0000000..06a0d11 --- /dev/null +++ b/suricata/update/commands/updatesources.py @@ -0,0 +1,105 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import io +import logging +import os + +import yaml +from suricata.update import config, exceptions, net, sources + +logger = logging.getLogger() + + +def register(parser): + parser.set_defaults(func=update_sources) + + +def get_initial_content(): + initial_content = None + if os.path.exists(local_index_filename): + with open(local_index_filename, "r") as stream: + initial_content = yaml.safe_load(stream) + return initial_content + + +def get_sources(before, after): + all_sources = {source: after[source] + for source in after if source not in before} + return all_sources + + +def log_sources(sources_map): + for name, all_sources in sources_map.items(): + if not all_sources: + continue + for source in all_sources: + logger.info("Source %s was %s", source, name) + + +def compare_sources(initial_content, final_content): + if not initial_content: + logger.info("Adding all sources") + return + if initial_content == final_content: + logger.info("No change in sources") + return + initial_sources = initial_content.get("sources") + final_sources = final_content.get("sources") + added_sources = get_sources(before=initial_sources, after=final_sources) + removed_sources = get_sources(before=final_sources, after=initial_sources) + log_sources(sources_map={"added": added_sources, + "removed": removed_sources}) + for source in set(initial_sources) & set(final_sources): + if initial_sources[source] != final_sources[source]: + logger.info("Source %s was changed", source) + + +def write_and_compare(initial_content, fileobj): + try: + with open(local_index_filename, "wb") as outobj: + outobj.write(fileobj.getvalue()) + except IOError as ioe: + logger.error("Failed to open directory: %s", ioe) + return 1 + with open(local_index_filename, "rb") as stream: + final_content = yaml.safe_load(stream) + compare_sources(initial_content, final_content) + logger.info("Saved %s", local_index_filename) + + +def update_sources(): + global local_index_filename + local_index_filename = sources.get_index_filename() + initial_content = get_initial_content() + with io.BytesIO() as fileobj: + url = sources.get_source_index_url() + logger.info("Downloading %s", url) + try: + net.get(url, fileobj) + except Exception as err: + raise exceptions.ApplicationError( + "Failed to download index: %s: %s" % (url, err)) + if not os.path.exists(config.get_cache_dir()): + try: + os.makedirs(config.get_cache_dir()) + except Exception as err: + logger.error("Failed to create directory %s: %s", + config.get_cache_dir(), err) + return 1 + write_and_compare(initial_content=initial_content, fileobj=fileobj) diff --git a/suricata/update/compat/__init__.py b/suricata/update/compat/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/suricata/update/compat/argparse/LICENSE.txt b/suricata/update/compat/argparse/LICENSE.txt new file mode 100644 index 0000000..640bc78 --- /dev/null +++ b/suricata/update/compat/argparse/LICENSE.txt @@ -0,0 +1,20 @@ +argparse is (c) 2006-2009 Steven J. Bethard . + +The argparse module was contributed to Python as of Python 2.7 and thus +was licensed under the Python license. Same license applies to all files in +the argparse package project. + +For details about the Python License, please see doc/Python-License.txt. + +History +------- + +Before (and including) argparse 1.1, the argparse package was licensed under +Apache License v2.0. + +After argparse 1.1, all project files from the argparse project were deleted +due to license compatibility issues between Apache License 2.0 and GNU GPL v2. + +The project repository then had a clean start with some files taken from +Python 2.7.1, so definitely all files are under Python License now. + diff --git a/suricata/update/compat/argparse/__init__.py b/suricata/update/compat/argparse/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/suricata/update/compat/argparse/argparse.py b/suricata/update/compat/argparse/argparse.py new file mode 100644 index 0000000..5a68b70 --- /dev/null +++ b/suricata/update/compat/argparse/argparse.py @@ -0,0 +1,2378 @@ +# Author: Steven J. Bethard . + +"""Command-line parsing library + +This module is an optparse-inspired command-line parsing library that: + + - handles both optional and positional arguments + - produces highly informative usage messages + - supports parsers that dispatch to sub-parsers + +The following is a simple usage example that sums integers from the +command-line and writes the result to a file:: + + parser = argparse.ArgumentParser( + description='sum the integers at the command line') + parser.add_argument( + 'integers', metavar='int', nargs='+', type=int, + help='an integer to be summed') + parser.add_argument( + '--log', default=sys.stdout, type=argparse.FileType('w'), + help='the file where the sum should be written') + args = parser.parse_args() + args.log.write('%s' % sum(args.integers)) + args.log.close() + +The module contains the following public classes: + + - ArgumentParser -- The main entry point for command-line parsing. As the + example above shows, the add_argument() method is used to populate + the parser with actions for optional and positional arguments. Then + the parse_args() method is invoked to convert the args at the + command-line into an object with attributes. + + - ArgumentError -- The exception raised by ArgumentParser objects when + there are errors with the parser's actions. Errors raised while + parsing the command-line are caught by ArgumentParser and emitted + as command-line messages. + + - FileType -- A factory for defining types of files to be created. As the + example above shows, instances of FileType are typically passed as + the type= argument of add_argument() calls. + + - Action -- The base class for parser actions. Typically actions are + selected by passing strings like 'store_true' or 'append_const' to + the action= argument of add_argument(). However, for greater + customization of ArgumentParser actions, subclasses of Action may + be defined and passed as the action= argument. + + - HelpFormatter, RawDescriptionHelpFormatter, RawTextHelpFormatter, + ArgumentDefaultsHelpFormatter -- Formatter classes which + may be passed as the formatter_class= argument to the + ArgumentParser constructor. HelpFormatter is the default, + RawDescriptionHelpFormatter and RawTextHelpFormatter tell the parser + not to change the formatting for help text, and + ArgumentDefaultsHelpFormatter adds information about argument defaults + to the help. + +All other classes in this module are considered implementation details. +(Also note that HelpFormatter and RawDescriptionHelpFormatter are only +considered public as object names -- the API of the formatter objects is +still considered an implementation detail.) +""" + +__version__ = '1.3.0' # we use our own version number independant of the + # one in stdlib and we release this on pypi. + +__external_lib__ = True # to make sure the tests really test THIS lib, + # not the builtin one in Python stdlib + +__all__ = [ + 'ArgumentParser', + 'ArgumentError', + 'ArgumentTypeError', + 'FileType', + 'HelpFormatter', + 'ArgumentDefaultsHelpFormatter', + 'RawDescriptionHelpFormatter', + 'RawTextHelpFormatter', + 'Namespace', + 'Action', + 'ONE_OR_MORE', + 'OPTIONAL', + 'PARSER', + 'REMAINDER', + 'SUPPRESS', + 'ZERO_OR_MORE', +] + + +import copy as _copy +import os as _os +import re as _re +import sys as _sys +import textwrap as _textwrap + +from gettext import gettext as _ + +try: + set +except NameError: + # for python < 2.4 compatibility (sets module is there since 2.3): + from sets import Set as set + +try: + basestring +except NameError: + basestring = str + +try: + sorted +except NameError: + # for python < 2.4 compatibility: + def sorted(iterable, reverse=False): + result = list(iterable) + result.sort() + if reverse: + result.reverse() + return result + + +def _callable(obj): + return hasattr(obj, '__call__') or hasattr(obj, '__bases__') + + +SUPPRESS = '==SUPPRESS==' + +OPTIONAL = '?' +ZERO_OR_MORE = '*' +ONE_OR_MORE = '+' +PARSER = 'A...' +REMAINDER = '...' +_UNRECOGNIZED_ARGS_ATTR = '_unrecognized_args' + +# ============================= +# Utility functions and classes +# ============================= + +class _AttributeHolder(object): + """Abstract base class that provides __repr__. + + The __repr__ method returns a string in the format:: + ClassName(attr=name, attr=name, ...) + The attributes are determined either by a class-level attribute, + '_kwarg_names', or by inspecting the instance __dict__. + """ + + def __repr__(self): + type_name = type(self).__name__ + arg_strings = [] + for arg in self._get_args(): + arg_strings.append(repr(arg)) + for name, value in self._get_kwargs(): + arg_strings.append('%s=%r' % (name, value)) + return '%s(%s)' % (type_name, ', '.join(arg_strings)) + + def _get_kwargs(self): + return sorted(self.__dict__.items()) + + def _get_args(self): + return [] + + +def _ensure_value(namespace, name, value): + if getattr(namespace, name, None) is None: + setattr(namespace, name, value) + return getattr(namespace, name) + + +# =============== +# Formatting Help +# =============== + +class HelpFormatter(object): + """Formatter for generating usage messages and argument help strings. + + Only the name of this class is considered a public API. All the methods + provided by the class are considered an implementation detail. + """ + + def __init__(self, + prog, + indent_increment=2, + max_help_position=24, + width=None): + + # default setting for width + if width is None: + try: + width = int(_os.environ['COLUMNS']) + except (KeyError, ValueError): + width = 80 + width -= 2 + + self._prog = prog + self._indent_increment = indent_increment + self._max_help_position = max_help_position + self._width = width + + self._current_indent = 0 + self._level = 0 + self._action_max_length = 0 + + self._root_section = self._Section(self, None) + self._current_section = self._root_section + + self._whitespace_matcher = _re.compile(r'\s+') + self._long_break_matcher = _re.compile(r'\n\n\n+') + + # =============================== + # Section and indentation methods + # =============================== + def _indent(self): + self._current_indent += self._indent_increment + self._level += 1 + + def _dedent(self): + self._current_indent -= self._indent_increment + assert self._current_indent >= 0, 'Indent decreased below 0.' + self._level -= 1 + + class _Section(object): + + def __init__(self, formatter, parent, heading=None): + self.formatter = formatter + self.parent = parent + self.heading = heading + self.items = [] + + def format_help(self): + # format the indented section + if self.parent is not None: + self.formatter._indent() + join = self.formatter._join_parts + for func, args in self.items: + func(*args) + item_help = join([func(*args) for func, args in self.items]) + if self.parent is not None: + self.formatter._dedent() + + # return nothing if the section was empty + if not item_help: + return '' + + # add the heading if the section was non-empty + if self.heading is not SUPPRESS and self.heading is not None: + current_indent = self.formatter._current_indent + heading = '%*s%s:\n' % (current_indent, '', self.heading) + else: + heading = '' + + # join the section-initial newline, the heading and the help + return join(['\n', heading, item_help, '\n']) + + def _add_item(self, func, args): + self._current_section.items.append((func, args)) + + # ======================== + # Message building methods + # ======================== + def start_section(self, heading): + self._indent() + section = self._Section(self, self._current_section, heading) + self._add_item(section.format_help, []) + self._current_section = section + + def end_section(self): + self._current_section = self._current_section.parent + self._dedent() + + def add_text(self, text): + if text is not SUPPRESS and text is not None: + self._add_item(self._format_text, [text]) + + def add_usage(self, usage, actions, groups, prefix=None): + if usage is not SUPPRESS: + args = usage, actions, groups, prefix + self._add_item(self._format_usage, args) + + def add_argument(self, action): + if action.help is not SUPPRESS: + + # find all invocations + get_invocation = self._format_action_invocation + invocations = [get_invocation(action)] + for subaction in self._iter_indented_subactions(action): + invocations.append(get_invocation(subaction)) + + # update the maximum item length + invocation_length = max([len(s) for s in invocations]) + action_length = invocation_length + self._current_indent + self._action_max_length = max(self._action_max_length, + action_length) + + # add the item to the list + self._add_item(self._format_action, [action]) + + def add_arguments(self, actions): + for action in actions: + self.add_argument(action) + + # ======================= + # Help-formatting methods + # ======================= + def format_help(self): + help = self._root_section.format_help() + if help: + help = self._long_break_matcher.sub('\n\n', help) + help = help.strip('\n') + '\n' + return help + + def _join_parts(self, part_strings): + return ''.join([part + for part in part_strings + if part and part is not SUPPRESS]) + + def _format_usage(self, usage, actions, groups, prefix): + if prefix is None: + prefix = _('usage: ') + + # if usage is specified, use that + if usage is not None: + usage = usage % dict(prog=self._prog) + + # if no optionals or positionals are available, usage is just prog + elif usage is None and not actions: + usage = '%(prog)s' % dict(prog=self._prog) + + # if optionals and positionals are available, calculate usage + elif usage is None: + prog = '%(prog)s' % dict(prog=self._prog) + + # split optionals from positionals + optionals = [] + positionals = [] + for action in actions: + if action.option_strings: + optionals.append(action) + else: + positionals.append(action) + + # build full usage string + format = self._format_actions_usage + action_usage = format(optionals + positionals, groups) + usage = ' '.join([s for s in [prog, action_usage] if s]) + + # wrap the usage parts if it's too long + text_width = self._width - self._current_indent + if len(prefix) + len(usage) > text_width: + + # break usage into wrappable parts + part_regexp = r'\(.*?\)+|\[.*?\]+|\S+' + opt_usage = format(optionals, groups) + pos_usage = format(positionals, groups) + opt_parts = _re.findall(part_regexp, opt_usage) + pos_parts = _re.findall(part_regexp, pos_usage) + assert ' '.join(opt_parts) == opt_usage + assert ' '.join(pos_parts) == pos_usage + + # helper for wrapping lines + def get_lines(parts, indent, prefix=None): + lines = [] + line = [] + if prefix is not None: + line_len = len(prefix) - 1 + else: + line_len = len(indent) - 1 + for part in parts: + if line_len + 1 + len(part) > text_width: + lines.append(indent + ' '.join(line)) + line = [] + line_len = len(indent) - 1 + line.append(part) + line_len += len(part) + 1 + if line: + lines.append(indent + ' '.join(line)) + if prefix is not None: + lines[0] = lines[0][len(indent):] + return lines + + # if prog is short, follow it with optionals or positionals + if len(prefix) + len(prog) <= 0.75 * text_width: + indent = ' ' * (len(prefix) + len(prog) + 1) + if opt_parts: + lines = get_lines([prog] + opt_parts, indent, prefix) + lines.extend(get_lines(pos_parts, indent)) + elif pos_parts: + lines = get_lines([prog] + pos_parts, indent, prefix) + else: + lines = [prog] + + # if prog is long, put it on its own line + else: + indent = ' ' * len(prefix) + parts = opt_parts + pos_parts + lines = get_lines(parts, indent) + if len(lines) > 1: + lines = [] + lines.extend(get_lines(opt_parts, indent)) + lines.extend(get_lines(pos_parts, indent)) + lines = [prog] + lines + + # join lines into usage + usage = '\n'.join(lines) + + # prefix with 'usage:' + return '%s%s\n\n' % (prefix, usage) + + def _format_actions_usage(self, actions, groups): + # find group indices and identify actions in groups + group_actions = set() + inserts = {} + for group in groups: + try: + start = actions.index(group._group_actions[0]) + except ValueError: + continue + else: + end = start + len(group._group_actions) + if actions[start:end] == group._group_actions: + for action in group._group_actions: + group_actions.add(action) + if not group.required: + if start in inserts: + inserts[start] += ' [' + else: + inserts[start] = '[' + inserts[end] = ']' + else: + if start in inserts: + inserts[start] += ' (' + else: + inserts[start] = '(' + inserts[end] = ')' + for i in range(start + 1, end): + inserts[i] = '|' + + # collect all actions format strings + parts = [] + for i, action in enumerate(actions): + + # suppressed arguments are marked with None + # remove | separators for suppressed arguments + if action.help is SUPPRESS: + parts.append(None) + if inserts.get(i) == '|': + inserts.pop(i) + elif inserts.get(i + 1) == '|': + inserts.pop(i + 1) + + # produce all arg strings + elif not action.option_strings: + part = self._format_args(action, action.dest) + + # if it's in a group, strip the outer [] + if action in group_actions: + if part[0] == '[' and part[-1] == ']': + part = part[1:-1] + + # add the action string to the list + parts.append(part) + + # produce the first way to invoke the option in brackets + else: + option_string = action.option_strings[0] + + # if the Optional doesn't take a value, format is: + # -s or --long + if action.nargs == 0: + part = '%s' % option_string + + # if the Optional takes a value, format is: + # -s ARGS or --long ARGS + else: + default = action.dest.upper() + args_string = self._format_args(action, default) + part = '%s %s' % (option_string, args_string) + + # make it look optional if it's not required or in a group + if not action.required and action not in group_actions: + part = '[%s]' % part + + # add the action string to the list + parts.append(part) + + # insert things at the necessary indices + for i in sorted(inserts, reverse=True): + parts[i:i] = [inserts[i]] + + # join all the action items with spaces + text = ' '.join([item for item in parts if item is not None]) + + # clean up separators for mutually exclusive groups + open = r'[\[(]' + close = r'[\])]' + text = _re.sub(r'(%s) ' % open, r'\1', text) + text = _re.sub(r' (%s)' % close, r'\1', text) + text = _re.sub(r'%s *%s' % (open, close), r'', text) + text = _re.sub(r'\(([^|]*)\)', r'\1', text) + text = text.strip() + + # return the text + return text + + def _format_text(self, text): + if '%(prog)' in text: + text = text % dict(prog=self._prog) + text_width = self._width - self._current_indent + indent = ' ' * self._current_indent + return self._fill_text(text, text_width, indent) + '\n\n' + + def _format_action(self, action): + # determine the required width and the entry label + help_position = min(self._action_max_length + 2, + self._max_help_position) + help_width = self._width - help_position + action_width = help_position - self._current_indent - 2 + action_header = self._format_action_invocation(action) + + # ho nelp; start on same line and add a final newline + if not action.help: + tup = self._current_indent, '', action_header + action_header = '%*s%s\n' % tup + + # short action name; start on the same line and pad two spaces + elif len(action_header) <= action_width: + tup = self._current_indent, '', action_width, action_header + action_header = '%*s%-*s ' % tup + indent_first = 0 + + # long action name; start on the next line + else: + tup = self._current_indent, '', action_header + action_header = '%*s%s\n' % tup + indent_first = help_position + + # collect the pieces of the action help + parts = [action_header] + + # if there was help for the action, add lines of help text + if action.help: + help_text = self._expand_help(action) + help_lines = self._split_lines(help_text, help_width) + parts.append('%*s%s\n' % (indent_first, '', help_lines[0])) + for line in help_lines[1:]: + parts.append('%*s%s\n' % (help_position, '', line)) + + # or add a newline if the description doesn't end with one + elif not action_header.endswith('\n'): + parts.append('\n') + + # if there are any sub-actions, add their help as well + for subaction in self._iter_indented_subactions(action): + parts.append(self._format_action(subaction)) + + # return a single string + return self._join_parts(parts) + + def _format_action_invocation(self, action): + if not action.option_strings: + metavar, = self._metavar_formatter(action, action.dest)(1) + return metavar + + else: + parts = [] + + # if the Optional doesn't take a value, format is: + # -s, --long + if action.nargs == 0: + parts.extend(action.option_strings) + + # if the Optional takes a value, format is: + # -s ARGS, --long ARGS + else: + default = action.dest.upper() + args_string = self._format_args(action, default) + for option_string in action.option_strings: + parts.append('%s %s' % (option_string, args_string)) + + return ', '.join(parts) + + def _metavar_formatter(self, action, default_metavar): + if action.metavar is not None: + result = action.metavar + elif action.choices is not None: + choice_strs = [str(choice) for choice in action.choices] + result = '{%s}' % ','.join(choice_strs) + else: + result = default_metavar + + def format(tuple_size): + if isinstance(result, tuple): + return result + else: + return (result, ) * tuple_size + return format + + def _format_args(self, action, default_metavar): + get_metavar = self._metavar_formatter(action, default_metavar) + if action.nargs is None: + result = '%s' % get_metavar(1) + elif action.nargs == OPTIONAL: + result = '[%s]' % get_metavar(1) + elif action.nargs == ZERO_OR_MORE: + result = '[%s [%s ...]]' % get_metavar(2) + elif action.nargs == ONE_OR_MORE: + result = '%s [%s ...]' % get_metavar(2) + elif action.nargs == REMAINDER: + result = '...' + elif action.nargs == PARSER: + result = '%s ...' % get_metavar(1) + else: + formats = ['%s' for _ in range(action.nargs)] + result = ' '.join(formats) % get_metavar(action.nargs) + return result + + def _expand_help(self, action): + params = dict(vars(action), prog=self._prog) + for name in list(params): + if params[name] is SUPPRESS: + del params[name] + for name in list(params): + if hasattr(params[name], '__name__'): + params[name] = params[name].__name__ + if params.get('choices') is not None: + choices_str = ', '.join([str(c) for c in params['choices']]) + params['choices'] = choices_str + return self._get_help_string(action) % params + + def _iter_indented_subactions(self, action): + try: + get_subactions = action._get_subactions + except AttributeError: + pass + else: + self._indent() + for subaction in get_subactions(): + yield subaction + self._dedent() + + def _split_lines(self, text, width): + text = self._whitespace_matcher.sub(' ', text).strip() + return _textwrap.wrap(text, width) + + def _fill_text(self, text, width, indent): + text = self._whitespace_matcher.sub(' ', text).strip() + return _textwrap.fill(text, width, initial_indent=indent, + subsequent_indent=indent) + + def _get_help_string(self, action): + return action.help + + +class RawDescriptionHelpFormatter(HelpFormatter): + """Help message formatter which retains any formatting in descriptions. + + Only the name of this class is considered a public API. All the methods + provided by the class are considered an implementation detail. + """ + + def _fill_text(self, text, width, indent): + return ''.join([indent + line for line in text.splitlines(True)]) + + +class RawTextHelpFormatter(RawDescriptionHelpFormatter): + """Help message formatter which retains formatting of all help text. + + Only the name of this class is considered a public API. All the methods + provided by the class are considered an implementation detail. + """ + + def _split_lines(self, text, width): + return text.splitlines() + + +class ArgumentDefaultsHelpFormatter(HelpFormatter): + """Help message formatter which adds default values to argument help. + + Only the name of this class is considered a public API. All the methods + provided by the class are considered an implementation detail. + """ + + def _get_help_string(self, action): + help = action.help + if '%(default)' not in action.help: + if action.default is not SUPPRESS: + defaulting_nargs = [OPTIONAL, ZERO_OR_MORE] + if action.option_strings or action.nargs in defaulting_nargs: + help += ' (default: %(default)s)' + return help + + +# ===================== +# Options and Arguments +# ===================== + +def _get_action_name(argument): + if argument is None: + return None + elif argument.option_strings: + return '/'.join(argument.option_strings) + elif argument.metavar not in (None, SUPPRESS): + return argument.metavar + elif argument.dest not in (None, SUPPRESS): + return argument.dest + else: + return None + + +class ArgumentError(Exception): + """An error from creating or using an argument (optional or positional). + + The string value of this exception is the message, augmented with + information about the argument that caused it. + """ + + def __init__(self, argument, message): + self.argument_name = _get_action_name(argument) + self.message = message + + def __str__(self): + if self.argument_name is None: + format = '%(message)s' + else: + format = 'argument %(argument_name)s: %(message)s' + return format % dict(message=self.message, + argument_name=self.argument_name) + + +class ArgumentTypeError(Exception): + """An error from trying to convert a command line string to a type.""" + pass + + +# ============== +# Action classes +# ============== + +class Action(_AttributeHolder): + """Information about how to convert command line strings to Python objects. + + Action objects are used by an ArgumentParser to represent the information + needed to parse a single argument from one or more strings from the + command line. The keyword arguments to the Action constructor are also + all attributes of Action instances. + + Keyword Arguments: + + - option_strings -- A list of command-line option strings which + should be associated with this action. + + - dest -- The name of the attribute to hold the created object(s) + + - nargs -- The number of command-line arguments that should be + consumed. By default, one argument will be consumed and a single + value will be produced. Other values include: + - N (an integer) consumes N arguments (and produces a list) + - '?' consumes zero or one arguments + - '*' consumes zero or more arguments (and produces a list) + - '+' consumes one or more arguments (and produces a list) + Note that the difference between the default and nargs=1 is that + with the default, a single value will be produced, while with + nargs=1, a list containing a single value will be produced. + + - const -- The value to be produced if the option is specified and the + option uses an action that takes no values. + + - default -- The value to be produced if the option is not specified. + + - type -- The type which the command-line arguments should be converted + to, should be one of 'string', 'int', 'float', 'complex' or a + callable object that accepts a single string argument. If None, + 'string' is assumed. + + - choices -- A container of values that should be allowed. If not None, + after a command-line argument has been converted to the appropriate + type, an exception will be raised if it is not a member of this + collection. + + - required -- True if the action must always be specified at the + command line. This is only meaningful for optional command-line + arguments. + + - help -- The help string describing the argument. + + - metavar -- The name to be used for the option's argument with the + help string. If None, the 'dest' value will be used as the name. + """ + + def __init__(self, + option_strings, + dest, + nargs=None, + const=None, + default=None, + type=None, + choices=None, + required=False, + help=None, + metavar=None): + self.option_strings = option_strings + self.dest = dest + self.nargs = nargs + self.const = const + self.default = default + self.type = type + self.choices = choices + self.required = required + self.help = help + self.metavar = metavar + + def _get_kwargs(self): + names = [ + 'option_strings', + 'dest', + 'nargs', + 'const', + 'default', + 'type', + 'choices', + 'help', + 'metavar', + ] + return [(name, getattr(self, name)) for name in names] + + def __call__(self, parser, namespace, values, option_string=None): + raise NotImplementedError(_('.__call__() not defined')) + + +class _StoreAction(Action): + + def __init__(self, + option_strings, + dest, + nargs=None, + const=None, + default=None, + type=None, + choices=None, + required=False, + help=None, + metavar=None): + if nargs == 0: + raise ValueError('nargs for store actions must be > 0; if you ' + 'have nothing to store, actions such as store ' + 'true or store const may be more appropriate') + if const is not None and nargs != OPTIONAL: + raise ValueError('nargs must be %r to supply const' % OPTIONAL) + super(_StoreAction, self).__init__( + option_strings=option_strings, + dest=dest, + nargs=nargs, + const=const, + default=default, + type=type, + choices=choices, + required=required, + help=help, + metavar=metavar) + + def __call__(self, parser, namespace, values, option_string=None): + setattr(namespace, self.dest, values) + + +class _StoreConstAction(Action): + + def __init__(self, + option_strings, + dest, + const, + default=None, + required=False, + help=None, + metavar=None): + super(_StoreConstAction, self).__init__( + option_strings=option_strings, + dest=dest, + nargs=0, + const=const, + default=default, + required=required, + help=help) + + def __call__(self, parser, namespace, values, option_string=None): + setattr(namespace, self.dest, self.const) + + +class _StoreTrueAction(_StoreConstAction): + + def __init__(self, + option_strings, + dest, + default=False, + required=False, + help=None): + super(_StoreTrueAction, self).__init__( + option_strings=option_strings, + dest=dest, + const=True, + default=default, + required=required, + help=help) + + +class _StoreFalseAction(_StoreConstAction): + + def __init__(self, + option_strings, + dest, + default=True, + required=False, + help=None): + super(_StoreFalseAction, self).__init__( + option_strings=option_strings, + dest=dest, + const=False, + default=default, + required=required, + help=help) + + +class _AppendAction(Action): + + def __init__(self, + option_strings, + dest, + nargs=None, + const=None, + default=None, + type=None, + choices=None, + required=False, + help=None, + metavar=None): + if nargs == 0: + raise ValueError('nargs for append actions must be > 0; if arg ' + 'strings are not supplying the value to append, ' + 'the append const action may be more appropriate') + if const is not None and nargs != OPTIONAL: + raise ValueError('nargs must be %r to supply const' % OPTIONAL) + super(_AppendAction, self).__init__( + option_strings=option_strings, + dest=dest, + nargs=nargs, + const=const, + default=default, + type=type, + choices=choices, + required=required, + help=help, + metavar=metavar) + + def __call__(self, parser, namespace, values, option_string=None): + items = _copy.copy(_ensure_value(namespace, self.dest, [])) + items.append(values) + setattr(namespace, self.dest, items) + + +class _AppendConstAction(Action): + + def __init__(self, + option_strings, + dest, + const, + default=None, + required=False, + help=None, + metavar=None): + super(_AppendConstAction, self).__init__( + option_strings=option_strings, + dest=dest, + nargs=0, + const=const, + default=default, + required=required, + help=help, + metavar=metavar) + + def __call__(self, parser, namespace, values, option_string=None): + items = _copy.copy(_ensure_value(namespace, self.dest, [])) + items.append(self.const) + setattr(namespace, self.dest, items) + + +class _CountAction(Action): + + def __init__(self, + option_strings, + dest, + default=None, + required=False, + help=None): + super(_CountAction, self).__init__( + option_strings=option_strings, + dest=dest, + nargs=0, + default=default, + required=required, + help=help) + + def __call__(self, parser, namespace, values, option_string=None): + new_count = _ensure_value(namespace, self.dest, 0) + 1 + setattr(namespace, self.dest, new_count) + + +class _HelpAction(Action): + + def __init__(self, + option_strings, + dest=SUPPRESS, + default=SUPPRESS, + help=None): + super(_HelpAction, self).__init__( + option_strings=option_strings, + dest=dest, + default=default, + nargs=0, + help=help) + + def __call__(self, parser, namespace, values, option_string=None): + parser.print_help() + parser.exit() + + +class _VersionAction(Action): + + def __init__(self, + option_strings, + version=None, + dest=SUPPRESS, + default=SUPPRESS, + help="show program's version number and exit"): + super(_VersionAction, self).__init__( + option_strings=option_strings, + dest=dest, + default=default, + nargs=0, + help=help) + self.version = version + + def __call__(self, parser, namespace, values, option_string=None): + version = self.version + if version is None: + version = parser.version + formatter = parser._get_formatter() + formatter.add_text(version) + parser.exit(message=formatter.format_help()) + + +class _SubParsersAction(Action): + + class _ChoicesPseudoAction(Action): + + def __init__(self, name, aliases, help): + metavar = dest = name + if aliases: + metavar += ' (%s)' % ', '.join(aliases) + sup = super(_SubParsersAction._ChoicesPseudoAction, self) + sup.__init__(option_strings=[], dest=dest, help=help, + metavar=metavar) + + def __init__(self, + option_strings, + prog, + parser_class, + dest=SUPPRESS, + help=None, + metavar=None): + + self._prog_prefix = prog + self._parser_class = parser_class + self._name_parser_map = {} + self._choices_actions = [] + + super(_SubParsersAction, self).__init__( + option_strings=option_strings, + dest=dest, + nargs=PARSER, + choices=self._name_parser_map, + help=help, + metavar=metavar) + + def add_parser(self, name, **kwargs): + # set prog from the existing prefix + if kwargs.get('prog') is None: + kwargs['prog'] = '%s %s' % (self._prog_prefix, name) + + aliases = kwargs.pop('aliases', ()) + + # create a pseudo-action to hold the choice help + if 'help' in kwargs: + help = kwargs.pop('help') + choice_action = self._ChoicesPseudoAction(name, aliases, help) + self._choices_actions.append(choice_action) + + # create the parser and add it to the map + parser = self._parser_class(**kwargs) + self._name_parser_map[name] = parser + + # make parser available under aliases also + for alias in aliases: + self._name_parser_map[alias] = parser + + return parser + + def _get_subactions(self): + return self._choices_actions + + def __call__(self, parser, namespace, values, option_string=None): + parser_name = values[0] + arg_strings = values[1:] + + # set the parser name if requested + if self.dest is not SUPPRESS: + setattr(namespace, self.dest, parser_name) + + # select the parser + try: + parser = self._name_parser_map[parser_name] + except KeyError: + tup = parser_name, ', '.join(self._name_parser_map) + msg = _('unknown parser %r (choices: %s)' % tup) + raise ArgumentError(self, msg) + + # parse all the remaining options into the namespace + # store any unrecognized options on the object, so that the top + # level parser can decide what to do with them + namespace, arg_strings = parser.parse_known_args(arg_strings, namespace) + if arg_strings: + vars(namespace).setdefault(_UNRECOGNIZED_ARGS_ATTR, []) + getattr(namespace, _UNRECOGNIZED_ARGS_ATTR).extend(arg_strings) + + +# ============== +# Type classes +# ============== + +class FileType(object): + """Factory for creating file object types + + Instances of FileType are typically passed as type= arguments to the + ArgumentParser add_argument() method. + + Keyword Arguments: + - mode -- A string indicating how the file is to be opened. Accepts the + same values as the builtin open() function. + - bufsize -- The file's desired buffer size. Accepts the same values as + the builtin open() function. + """ + + def __init__(self, mode='r', bufsize=None): + self._mode = mode + self._bufsize = bufsize + + def __call__(self, string): + # the special argument "-" means sys.std{in,out} + if string == '-': + if 'r' in self._mode: + return _sys.stdin + elif 'w' in self._mode: + return _sys.stdout + else: + msg = _('argument "-" with mode %r' % self._mode) + raise ValueError(msg) + + # all other arguments are used as file names + if self._bufsize: + return open(string, self._mode, self._bufsize) + else: + return open(string, self._mode) + + def __repr__(self): + args = [self._mode, self._bufsize] + args_str = ', '.join([repr(arg) for arg in args if arg is not None]) + return '%s(%s)' % (type(self).__name__, args_str) + +# =========================== +# Optional and Positional Parsing +# =========================== + +class Namespace(_AttributeHolder): + """Simple object for storing attributes. + + Implements equality by attribute names and values, and provides a simple + string representation. + """ + + def __init__(self, **kwargs): + for name in kwargs: + setattr(self, name, kwargs[name]) + + __hash__ = None + + def __eq__(self, other): + return vars(self) == vars(other) + + def __ne__(self, other): + return not (self == other) + + def __contains__(self, key): + return key in self.__dict__ + + +class _ActionsContainer(object): + + def __init__(self, + description, + prefix_chars, + argument_default, + conflict_handler): + super(_ActionsContainer, self).__init__() + + self.description = description + self.argument_default = argument_default + self.prefix_chars = prefix_chars + self.conflict_handler = conflict_handler + + # set up registries + self._registries = {} + + # register actions + self.register('action', None, _StoreAction) + self.register('action', 'store', _StoreAction) + self.register('action', 'store_const', _StoreConstAction) + self.register('action', 'store_true', _StoreTrueAction) + self.register('action', 'store_false', _StoreFalseAction) + self.register('action', 'append', _AppendAction) + self.register('action', 'append_const', _AppendConstAction) + self.register('action', 'count', _CountAction) + self.register('action', 'help', _HelpAction) + self.register('action', 'version', _VersionAction) + self.register('action', 'parsers', _SubParsersAction) + + # raise an exception if the conflict handler is invalid + self._get_handler() + + # action storage + self._actions = [] + self._option_string_actions = {} + + # groups + self._action_groups = [] + self._mutually_exclusive_groups = [] + + # defaults storage + self._defaults = {} + + # determines whether an "option" looks like a negative number + self._negative_number_matcher = _re.compile(r'^-\d+$|^-\d*\.\d+$') + + # whether or not there are any optionals that look like negative + # numbers -- uses a list so it can be shared and edited + self._has_negative_number_optionals = [] + + # ==================== + # Registration methods + # ==================== + def register(self, registry_name, value, object): + registry = self._registries.setdefault(registry_name, {}) + registry[value] = object + + def _registry_get(self, registry_name, value, default=None): + return self._registries[registry_name].get(value, default) + + # ================================== + # Namespace default accessor methods + # ================================== + def set_defaults(self, **kwargs): + self._defaults.update(kwargs) + + # if these defaults match any existing arguments, replace + # the previous default on the object with the new one + for action in self._actions: + if action.dest in kwargs: + action.default = kwargs[action.dest] + + def get_default(self, dest): + for action in self._actions: + if action.dest == dest and action.default is not None: + return action.default + return self._defaults.get(dest, None) + + + # ======================= + # Adding argument actions + # ======================= + def add_argument(self, *args, **kwargs): + """ + add_argument(dest, ..., name=value, ...) + add_argument(option_string, option_string, ..., name=value, ...) + """ + + # if no positional args are supplied or only one is supplied and + # it doesn't look like an option string, parse a positional + # argument + chars = self.prefix_chars + if not args or len(args) == 1 and args[0][0] not in chars: + if args and 'dest' in kwargs: + raise ValueError('dest supplied twice for positional argument') + kwargs = self._get_positional_kwargs(*args, **kwargs) + + # otherwise, we're adding an optional argument + else: + kwargs = self._get_optional_kwargs(*args, **kwargs) + + # if no default was supplied, use the parser-level default + if 'default' not in kwargs: + dest = kwargs['dest'] + if dest in self._defaults: + kwargs['default'] = self._defaults[dest] + elif self.argument_default is not None: + kwargs['default'] = self.argument_default + + # create the action object, and add it to the parser + action_class = self._pop_action_class(kwargs) + if not _callable(action_class): + raise ValueError('unknown action "%s"' % action_class) + action = action_class(**kwargs) + + # raise an error if the action type is not callable + type_func = self._registry_get('type', action.type, action.type) + if not _callable(type_func): + raise ValueError('%r is not callable' % type_func) + + return self._add_action(action) + + def add_argument_group(self, *args, **kwargs): + group = _ArgumentGroup(self, *args, **kwargs) + self._action_groups.append(group) + return group + + def add_mutually_exclusive_group(self, **kwargs): + group = _MutuallyExclusiveGroup(self, **kwargs) + self._mutually_exclusive_groups.append(group) + return group + + def _add_action(self, action): + # resolve any conflicts + self._check_conflict(action) + + # add to actions list + self._actions.append(action) + action.container = self + + # index the action by any option strings it has + for option_string in action.option_strings: + self._option_string_actions[option_string] = action + + # set the flag if any option strings look like negative numbers + for option_string in action.option_strings: + if self._negative_number_matcher.match(option_string): + if not self._has_negative_number_optionals: + self._has_negative_number_optionals.append(True) + + # return the created action + return action + + def _remove_action(self, action): + self._actions.remove(action) + + def _add_container_actions(self, container): + # collect groups by titles + title_group_map = {} + for group in self._action_groups: + if group.title in title_group_map: + msg = _('cannot merge actions - two groups are named %r') + raise ValueError(msg % (group.title)) + title_group_map[group.title] = group + + # map each action to its group + group_map = {} + for group in container._action_groups: + + # if a group with the title exists, use that, otherwise + # create a new group matching the container's group + if group.title not in title_group_map: + title_group_map[group.title] = self.add_argument_group( + title=group.title, + description=group.description, + conflict_handler=group.conflict_handler) + + # map the actions to their new group + for action in group._group_actions: + group_map[action] = title_group_map[group.title] + + # add container's mutually exclusive groups + # NOTE: if add_mutually_exclusive_group ever gains title= and + # description= then this code will need to be expanded as above + for group in container._mutually_exclusive_groups: + mutex_group = self.add_mutually_exclusive_group( + required=group.required) + + # map the actions to their new mutex group + for action in group._group_actions: + group_map[action] = mutex_group + + # add all actions to this container or their group + for action in container._actions: + group_map.get(action, self)._add_action(action) + + def _get_positional_kwargs(self, dest, **kwargs): + # make sure required is not specified + if 'required' in kwargs: + msg = _("'required' is an invalid argument for positionals") + raise TypeError(msg) + + # mark positional arguments as required if at least one is + # always required + if kwargs.get('nargs') not in [OPTIONAL, ZERO_OR_MORE]: + kwargs['required'] = True + if kwargs.get('nargs') == ZERO_OR_MORE and 'default' not in kwargs: + kwargs['required'] = True + + # return the keyword arguments with no option strings + return dict(kwargs, dest=dest, option_strings=[]) + + def _get_optional_kwargs(self, *args, **kwargs): + # determine short and long option strings + option_strings = [] + long_option_strings = [] + for option_string in args: + # error on strings that don't start with an appropriate prefix + if not option_string[0] in self.prefix_chars: + msg = _('invalid option string %r: ' + 'must start with a character %r') + tup = option_string, self.prefix_chars + raise ValueError(msg % tup) + + # strings starting with two prefix characters are long options + option_strings.append(option_string) + if option_string[0] in self.prefix_chars: + if len(option_string) > 1: + if option_string[1] in self.prefix_chars: + long_option_strings.append(option_string) + + # infer destination, '--foo-bar' -> 'foo_bar' and '-x' -> 'x' + dest = kwargs.pop('dest', None) + if dest is None: + if long_option_strings: + dest_option_string = long_option_strings[0] + else: + dest_option_string = option_strings[0] + dest = dest_option_string.lstrip(self.prefix_chars) + if not dest: + msg = _('dest= is required for options like %r') + raise ValueError(msg % option_string) + dest = dest.replace('-', '_') + + # return the updated keyword arguments + return dict(kwargs, dest=dest, option_strings=option_strings) + + def _pop_action_class(self, kwargs, default=None): + action = kwargs.pop('action', default) + return self._registry_get('action', action, action) + + def _get_handler(self): + # determine function from conflict handler string + handler_func_name = '_handle_conflict_%s' % self.conflict_handler + try: + return getattr(self, handler_func_name) + except AttributeError: + msg = _('invalid conflict_resolution value: %r') + raise ValueError(msg % self.conflict_handler) + + def _check_conflict(self, action): + + # find all options that conflict with this option + confl_optionals = [] + for option_string in action.option_strings: + if option_string in self._option_string_actions: + confl_optional = self._option_string_actions[option_string] + confl_optionals.append((option_string, confl_optional)) + + # resolve any conflicts + if confl_optionals: + conflict_handler = self._get_handler() + conflict_handler(action, confl_optionals) + + def _handle_conflict_error(self, action, conflicting_actions): + message = _('conflicting option string(s): %s') + conflict_string = ', '.join([option_string + for option_string, action + in conflicting_actions]) + raise ArgumentError(action, message % conflict_string) + + def _handle_conflict_resolve(self, action, conflicting_actions): + + # remove all conflicting options + for option_string, action in conflicting_actions: + + # remove the conflicting option + action.option_strings.remove(option_string) + self._option_string_actions.pop(option_string, None) + + # if the option now has no option string, remove it from the + # container holding it + if not action.option_strings: + action.container._remove_action(action) + + +class _ArgumentGroup(_ActionsContainer): + + def __init__(self, container, title=None, description=None, **kwargs): + # add any missing keyword arguments by checking the container + update = kwargs.setdefault + update('conflict_handler', container.conflict_handler) + update('prefix_chars', container.prefix_chars) + update('argument_default', container.argument_default) + super_init = super(_ArgumentGroup, self).__init__ + super_init(description=description, **kwargs) + + # group attributes + self.title = title + self._group_actions = [] + + # share most attributes with the container + self._registries = container._registries + self._actions = container._actions + self._option_string_actions = container._option_string_actions + self._defaults = container._defaults + self._has_negative_number_optionals = \ + container._has_negative_number_optionals + + def _add_action(self, action): + action = super(_ArgumentGroup, self)._add_action(action) + self._group_actions.append(action) + return action + + def _remove_action(self, action): + super(_ArgumentGroup, self)._remove_action(action) + self._group_actions.remove(action) + + +class _MutuallyExclusiveGroup(_ArgumentGroup): + + def __init__(self, container, required=False): + super(_MutuallyExclusiveGroup, self).__init__(container) + self.required = required + self._container = container + + def _add_action(self, action): + if action.required: + msg = _('mutually exclusive arguments must be optional') + raise ValueError(msg) + action = self._container._add_action(action) + self._group_actions.append(action) + return action + + def _remove_action(self, action): + self._container._remove_action(action) + self._group_actions.remove(action) + + +class ArgumentParser(_AttributeHolder, _ActionsContainer): + """Object for parsing command line strings into Python objects. + + Keyword Arguments: + - prog -- The name of the program (default: sys.argv[0]) + - usage -- A usage message (default: auto-generated from arguments) + - description -- A description of what the program does + - epilog -- Text following the argument descriptions + - parents -- Parsers whose arguments should be copied into this one + - formatter_class -- HelpFormatter class for printing help messages + - prefix_chars -- Characters that prefix optional arguments + - fromfile_prefix_chars -- Characters that prefix files containing + additional arguments + - argument_default -- The default value for all arguments + - conflict_handler -- String indicating how to handle conflicts + - add_help -- Add a -h/-help option + """ + + def __init__(self, + prog=None, + usage=None, + description=None, + epilog=None, + version=None, + parents=[], + formatter_class=HelpFormatter, + prefix_chars='-', + fromfile_prefix_chars=None, + argument_default=None, + conflict_handler='error', + add_help=True): + + if version is not None: + import warnings + warnings.warn( + """The "version" argument to ArgumentParser is deprecated. """ + """Please use """ + """"add_argument(..., action='version', version="N", ...)" """ + """instead""", DeprecationWarning) + + superinit = super(ArgumentParser, self).__init__ + superinit(description=description, + prefix_chars=prefix_chars, + argument_default=argument_default, + conflict_handler=conflict_handler) + + # default setting for prog + if prog is None: + prog = _os.path.basename(_sys.argv[0]) + + self.prog = prog + self.usage = usage + self.epilog = epilog + self.version = version + self.formatter_class = formatter_class + self.fromfile_prefix_chars = fromfile_prefix_chars + self.add_help = add_help + + add_group = self.add_argument_group + self._positionals = add_group(_('positional arguments')) + self._optionals = add_group(_('optional arguments')) + self._subparsers = None + + # register types + def identity(string): + return string + self.register('type', None, identity) + + # add help and version arguments if necessary + # (using explicit default to override global argument_default) + if '-' in prefix_chars: + default_prefix = '-' + else: + default_prefix = prefix_chars[0] + if self.add_help: + self.add_argument( + default_prefix+'h', default_prefix*2+'help', + action='help', default=SUPPRESS, + help=_('show this help message and exit')) + if self.version: + self.add_argument( + default_prefix+'v', default_prefix*2+'version', + action='version', default=SUPPRESS, + version=self.version, + help=_("show program's version number and exit")) + + # add parent arguments and defaults + for parent in parents: + self._add_container_actions(parent) + try: + defaults = parent._defaults + except AttributeError: + pass + else: + self._defaults.update(defaults) + + # ======================= + # Pretty __repr__ methods + # ======================= + def _get_kwargs(self): + names = [ + 'prog', + 'usage', + 'description', + 'version', + 'formatter_class', + 'conflict_handler', + 'add_help', + ] + return [(name, getattr(self, name)) for name in names] + + # ================================== + # Optional/Positional adding methods + # ================================== + def add_subparsers(self, **kwargs): + if self._subparsers is not None: + self.error(_('cannot have multiple subparser arguments')) + + # add the parser class to the arguments if it's not present + kwargs.setdefault('parser_class', type(self)) + + if 'title' in kwargs or 'description' in kwargs: + title = _(kwargs.pop('title', 'subcommands')) + description = _(kwargs.pop('description', None)) + self._subparsers = self.add_argument_group(title, description) + else: + self._subparsers = self._positionals + + # prog defaults to the usage message of this parser, skipping + # optional arguments and with no "usage:" prefix + if kwargs.get('prog') is None: + formatter = self._get_formatter() + positionals = self._get_positional_actions() + groups = self._mutually_exclusive_groups + formatter.add_usage(self.usage, positionals, groups, '') + kwargs['prog'] = formatter.format_help().strip() + + # create the parsers action and add it to the positionals list + parsers_class = self._pop_action_class(kwargs, 'parsers') + action = parsers_class(option_strings=[], **kwargs) + self._subparsers._add_action(action) + + # return the created parsers action + return action + + def _add_action(self, action): + if action.option_strings: + self._optionals._add_action(action) + else: + self._positionals._add_action(action) + return action + + def _get_optional_actions(self): + return [action + for action in self._actions + if action.option_strings] + + def _get_positional_actions(self): + return [action + for action in self._actions + if not action.option_strings] + + # ===================================== + # Command line argument parsing methods + # ===================================== + def parse_args(self, args=None, namespace=None): + args, argv = self.parse_known_args(args, namespace) + if argv: + msg = _('unrecognized arguments: %s') + self.error(msg % ' '.join(argv)) + return args + + def parse_known_args(self, args=None, namespace=None): + # args default to the system args + if args is None: + args = _sys.argv[1:] + + # default Namespace built from parser defaults + if namespace is None: + namespace = Namespace() + + # add any action defaults that aren't present + for action in self._actions: + if action.dest is not SUPPRESS: + if not hasattr(namespace, action.dest): + if action.default is not SUPPRESS: + default = action.default + if isinstance(action.default, basestring): + default = self._get_value(action, default) + setattr(namespace, action.dest, default) + + # add any parser defaults that aren't present + for dest in self._defaults: + if not hasattr(namespace, dest): + setattr(namespace, dest, self._defaults[dest]) + + # parse the arguments and exit if there are any errors + try: + namespace, args = self._parse_known_args(args, namespace) + if hasattr(namespace, _UNRECOGNIZED_ARGS_ATTR): + args.extend(getattr(namespace, _UNRECOGNIZED_ARGS_ATTR)) + delattr(namespace, _UNRECOGNIZED_ARGS_ATTR) + return namespace, args + except ArgumentError: + err = _sys.exc_info()[1] + self.error(str(err)) + + def _parse_known_args(self, arg_strings, namespace): + # replace arg strings that are file references + if self.fromfile_prefix_chars is not None: + arg_strings = self._read_args_from_files(arg_strings) + + # map all mutually exclusive arguments to the other arguments + # they can't occur with + action_conflicts = {} + for mutex_group in self._mutually_exclusive_groups: + group_actions = mutex_group._group_actions + for i, mutex_action in enumerate(mutex_group._group_actions): + conflicts = action_conflicts.setdefault(mutex_action, []) + conflicts.extend(group_actions[:i]) + conflicts.extend(group_actions[i + 1:]) + + # find all option indices, and determine the arg_string_pattern + # which has an 'O' if there is an option at an index, + # an 'A' if there is an argument, or a '-' if there is a '--' + option_string_indices = {} + arg_string_pattern_parts = [] + arg_strings_iter = iter(arg_strings) + for i, arg_string in enumerate(arg_strings_iter): + + # all args after -- are non-options + if arg_string == '--': + arg_string_pattern_parts.append('-') + for arg_string in arg_strings_iter: + arg_string_pattern_parts.append('A') + + # otherwise, add the arg to the arg strings + # and note the index if it was an option + else: + option_tuple = self._parse_optional(arg_string) + if option_tuple is None: + pattern = 'A' + else: + option_string_indices[i] = option_tuple + pattern = 'O' + arg_string_pattern_parts.append(pattern) + + # join the pieces together to form the pattern + arg_strings_pattern = ''.join(arg_string_pattern_parts) + + # converts arg strings to the appropriate and then takes the action + seen_actions = set() + seen_non_default_actions = set() + + def take_action(action, argument_strings, option_string=None): + seen_actions.add(action) + argument_values = self._get_values(action, argument_strings) + + # error if this argument is not allowed with other previously + # seen arguments, assuming that actions that use the default + # value don't really count as "present" + if argument_values is not action.default: + seen_non_default_actions.add(action) + for conflict_action in action_conflicts.get(action, []): + if conflict_action in seen_non_default_actions: + msg = _('not allowed with argument %s') + action_name = _get_action_name(conflict_action) + raise ArgumentError(action, msg % action_name) + + # take the action if we didn't receive a SUPPRESS value + # (e.g. from a default) + if argument_values is not SUPPRESS: + action(self, namespace, argument_values, option_string) + + # function to convert arg_strings into an optional action + def consume_optional(start_index): + + # get the optional identified at this index + option_tuple = option_string_indices[start_index] + action, option_string, explicit_arg = option_tuple + + # identify additional optionals in the same arg string + # (e.g. -xyz is the same as -x -y -z if no args are required) + match_argument = self._match_argument + action_tuples = [] + while True: + + # if we found no optional action, skip it + if action is None: + extras.append(arg_strings[start_index]) + return start_index + 1 + + # if there is an explicit argument, try to match the + # optional's string arguments to only this + if explicit_arg is not None: + arg_count = match_argument(action, 'A') + + # if the action is a single-dash option and takes no + # arguments, try to parse more single-dash options out + # of the tail of the option string + chars = self.prefix_chars + if arg_count == 0 and option_string[1] not in chars: + action_tuples.append((action, [], option_string)) + char = option_string[0] + option_string = char + explicit_arg[0] + new_explicit_arg = explicit_arg[1:] or None + optionals_map = self._option_string_actions + if option_string in optionals_map: + action = optionals_map[option_string] + explicit_arg = new_explicit_arg + else: + msg = _('ignored explicit argument %r') + raise ArgumentError(action, msg % explicit_arg) + + # if the action expect exactly one argument, we've + # successfully matched the option; exit the loop + elif arg_count == 1: + stop = start_index + 1 + args = [explicit_arg] + action_tuples.append((action, args, option_string)) + break + + # error if a double-dash option did not use the + # explicit argument + else: + msg = _('ignored explicit argument %r') + raise ArgumentError(action, msg % explicit_arg) + + # if there is no explicit argument, try to match the + # optional's string arguments with the following strings + # if successful, exit the loop + else: + start = start_index + 1 + selected_patterns = arg_strings_pattern[start:] + arg_count = match_argument(action, selected_patterns) + stop = start + arg_count + args = arg_strings[start:stop] + action_tuples.append((action, args, option_string)) + break + + # add the Optional to the list and return the index at which + # the Optional's string args stopped + assert action_tuples + for action, args, option_string in action_tuples: + take_action(action, args, option_string) + return stop + + # the list of Positionals left to be parsed; this is modified + # by consume_positionals() + positionals = self._get_positional_actions() + + # function to convert arg_strings into positional actions + def consume_positionals(start_index): + # match as many Positionals as possible + match_partial = self._match_arguments_partial + selected_pattern = arg_strings_pattern[start_index:] + arg_counts = match_partial(positionals, selected_pattern) + + # slice off the appropriate arg strings for each Positional + # and add the Positional and its args to the list + for action, arg_count in zip(positionals, arg_counts): + args = arg_strings[start_index: start_index + arg_count] + start_index += arg_count + take_action(action, args) + + # slice off the Positionals that we just parsed and return the + # index at which the Positionals' string args stopped + positionals[:] = positionals[len(arg_counts):] + return start_index + + # consume Positionals and Optionals alternately, until we have + # passed the last option string + extras = [] + start_index = 0 + if option_string_indices: + max_option_string_index = max(option_string_indices) + else: + max_option_string_index = -1 + while start_index <= max_option_string_index: + + # consume any Positionals preceding the next option + next_option_string_index = min([ + index + for index in option_string_indices + if index >= start_index]) + if start_index != next_option_string_index: + positionals_end_index = consume_positionals(start_index) + + # only try to parse the next optional if we didn't consume + # the option string during the positionals parsing + if positionals_end_index > start_index: + start_index = positionals_end_index + continue + else: + start_index = positionals_end_index + + # if we consumed all the positionals we could and we're not + # at the index of an option string, there were extra arguments + if start_index not in option_string_indices: + strings = arg_strings[start_index:next_option_string_index] + extras.extend(strings) + start_index = next_option_string_index + + # consume the next optional and any arguments for it + start_index = consume_optional(start_index) + + # consume any positionals following the last Optional + stop_index = consume_positionals(start_index) + + # if we didn't consume all the argument strings, there were extras + extras.extend(arg_strings[stop_index:]) + + # if we didn't use all the Positional objects, there were too few + # arg strings supplied. + if positionals: + self.error(_('too few arguments')) + + # make sure all required actions were present + for action in self._actions: + if action.required: + if action not in seen_actions: + name = _get_action_name(action) + self.error(_('argument %s is required') % name) + + # make sure all required groups had one option present + for group in self._mutually_exclusive_groups: + if group.required: + for action in group._group_actions: + if action in seen_non_default_actions: + break + + # if no actions were used, report the error + else: + names = [_get_action_name(action) + for action in group._group_actions + if action.help is not SUPPRESS] + msg = _('one of the arguments %s is required') + self.error(msg % ' '.join(names)) + + # return the updated namespace and the extra arguments + return namespace, extras + + def _read_args_from_files(self, arg_strings): + # expand arguments referencing files + new_arg_strings = [] + for arg_string in arg_strings: + + # for regular arguments, just add them back into the list + if arg_string[0] not in self.fromfile_prefix_chars: + new_arg_strings.append(arg_string) + + # replace arguments referencing files with the file content + else: + try: + args_file = open(arg_string[1:]) + try: + arg_strings = [] + for arg_line in args_file.read().splitlines(): + for arg in self.convert_arg_line_to_args(arg_line): + arg_strings.append(arg) + arg_strings = self._read_args_from_files(arg_strings) + new_arg_strings.extend(arg_strings) + finally: + args_file.close() + except IOError: + err = _sys.exc_info()[1] + self.error(str(err)) + + # return the modified argument list + return new_arg_strings + + def convert_arg_line_to_args(self, arg_line): + return [arg_line] + + def _match_argument(self, action, arg_strings_pattern): + # match the pattern for this action to the arg strings + nargs_pattern = self._get_nargs_pattern(action) + match = _re.match(nargs_pattern, arg_strings_pattern) + + # raise an exception if we weren't able to find a match + if match is None: + nargs_errors = { + None: _('expected one argument'), + OPTIONAL: _('expected at most one argument'), + ONE_OR_MORE: _('expected at least one argument'), + } + default = _('expected %s argument(s)') % action.nargs + msg = nargs_errors.get(action.nargs, default) + raise ArgumentError(action, msg) + + # return the number of arguments matched + return len(match.group(1)) + + def _match_arguments_partial(self, actions, arg_strings_pattern): + # progressively shorten the actions list by slicing off the + # final actions until we find a match + result = [] + for i in range(len(actions), 0, -1): + actions_slice = actions[:i] + pattern = ''.join([self._get_nargs_pattern(action) + for action in actions_slice]) + match = _re.match(pattern, arg_strings_pattern) + if match is not None: + result.extend([len(string) for string in match.groups()]) + break + + # return the list of arg string counts + return result + + def _parse_optional(self, arg_string): + # if it's an empty string, it was meant to be a positional + if not arg_string: + return None + + # if it doesn't start with a prefix, it was meant to be positional + if not arg_string[0] in self.prefix_chars: + return None + + # if the option string is present in the parser, return the action + if arg_string in self._option_string_actions: + action = self._option_string_actions[arg_string] + return action, arg_string, None + + # if it's just a single character, it was meant to be positional + if len(arg_string) == 1: + return None + + # if the option string before the "=" is present, return the action + if '=' in arg_string: + option_string, explicit_arg = arg_string.split('=', 1) + if option_string in self._option_string_actions: + action = self._option_string_actions[option_string] + return action, option_string, explicit_arg + + # search through all possible prefixes of the option string + # and all actions in the parser for possible interpretations + option_tuples = self._get_option_tuples(arg_string) + + # if multiple actions match, the option string was ambiguous + if len(option_tuples) > 1: + options = ', '.join([option_string + for action, option_string, explicit_arg in option_tuples]) + tup = arg_string, options + self.error(_('ambiguous option: %s could match %s') % tup) + + # if exactly one action matched, this segmentation is good, + # so return the parsed action + elif len(option_tuples) == 1: + option_tuple, = option_tuples + return option_tuple + + # if it was not found as an option, but it looks like a negative + # number, it was meant to be positional + # unless there are negative-number-like options + if self._negative_number_matcher.match(arg_string): + if not self._has_negative_number_optionals: + return None + + # if it contains a space, it was meant to be a positional + if ' ' in arg_string: + return None + + # it was meant to be an optional but there is no such option + # in this parser (though it might be a valid option in a subparser) + return None, arg_string, None + + def _get_option_tuples(self, option_string): + result = [] + + # option strings starting with two prefix characters are only + # split at the '=' + chars = self.prefix_chars + if option_string[0] in chars and option_string[1] in chars: + if '=' in option_string: + option_prefix, explicit_arg = option_string.split('=', 1) + else: + option_prefix = option_string + explicit_arg = None + for option_string in self._option_string_actions: + if option_string.startswith(option_prefix): + action = self._option_string_actions[option_string] + tup = action, option_string, explicit_arg + result.append(tup) + + # single character options can be concatenated with their arguments + # but multiple character options always have to have their argument + # separate + elif option_string[0] in chars and option_string[1] not in chars: + option_prefix = option_string + explicit_arg = None + short_option_prefix = option_string[:2] + short_explicit_arg = option_string[2:] + + for option_string in self._option_string_actions: + if option_string == short_option_prefix: + action = self._option_string_actions[option_string] + tup = action, option_string, short_explicit_arg + result.append(tup) + elif option_string.startswith(option_prefix): + action = self._option_string_actions[option_string] + tup = action, option_string, explicit_arg + result.append(tup) + + # shouldn't ever get here + else: + self.error(_('unexpected option string: %s') % option_string) + + # return the collected option tuples + return result + + def _get_nargs_pattern(self, action): + # in all examples below, we have to allow for '--' args + # which are represented as '-' in the pattern + nargs = action.nargs + + # the default (None) is assumed to be a single argument + if nargs is None: + nargs_pattern = '(-*A-*)' + + # allow zero or one arguments + elif nargs == OPTIONAL: + nargs_pattern = '(-*A?-*)' + + # allow zero or more arguments + elif nargs == ZERO_OR_MORE: + nargs_pattern = '(-*[A-]*)' + + # allow one or more arguments + elif nargs == ONE_OR_MORE: + nargs_pattern = '(-*A[A-]*)' + + # allow any number of options or arguments + elif nargs == REMAINDER: + nargs_pattern = '([-AO]*)' + + # allow one argument followed by any number of options or arguments + elif nargs == PARSER: + nargs_pattern = '(-*A[-AO]*)' + + # all others should be integers + else: + nargs_pattern = '(-*%s-*)' % '-*'.join('A' * nargs) + + # if this is an optional action, -- is not allowed + if action.option_strings: + nargs_pattern = nargs_pattern.replace('-*', '') + nargs_pattern = nargs_pattern.replace('-', '') + + # return the pattern + return nargs_pattern + + # ======================== + # Value conversion methods + # ======================== + def _get_values(self, action, arg_strings): + # for everything but PARSER args, strip out '--' + if action.nargs not in [PARSER, REMAINDER]: + arg_strings = [s for s in arg_strings if s != '--'] + + # optional argument produces a default when not present + if not arg_strings and action.nargs == OPTIONAL: + if action.option_strings: + value = action.const + else: + value = action.default + if isinstance(value, basestring): + value = self._get_value(action, value) + self._check_value(action, value) + + # when nargs='*' on a positional, if there were no command-line + # args, use the default if it is anything other than None + elif (not arg_strings and action.nargs == ZERO_OR_MORE and + not action.option_strings): + if action.default is not None: + value = action.default + else: + value = arg_strings + self._check_value(action, value) + + # single argument or optional argument produces a single value + elif len(arg_strings) == 1 and action.nargs in [None, OPTIONAL]: + arg_string, = arg_strings + value = self._get_value(action, arg_string) + self._check_value(action, value) + + # REMAINDER arguments convert all values, checking none + elif action.nargs == REMAINDER: + value = [self._get_value(action, v) for v in arg_strings] + + # PARSER arguments convert all values, but check only the first + elif action.nargs == PARSER: + value = [self._get_value(action, v) for v in arg_strings] + self._check_value(action, value[0]) + + # all other types of nargs produce a list + else: + value = [self._get_value(action, v) for v in arg_strings] + for v in value: + self._check_value(action, v) + + # return the converted value + return value + + def _get_value(self, action, arg_string): + type_func = self._registry_get('type', action.type, action.type) + if not _callable(type_func): + msg = _('%r is not callable') + raise ArgumentError(action, msg % type_func) + + # convert the value to the appropriate type + try: + result = type_func(arg_string) + + # ArgumentTypeErrors indicate errors + except ArgumentTypeError: + name = getattr(action.type, '__name__', repr(action.type)) + msg = str(_sys.exc_info()[1]) + raise ArgumentError(action, msg) + + # TypeErrors or ValueErrors also indicate errors + except (TypeError, ValueError): + name = getattr(action.type, '__name__', repr(action.type)) + msg = _('invalid %s value: %r') + raise ArgumentError(action, msg % (name, arg_string)) + + # return the converted value + return result + + def _check_value(self, action, value): + # converted value must be one of the choices (if specified) + if action.choices is not None and value not in action.choices: + tup = value, ', '.join(map(repr, action.choices)) + msg = _('invalid choice: %r (choose from %s)') % tup + raise ArgumentError(action, msg) + + # ======================= + # Help-formatting methods + # ======================= + def format_usage(self): + formatter = self._get_formatter() + formatter.add_usage(self.usage, self._actions, + self._mutually_exclusive_groups) + return formatter.format_help() + + def format_help(self): + formatter = self._get_formatter() + + # usage + formatter.add_usage(self.usage, self._actions, + self._mutually_exclusive_groups) + + # description + formatter.add_text(self.description) + + # positionals, optionals and user-defined groups + for action_group in self._action_groups: + formatter.start_section(action_group.title) + formatter.add_text(action_group.description) + formatter.add_arguments(action_group._group_actions) + formatter.end_section() + + # epilog + formatter.add_text(self.epilog) + + # determine help from format above + return formatter.format_help() + + def format_version(self): + import warnings + warnings.warn( + 'The format_version method is deprecated -- the "version" ' + 'argument to ArgumentParser is no longer supported.', + DeprecationWarning) + formatter = self._get_formatter() + formatter.add_text(self.version) + return formatter.format_help() + + def _get_formatter(self): + return self.formatter_class(prog=self.prog) + + # ===================== + # Help-printing methods + # ===================== + def print_usage(self, file=None): + if file is None: + file = _sys.stdout + self._print_message(self.format_usage(), file) + + def print_help(self, file=None): + if file is None: + file = _sys.stdout + self._print_message(self.format_help(), file) + + def print_version(self, file=None): + import warnings + warnings.warn( + 'The print_version method is deprecated -- the "version" ' + 'argument to ArgumentParser is no longer supported.', + DeprecationWarning) + self._print_message(self.format_version(), file) + + def _print_message(self, message, file=None): + if message: + if file is None: + file = _sys.stderr + file.write(message) + + # =============== + # Exiting methods + # =============== + def exit(self, status=0, message=None): + if message: + self._print_message(message, _sys.stderr) + _sys.exit(status) + + def error(self, message): + """error(message: string) + + Prints a usage message incorporating the message to stderr and + exits. + + If you override this in a subclass, it should not return -- it + should either exit or raise an exception. + """ + self.print_usage(_sys.stderr) + self.exit(2, _('%s: error: %s\n') % (self.prog, message)) diff --git a/suricata/update/compat/ordereddict.py b/suricata/update/compat/ordereddict.py new file mode 100644 index 0000000..5b0303f --- /dev/null +++ b/suricata/update/compat/ordereddict.py @@ -0,0 +1,127 @@ +# Copyright (c) 2009 Raymond Hettinger +# +# Permission is hereby granted, free of charge, to any person +# obtaining a copy of this software and associated documentation files +# (the "Software"), to deal in the Software without restriction, +# including without limitation the rights to use, copy, modify, merge, +# publish, distribute, sublicense, and/or sell copies of the Software, +# and to permit persons to whom the Software is furnished to do so, +# subject to the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES +# OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +# OTHER DEALINGS IN THE SOFTWARE. + +from UserDict import DictMixin + +class OrderedDict(dict, DictMixin): + + def __init__(self, *args, **kwds): + if len(args) > 1: + raise TypeError('expected at most 1 arguments, got %d' % len(args)) + try: + self.__end + except AttributeError: + self.clear() + self.update(*args, **kwds) + + def clear(self): + self.__end = end = [] + end += [None, end, end] # sentinel node for doubly linked list + self.__map = {} # key --> [key, prev, next] + dict.clear(self) + + def __setitem__(self, key, value): + if key not in self: + end = self.__end + curr = end[1] + curr[2] = end[1] = self.__map[key] = [key, curr, end] + dict.__setitem__(self, key, value) + + def __delitem__(self, key): + dict.__delitem__(self, key) + key, prev, next = self.__map.pop(key) + prev[2] = next + next[1] = prev + + def __iter__(self): + end = self.__end + curr = end[2] + while curr is not end: + yield curr[0] + curr = curr[2] + + def __reversed__(self): + end = self.__end + curr = end[1] + while curr is not end: + yield curr[0] + curr = curr[1] + + def popitem(self, last=True): + if not self: + raise KeyError('dictionary is empty') + if last: + key = reversed(self).next() + else: + key = iter(self).next() + value = self.pop(key) + return key, value + + def __reduce__(self): + items = [[k, self[k]] for k in self] + tmp = self.__map, self.__end + del self.__map, self.__end + inst_dict = vars(self).copy() + self.__map, self.__end = tmp + if inst_dict: + return (self.__class__, (items,), inst_dict) + return self.__class__, (items,) + + def keys(self): + return list(self) + + setdefault = DictMixin.setdefault + update = DictMixin.update + pop = DictMixin.pop + values = DictMixin.values + items = DictMixin.items + iterkeys = DictMixin.iterkeys + itervalues = DictMixin.itervalues + iteritems = DictMixin.iteritems + + def __repr__(self): + if not self: + return '%s()' % (self.__class__.__name__,) + return '%s(%r)' % (self.__class__.__name__, self.items()) + + def copy(self): + return self.__class__(self) + + @classmethod + def fromkeys(cls, iterable, value=None): + d = cls() + for key in iterable: + d[key] = value + return d + + def __eq__(self, other): + if isinstance(other, OrderedDict): + if len(self) != len(other): + return False + for p, q in zip(self.items(), other.items()): + if p != q: + return False + return True + return dict.__eq__(self, other) + + def __ne__(self, other): + return not self == other diff --git a/suricata/update/config.py b/suricata/update/config.py new file mode 100644 index 0000000..ad95996 --- /dev/null +++ b/suricata/update/config.py @@ -0,0 +1,266 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2015-2017 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import os.path +import logging + +import yaml + +import suricata.update.engine +from suricata.update.exceptions import ApplicationError + +try: + from suricata.config import defaults + has_defaults = True +except: + has_defaults = False + +logger = logging.getLogger() + +DEFAULT_DATA_DIRECTORY = "/var/lib/suricata" + +# Cache directory - relative to the data directory. +CACHE_DIRECTORY = os.path.join("update", "cache") + +# Source directory - relative to the data directory. +SOURCE_DIRECTORY = os.path.join("update", "sources") + +# Configuration keys. +DATA_DIRECTORY_KEY = "data-directory" +CACHE_DIRECTORY_KEY = "cache-directory" +IGNORE_KEY = "ignore" +DISABLE_CONF_KEY = "disable-conf" +ENABLE_CONF_KEY = "enable-conf" +MODIFY_CONF_KEY = "modify-conf" +DROP_CONF_KEY = "drop-conf" +LOCAL_CONF_KEY = "local" +OUTPUT_KEY = "output" +DIST_RULE_DIRECTORY_KEY = "dist-rule-directory" + +if has_defaults: + DEFAULT_UPDATE_YAML_PATH = os.path.join(defaults.sysconfdir, "update.yaml") +else: + DEFAULT_UPDATE_YAML_PATH = "/etc/suricata/update.yaml" + +DEFAULT_SURICATA_YAML_PATH = [ + "/etc/suricata/suricata.yaml", + "/usr/local/etc/suricata/suricata.yaml", + "/etc/suricata/suricata-debian.yaml" +] + +if has_defaults: + DEFAULT_DIST_RULE_PATH = [ + defaults.datarulesdir, + "/etc/suricata/rules", + ] +else: + DEFAULT_DIST_RULE_PATH = [ + "/etc/suricata/rules", + ] + +DEFAULT_CONFIG = { + "sources": [], + LOCAL_CONF_KEY: [], + + # The default file patterns to ignore. + "ignore": [ + "*deleted.rules", + ], +} + +_args = None +_config = {} + +# The filename the config was read from, if any. +filename = None + +def has(key): + """Return true if a configuration key exists.""" + return key in _config + +def set(key, value): + """Set a configuration value.""" + _config[key] = value + +def get(key): + """Get a configuration value.""" + if key in _config: + return _config[key] + return None + +def set_state_dir(directory): + _config[DATA_DIRECTORY_KEY] = directory + +def get_state_dir(): + """Get the data directory. This is more of the Suricata state + directory than a specific Suricata-Update directory, and is used + as the root directory for Suricata-Update data. + """ + if os.getenv("DATA_DIRECTORY"): + return os.getenv("DATA_DIRECTORY") + if DATA_DIRECTORY_KEY in _config: + return _config[DATA_DIRECTORY_KEY] + return DEFAULT_DATA_DIRECTORY + +def set_cache_dir(directory): + """Set an alternate cache directory.""" + _config[CACHE_DIRECTORY_KEY] = directory + +def get_cache_dir(): + """Get the cache directory.""" + if CACHE_DIRECTORY_KEY in _config: + return _config[CACHE_DIRECTORY_KEY] + return os.path.join(get_state_dir(), CACHE_DIRECTORY) + +def get_output_dir(): + """Get the rule output directory.""" + if OUTPUT_KEY in _config: + return _config[OUTPUT_KEY] + return os.path.join(get_state_dir(), "rules") + +def args(): + """Return sthe parsed argument object.""" + return _args + +def get_arg(key): + key = key.replace("-", "_") + if hasattr(_args, key): + val = getattr(_args, key) + if val not in [[], None]: + return val + return None + +def init(args): + global _args + global filename + + _args = args + _config.update(DEFAULT_CONFIG) + + if args.config: + logger.info("Loading %s", args.config) + with open(args.config, "rb") as fileobj: + config = yaml.safe_load(fileobj) + if config: + _config.update(config) + filename = args.config + elif os.path.exists(DEFAULT_UPDATE_YAML_PATH): + logger.info("Loading %s", DEFAULT_UPDATE_YAML_PATH) + with open(DEFAULT_UPDATE_YAML_PATH, "rb") as fileobj: + config = yaml.safe_load(fileobj) + if config: + _config.update(config) + filename = DEFAULT_UPDATE_YAML_PATH + + # Apply command line arguments to the config. + for arg in vars(args): + if arg == "local": + for local in args.local: + logger.debug("Adding local ruleset to config: %s", local) + _config[LOCAL_CONF_KEY].append(local) + elif arg == "data_dir" and args.data_dir: + logger.debug("Setting data directory to %s", args.data_dir) + _config[DATA_DIRECTORY_KEY] = args.data_dir + elif getattr(args, arg) is not None: + key = arg.replace("_", "-") + val = getattr(args, arg) + logger.debug("Setting configuration value %s -> %s", key, val) + _config[key] = val + + # Find and set the path to suricata if not provided. + if "suricata" in _config: + if not os.path.exists(_config["suricata"]): + raise ApplicationError( + "Configured path to suricata does not exist: %s" % ( + _config["suricata"])) + else: + suricata_path = suricata.update.engine.get_path() + if not suricata_path: + logger.warning("No suricata application binary found on path.") + else: + _config["suricata"] = suricata_path + + if "suricata" in _config: + build_info = suricata.update.engine.get_build_info(_config["suricata"]) + + # Set the first suricata.yaml to check for to the one in the + # --sysconfdir provided by build-info. + if not "suricata_conf" in _config and "sysconfdir" in build_info: + DEFAULT_SURICATA_YAML_PATH.insert( + 0, os.path.join( + build_info["sysconfdir"], "suricata/suricata.yaml")) + + # Amend the path to look for Suricata provided rules based on + # the build info. As we are inserting at the front, put the + # highest priority path last. + if "sysconfdir" in build_info: + DEFAULT_DIST_RULE_PATH.insert( + 0, os.path.join(build_info["sysconfdir"], "suricata/rules")) + if "datarootdir" in build_info: + DEFAULT_DIST_RULE_PATH.insert( + 0, os.path.join(build_info["datarootdir"], "suricata/rules")) + + # Set the data-directory prefix to that of the --localstatedir + # found in the build-info. + if not DATA_DIRECTORY_KEY in _config and "localstatedir" in build_info: + data_directory = os.path.join( + build_info["localstatedir"], "lib/suricata") + logger.info("Using data-directory %s.", data_directory) + _config[DATA_DIRECTORY_KEY] = data_directory + + # Fixup the default locations for Suricata-Update configuration files, but only if + # they exist, otherwise keep the defaults. + conf_search_path = ["/etc"] + if "sysconfdir" in build_info: + sysconfdir = build_info["sysconfdir"] + if not sysconfdir in conf_search_path: + conf_search_path.insert(0, sysconfdir) + configs = ( + ("disable-conf", "disable.conf"), + ("enable-conf", "enable.conf"), + ("drop-conf", "drop.conf"), + ("modify-conf", "modify.conf"), + ) + for key, filename in configs: + if getattr(args, key.replace("-", "_"), None) is not None: + continue + if _config.get(key) is not None: + continue + for conf_dir in conf_search_path: + config_path = os.path.join(conf_dir, "suricata", filename) + logger.debug("Looking for {}".format(config_path)) + if os.path.exists(config_path): + logger.debug("Found {}".format(config_path)) + logger.debug("Using {} for {}".format(config_path, key)) + _config[key] = config_path + break + + # If suricata-conf not provided on the command line or in the + # configuration file, look for it. + if not "suricata-conf" in _config: + for conf in DEFAULT_SURICATA_YAML_PATH: + if os.path.exists(conf): + logger.info("Using Suricata configuration %s" % (conf)) + _config["suricata-conf"] = conf + break + + if not DIST_RULE_DIRECTORY_KEY in _config: + for path in DEFAULT_DIST_RULE_PATH: + if os.path.exists(path): + logger.info("Using %s for Suricata provided rules.", path) + _config[DIST_RULE_DIRECTORY_KEY] = path + break diff --git a/suricata/update/configs/__init__.py b/suricata/update/configs/__init__.py new file mode 100644 index 0000000..e136c7a --- /dev/null +++ b/suricata/update/configs/__init__.py @@ -0,0 +1,31 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import os.path + +# The list of sample config files provided here, for use when asked to +# dump them. +filenames = [ + "update.yaml", + "enable.conf", + "disable.conf", + "modify.conf", + "drop.conf", + "threshold.in", +] + +directory = os.path.dirname(__file__) + diff --git a/suricata/update/configs/disable.conf b/suricata/update/configs/disable.conf new file mode 100644 index 0000000..59d0e18 --- /dev/null +++ b/suricata/update/configs/disable.conf @@ -0,0 +1,19 @@ +# suricata-update - disable.conf + +# Example of disabling a rule by signature ID (gid is optional). +# 1:2019401 +# 2019401 + +# Example of disabling a rule by regular expression. +# - All regular expression matches are case insensitive. +# re:heartbleed +# re:MS(0[7-9]|10)-\d+ + +# Examples of disabling a group of rules. +# group:emerging-icmp.rules +# group:emerging-dos +# group:emerging* + +# Disable all rules with a metadata of "deployment perimeter". Note that metadata +# matches are case insensitive. +# metadata: deployment perimeter \ No newline at end of file diff --git a/suricata/update/configs/drop.conf b/suricata/update/configs/drop.conf new file mode 100644 index 0000000..a93268d --- /dev/null +++ b/suricata/update/configs/drop.conf @@ -0,0 +1,11 @@ +# suricata-update - drop.conf +# +# Rules matching specifiers in this file will be converted to drop rules. +# +# Examples: +# +# 1:2019401 +# 2019401 +# +# re:heartbleed +# re:MS(0[7-9]|10)-\d+ diff --git a/suricata/update/configs/enable.conf b/suricata/update/configs/enable.conf new file mode 100644 index 0000000..ad7b4e2 --- /dev/null +++ b/suricata/update/configs/enable.conf @@ -0,0 +1,19 @@ +# suricata-update - enable.conf + +# Example of enabling a rule by signature ID (gid is optional). +# 1:2019401 +# 2019401 + +# Example of enabling a rule by regular expression. +# - All regular expression matches are case insensitive. +# re:heartbleed +# re:MS(0[7-9]|10)-\d+ + +# Examples of enabling a group of rules. +# group:emerging-icmp.rules +# group:emerging-dos +# group:emerging* + +# Enable all rules with a metadata of "deployment perimeter". Note that metadata +# matches are case insensitive. +# metadata: deployment perimeter \ No newline at end of file diff --git a/suricata/update/configs/modify.conf b/suricata/update/configs/modify.conf new file mode 100644 index 0000000..70bfb3e --- /dev/null +++ b/suricata/update/configs/modify.conf @@ -0,0 +1,24 @@ +# suricata-update - modify.conf + +# Format: "" "" + +# Example changing the seconds for rule 2019401 to 3600. +# 2019401 "seconds \d+" "seconds 3600" +# +# Example converting all alert rules to drop: +# re:. ^alert drop +# +# Example converting all drop rules with noalert back to alert: +# re:. "^drop(.*)noalert(.*)" "alert\\1noalert\\2" + +# Change all trojan-activity rules to drop. Its better to setup a +# drop.conf for this, but this does show the use of back references. +# re:classtype:trojan-activity "(alert)(.*)" "drop\\2" + +# For compatibility, most Oinkmaster modifysid lines should work as +# well. +# modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}" + +# Add metadata. +#metadata-add re:"SURICATA STREAM" "evebox-action" "archive" +#metadata-add 2010646 "evebox-action" "archive" \ No newline at end of file diff --git a/suricata/update/configs/threshold.in b/suricata/update/configs/threshold.in new file mode 100644 index 0000000..377417d --- /dev/null +++ b/suricata/update/configs/threshold.in @@ -0,0 +1,22 @@ +# suricata-update - threshold.in + +# This file contains thresholding configurations that will be turned into +# a Suricata compatible threshold.conf file. + +# This file can contain standard threshold.conf configurations: +# +# suppress gen_id , sig_id +# suppress gen_id , sig_id , track , ip +# threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 10 +# suppress gen_id 1, sig_id 2009557, track by_src, ip 217.110.97.128/25 + +# Or ones that will be preprocessed... + +# Suppress all rules containing "java". +# +# suppress re:java +# suppress re:java, track by_src, ip 217.110.97.128/25 + +# Threshold all rules containing "java". +# +# threshold re:java, type threshold, track by_dst, count 1, seconds 10 diff --git a/suricata/update/configs/update.yaml b/suricata/update/configs/update.yaml new file mode 100644 index 0000000..358e869 --- /dev/null +++ b/suricata/update/configs/update.yaml @@ -0,0 +1,58 @@ +# Configuration with disable filters. +# - Overrided by --disable-conf +# - Default: /etc/suricata/disable.conf +disable-conf: /etc/suricata/disable.conf + +# Configuration with enable filters. +# - Overrided by --enable-conf +# - Default: /etc/suricata/enable.conf +enable-conf: /etc/suricata/enable.conf + +# Configuration with drop filters. +# - Overrided by --drop-conf +# - Default: /etc/suricata/drop.conf +drop-conf: /etc/suricata/drop.conf + +# Configuration with modify filters. +# - Overrided by --modify-conf +# - Default: /etc/suricata/modify.conf +modify-conf: /etc/suricata/modify.conf + +# List of files to ignore. Overrided by the --ignore command line option. +ignore: + - "*deleted.rules" + +# Override the user-agent string. +#user-agent: "Suricata-Update" + +# Provide an alternate command to the default test command. +# +# The following environment variables can be used. +# SURICATA_PATH - The path to the discovered suricata program. +# OUTPUT_DIR - The directory the rules are written to. +# OUTPUT_FILENAME - The name of the rule file. Will be empty if the rules +# were not merged. +#test-command: ${SURICATA_PATH} -T -S ${OUTPUT_FILENAME} -l /tmp + +# Provide a command to reload the Suricata rules. +# May be overrided by the --reload-command command line option. +# See the documentation of --reload-command for the different options +# to reload Suricata rules. +#reload-command: sudo systemctl reload suricata + +# Remote rule sources. Simply a list of URLs. +sources: + # Emerging Threats Open with the Suricata version dynamically replaced. + - https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz + # The SSL blacklist, which is just a standalone rule file. + - https://sslbl.abuse.ch/blacklist/sslblacklist.rules + +# A list of local rule sources. Each entry can be a rule file, a +# directory or a wild card specification. +local: + # A directory of rules. + - /etc/suricata/rules + # A single rule file. + - /etc/suricata/rules/app-layer-events.rules + # A wildcard. + - /etc/suricata/rules/*.rules diff --git a/suricata/update/data/__init__.py b/suricata/update/data/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/suricata/update/data/index.py b/suricata/update/data/index.py new file mode 100644 index 0000000..02a9c4f --- /dev/null +++ b/suricata/update/data/index.py @@ -0,0 +1,476 @@ +index = { 'sources': { 'et/open': { 'description': 'Proofpoint ET Open is a ' + 'timely and accurate rule set ' + 'for detecting and blocking ' + 'advanced threats\n', + 'license': 'MIT', + 'summary': 'Emerging Threats Open Ruleset', + 'url': 'https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz', + 'vendor': 'Proofpoint'}, + 'et/pro': { 'checksum': False, + 'description': 'Proofpoint ET Pro is a timely ' + 'and accurate rule set for ' + 'detecting and blocking ' + 'advanced threats\n', + 'license': 'Commercial', + 'parameters': { 'secret-code': { 'prompt': 'Emerging ' + 'Threats ' + 'Pro ' + 'access ' + 'code'}}, + 'replaces': ['et/open'], + 'subscribe-url': 'https://www.proofpoint.com/us/threat-insight/et-pro-ruleset', + 'summary': 'Emerging Threats Pro Ruleset', + 'url': 'https://rules.emergingthreatspro.com/%(secret-code)s/suricata-%(__version__)s/etpro.rules.tar.gz', + 'vendor': 'Proofpoint'}, + 'etnetera/aggressive': { 'checksum': False, + 'license': 'MIT', + 'min-version': '4.0.0', + 'summary': 'Etnetera aggressive ' + 'IP blacklist', + 'url': 'https://security.etnetera.cz/feeds/etn_aggressive.rules', + 'vendor': 'Etnetera a.s.'}, + 'malsilo/win-malware': { 'checksum': True, + 'description': 'TCP/UDP, DNS and ' + 'HTTP Windows ' + 'threats ' + 'artifacts ' + 'observed at ' + 'runtime.\n', + 'homepage': 'https://raw-data.gitlab.io/post/malsilo_2.1/', + 'license': 'MIT', + 'min-version': '4.1.0', + 'summary': 'Commodity malware ' + 'rules', + 'url': 'https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz', + 'vendor': 'malsilo'}, + 'oisf/trafficid': { 'checksum': False, + 'license': 'MIT', + 'min-version': '4.0.0', + 'summary': 'Suricata Traffic ID ' + 'ruleset', + 'support-url': 'https://redmine.openinfosecfoundation.org/', + 'url': 'https://openinfosecfoundation.org/rules/trafficid/trafficid.rules', + 'vendor': 'OISF'}, + 'pawpatrules': { 'checksum': False, + 'description': 'PAW Patrules ruleset ' + 'permit to detect many ' + 'events on\n' + 'network. Suspicious ' + 'flow, malicious tool, ' + 'unsuported and\n' + 'vulnerable system, known ' + 'threat actors with ' + 'various IOCs,\n' + 'lateral movement, bad ' + 'practice, shadow IT... ' + 'Rules are\n' + 'frequently updated.\n', + 'homepage': 'https://pawpatrules.fr/', + 'license': 'CC-BY-SA-4.0', + 'min-version': '6.0.0', + 'summary': 'PAW Patrules is a collection ' + 'of rules for IDPS / NSM ' + 'Suricata engine', + 'url': 'https://rules.pawpatrules.fr/suricata/paw-patrules.tar.gz', + 'vendor': 'pawpatrules'}, + 'ptresearch/attackdetection': { 'description': 'The ' + 'Attack ' + 'Detection ' + 'Team ' + 'searches ' + 'for new ' + 'vulnerabilities ' + 'and ' + '0-days, ' + 'reproduces ' + 'it and ' + 'creates ' + 'PoC ' + 'exploits ' + 'to ' + 'understand ' + 'how these ' + 'security ' + 'flaws ' + 'work and ' + 'how ' + 'related ' + 'attacks ' + 'can be ' + 'detected ' + 'on the ' + 'network ' + 'layer. ' + 'Additionally, ' + 'we are ' + 'interested ' + 'in ' + 'malware ' + 'and ' + "hackers' " + 'TTPs, so ' + 'we ' + 'develop ' + 'Suricata ' + 'rules for ' + 'detecting ' + 'all sorts ' + 'of such ' + 'activities.\n', + 'license': 'Custom', + 'license-url': 'https://raw.githubusercontent.com/ptresearch/AttackDetection/master/LICENSE', + 'obsolete': 'no longer ' + 'exists', + 'summary': 'Positive ' + 'Technologies ' + 'Attack ' + 'Detection ' + 'Team ruleset', + 'url': 'https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz', + 'vendor': 'Positive ' + 'Technologies'}, + 'scwx/enhanced': { 'description': 'Broad ruleset composed ' + 'of malware rules and ' + 'other security-related ' + 'countermeasures, and ' + 'curated by the ' + 'Secureworks Counter ' + 'Threat Unit research ' + 'team. This ruleset ' + 'has been enhanced with ' + 'comprehensive and ' + 'fully ' + 'standard-compliant ' + 'BETTER metadata ' + '(https://better-schema.readthedocs.io/).\n', + 'license': 'Commercial', + 'min-version': '3.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Secureworks ' + 'Threat ' + 'Intelligence ' + 'Authentication ' + 'Token'}}, + 'subscribe-url': 'https://www.secureworks.com/contact/ ' + '(Please reference ' + 'CTU Countermeasures)', + 'summary': 'Secureworks ' + 'suricata-enhanced ruleset', + 'url': 'https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-enhanced_latest.tgz', + 'vendor': 'Secureworks'}, + 'scwx/malware': { 'description': 'High-fidelity, ' + 'high-priority ruleset ' + 'composed mainly of ' + 'malware-related ' + 'countermeasures and ' + 'curated by the ' + 'Secureworks Counter ' + 'Threat Unit research ' + 'team.\n', + 'license': 'Commercial', + 'min-version': '3.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Secureworks ' + 'Threat ' + 'Intelligence ' + 'Authentication ' + 'Token'}}, + 'subscribe-url': 'https://www.secureworks.com/contact/ ' + '(Please reference CTU ' + 'Countermeasures)', + 'summary': 'Secureworks ' + 'suricata-malware ruleset', + 'url': 'https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-malware_latest.tgz', + 'vendor': 'Secureworks'}, + 'scwx/security': { 'description': 'Broad ruleset composed ' + 'of malware rules and ' + 'other security-related ' + 'countermeasures, and ' + 'curated by the ' + 'Secureworks Counter ' + 'Threat Unit research ' + 'team.\n', + 'license': 'Commercial', + 'min-version': '3.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Secureworks ' + 'Threat ' + 'Intelligence ' + 'Authentication ' + 'Token'}}, + 'subscribe-url': 'https://www.secureworks.com/contact/ ' + '(Please reference ' + 'CTU Countermeasures)', + 'summary': 'Secureworks ' + 'suricata-security ruleset', + 'url': 'https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-security_latest.tgz', + 'vendor': 'Secureworks'}, + 'sslbl/ja3-fingerprints': { 'checksum': False, + 'description': 'If you are ' + 'running ' + 'Suricata, you ' + 'can use the ' + "SSLBL's " + 'Suricata JA3 ' + 'FingerprintRuleset ' + 'to detect ' + 'and/or block ' + 'malicious SSL ' + 'connections ' + 'in your ' + 'network based ' + 'on the JA3 ' + 'fingerprint. ' + 'Please note ' + 'that your ' + 'need Suricata ' + '4.1.0 or ' + 'newer in ' + 'order to use ' + 'the JA3 ' + 'fingerprint ' + 'ruleset.\n', + 'license': 'Non-Commercial', + 'min-version': '4.1.0', + 'summary': 'Abuse.ch Suricata ' + 'JA3 Fingerprint ' + 'Ruleset', + 'url': 'https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules', + 'vendor': 'Abuse.ch'}, + 'sslbl/ssl-fp-blacklist': { 'checksum': False, + 'description': 'The SSL ' + 'Blacklist ' + '(SSLBL) is a ' + 'project of ' + 'abuse.ch with ' + 'the goal of ' + 'detecting ' + 'malicious SSL ' + 'connections, ' + 'by ' + 'identifying ' + 'and ' + 'blacklisting ' + 'SSL ' + 'certificates ' + 'used by ' + 'botnet C&C ' + 'servers. In ' + 'addition, ' + 'SSLBL ' + 'identifies ' + 'JA3 ' + 'fingerprints ' + 'that helps ' + 'you to detect ' + '& block ' + 'malware ' + 'botnet C&C ' + 'communication ' + 'on the TCP ' + 'layer.\n', + 'license': 'Non-Commercial', + 'summary': 'Abuse.ch SSL ' + 'Blacklist', + 'url': 'https://sslbl.abuse.ch/blacklist/sslblacklist.rules', + 'vendor': 'Abuse.ch'}, + 'stamus/lateral': { 'description': 'Suricata ruleset ' + 'specifically focused ' + 'on detecting lateral\n' + 'movement in Microsoft ' + 'Windows environments ' + 'by Stamus Networks\n', + 'license': 'GPL-3.0-only', + 'min-version': '6.0.6', + 'summary': 'Lateral movement rules', + 'support-url': 'https://discord.com/channels/911231224448712714/911238451842666546', + 'url': 'https://ti.stamus-networks.io/open/stamus-lateral-rules.tar.gz', + 'vendor': 'Stamus Networks'}, + 'stamus/nrd-14-open': { 'description': 'Newly Registered ' + 'Domains list ' + '(last 14 days) to ' + 'match on DNS, TLS ' + 'and HTTP ' + 'communication.\n' + 'Produced by ' + 'Stamus Labs ' + 'research team.\n', + 'license': 'Commercial', + 'min-version': '6.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Stamus ' + 'Networks ' + 'License ' + 'code'}}, + 'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed', + 'summary': 'Newly Registered ' + 'Domains Open only - ' + '14 day list, complete', + 'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-nrd-14.tar.gz', + 'vendor': 'Stamus Networks'}, + 'stamus/nrd-30-open': { 'description': 'Newly Registered ' + 'Domains list ' + '(last 30 days) to ' + 'match on DNS, TLS ' + 'and HTTP ' + 'communication.\n' + 'Produced by ' + 'Stamus Labs ' + 'research team.\n', + 'license': 'Commercial', + 'min-version': '6.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Stamus ' + 'Networks ' + 'License ' + 'code'}}, + 'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed', + 'summary': 'Newly Registered ' + 'Domains Open only - ' + '30 day list, complete', + 'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-nrd-30.tar.gz', + 'vendor': 'Stamus Networks'}, + 'stamus/nrd-entropy-14-open': { 'description': 'Suspicious ' + 'Newly ' + 'Registered ' + 'Domains ' + 'list with ' + 'high ' + 'entropy ' + '(last 14 ' + 'days) to ' + 'match on ' + 'DNS, TLS ' + 'and HTTP ' + 'communication.\n' + 'Produced ' + 'by Stamus ' + 'Labs ' + 'research ' + 'team.\n', + 'license': 'Commercial', + 'min-version': '6.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Stamus ' + 'Networks ' + 'License ' + 'code'}}, + 'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed', + 'summary': 'Newly ' + 'Registered ' + 'Domains Open ' + 'only - 14 day ' + 'list, high ' + 'entropy', + 'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-entropy-14.tar.gz', + 'vendor': 'Stamus ' + 'Networks'}, + 'stamus/nrd-entropy-30-open': { 'description': 'Suspicious ' + 'Newly ' + 'Registered ' + 'Domains ' + 'list with ' + 'high ' + 'entropy ' + '(last 30 ' + 'days) to ' + 'match on ' + 'DNS, TLS ' + 'and HTTP ' + 'communication.\n' + 'Produced ' + 'by Stamus ' + 'Labs ' + 'research ' + 'team.\n', + 'license': 'Commercial', + 'min-version': '6.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Stamus ' + 'Networks ' + 'License ' + 'code'}}, + 'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed', + 'summary': 'Newly ' + 'Registered ' + 'Domains Open ' + 'only - 30 day ' + 'list, high ' + 'entropy', + 'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-entropy-30.tar.gz', + 'vendor': 'Stamus ' + 'Networks'}, + 'stamus/nrd-phishing-14-open': { 'description': 'Suspicious ' + 'Newly ' + 'Registered ' + 'Domains ' + 'Phishing ' + 'list ' + '(last 14 ' + 'days) to ' + 'match on ' + 'DNS, TLS ' + 'and HTTP ' + 'communication.\n' + 'Produced ' + 'by ' + 'Stamus ' + 'Labs ' + 'research ' + 'team.\n', + 'license': 'Commercial', + 'min-version': '6.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Stamus ' + 'Networks ' + 'License ' + 'code'}}, + 'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed', + 'summary': 'Newly ' + 'Registered ' + 'Domains Open ' + 'only - 14 ' + 'day list, ' + 'phishing', + 'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-phishing-14.tar.gz', + 'vendor': 'Stamus ' + 'Networks'}, + 'stamus/nrd-phishing-30-open': { 'description': 'Suspicious ' + 'Newly ' + 'Registered ' + 'Domains ' + 'Phishing ' + 'list ' + '(last 30 ' + 'days) to ' + 'match on ' + 'DNS, TLS ' + 'and HTTP ' + 'communication.\n' + 'Produced ' + 'by ' + 'Stamus ' + 'Labs ' + 'research ' + 'team.\n', + 'license': 'Commercial', + 'min-version': '6.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Stamus ' + 'Networks ' + 'License ' + 'code'}}, + 'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed', + 'summary': 'Newly ' + 'Registered ' + 'Domains Open ' + 'only - 30 ' + 'day list, ' + 'phishing', + 'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-phishing-30.tar.gz', + 'vendor': 'Stamus ' + 'Networks'}, + 'tgreen/hunting': { 'checksum': False, + 'description': 'Heuristic ruleset for ' + 'hunting. Focus on ' + 'anomaly detection and ' + 'showcasing latest ' + 'engine features, not ' + 'performance.\n', + 'license': 'GPLv3', + 'min-version': '4.1.0', + 'summary': 'Threat hunting rules', + 'url': 'https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules', + 'vendor': 'tgreen'}}, + 'version': 1} \ No newline at end of file diff --git a/suricata/update/data/update.py b/suricata/update/data/update.py new file mode 100644 index 0000000..8b34c40 --- /dev/null +++ b/suricata/update/data/update.py @@ -0,0 +1,53 @@ +# Copyright (C) 2018-2022 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import os.path +import sys +import pprint + +try: + from urllib2 import urlopen +except: + from urllib.request import urlopen + +import yaml + +DEFAULT_URL = "https://raw.githubusercontent.com/oisf/suricata-intel-index/master/index.yaml" + +def embed_index(): + """Embed a copy of the index as a Python source file. We can't use a + datafile yet as there is no easy way to do with distutils.""" + if len(sys.argv) > 1: + url = sys.argv[1] + else: + url = DEFAULT_URL + dist_filename = os.path.join(os.path.dirname(__file__), "index.py") + response = urlopen(url) + index = yaml.safe_load(response.read()) + + # Delete the version info to prevent the issue of the version info being out of + # date around a new release of Suricata where the index has not been updated + # to the latest recommended version. The user will be asked to update their + # sources to run the version check. + del(index["versions"]) + + pp = pprint.PrettyPrinter(indent=4) + + with open(dist_filename, "w") as fileobj: + fileobj.write("index = {}".format(pp.pformat(index))) + +if __name__ == "__main__": + embed_index() diff --git a/suricata/update/engine.py b/suricata/update/engine.py new file mode 100644 index 0000000..22ad9b3 --- /dev/null +++ b/suricata/update/engine.py @@ -0,0 +1,196 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2015 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +# This module contains functions for interacting with the Suricata +# application (aka the engine). + +from __future__ import print_function + +import sys +import os +import os.path +import subprocess +import re +import logging +import shutil +import yaml +import tempfile +from collections import namedtuple + +logger = logging.getLogger() + +SuricataVersion = namedtuple( + "SuricataVersion", ["major", "minor", "patch", "full", "short", "raw"]) + +def get_build_info(suricata): + build_info = { + "features": [], + } + build_info_output = subprocess.check_output([suricata, "--build-info"]) + for line in build_info_output.decode("utf-8").split("\n"): + line = line.strip() + if line.startswith("--prefix"): + build_info["prefix"] = line.split()[-1].strip() + elif line.startswith("--sysconfdir"): + build_info["sysconfdir"] = line.split()[-1].strip() + elif line.startswith("--localstatedir"): + build_info["localstatedir"] = line.split()[-1].strip() + elif line.startswith("--datarootdir"): + build_info["datarootdir"] = line.split()[-1].strip() + elif line.startswith("Features:"): + build_info["features"] = line.split()[1:] + elif line.startswith("This is Suricata version"): + build_info["version"] = parse_version(line) + + if not "prefix" in build_info: + logger.warning("--prefix not found in build-info.") + if not "sysconfdir" in build_info: + logger.warning("--sysconfdir not found in build-info.") + if not "localstatedir" in build_info: + logger.warning("--localstatedir not found in build-info.") + + return build_info + +class Configuration: + """An abstraction over the Suricata configuration file.""" + + def __init__(self, conf, build_info = {}): + self.conf = conf + self.build_info = build_info + + def keys(self): + return self.conf.keys() + + def has_key(self, key): + return key in self.conf + + def get(self, key): + return self.conf.get(key, None) + + def is_true(self, key, truthy=[]): + if not key in self.conf: + logger.warning( + "Suricata configuration key does not exist: %s" % (key)) + return False + if key in self.conf: + val = self.conf[key] + if val.lower() in ["1", "yes", "true"] + truthy: + return True + return False + + @classmethod + def load(cls, config_filename, suricata_path=None): + env = build_env() + env["SC_LOG_LEVEL"] = "Error" + if not suricata_path: + suricata_path = get_path() + if not suricata_path: + raise Exception("Suricata program could not be found.") + if not os.path.exists(suricata_path): + raise Exception("Suricata program %s does not exist.", suricata_path) + configuration_dump = subprocess.check_output( + [suricata_path, "-c", config_filename, "--dump-config"], + env=env) + conf = {} + for line in configuration_dump.splitlines(): + try: + key, val = line.decode().split(" = ") + conf[key] = val + except: + logger.warning("Failed to parse: %s", line) + build_info = get_build_info(suricata_path) + return cls(conf, build_info) + +def get_path(program="suricata"): + """Find Suricata in the shell path.""" + # First look for Suricata relative to suricata-update. + relative_path = os.path.join(os.path.dirname(sys.argv[0]), "suricata") + if os.path.exists(relative_path): + logger.debug("Found suricata at %s" % (relative_path)) + return relative_path + + # Otherwise look for it in the path. + for path in os.environ["PATH"].split(os.pathsep): + if not path: + continue + suricata_path = os.path.join(path, program) + logger.debug("Looking for %s in %s" % (program, path)) + if os.path.exists(suricata_path): + logger.debug("Found %s." % (suricata_path)) + return suricata_path + return None + +def parse_version(buf): + m = re.search(r"((\d+)\.(\d+)(\.(\d+))?([\w\-]+)?)", str(buf).strip()) + if m: + full = m.group(1) + major = int(m.group(2)) + minor = int(m.group(3)) + if not m.group(5): + patch = 0 + else: + patch = int(m.group(5)) + short = "%s.%s" % (major, minor) + return SuricataVersion( + major=major, minor=minor, patch=patch, short=short, full=full, + raw=buf) + return None + +def get_version(path): + """Get a SuricataVersion named tuple describing the version. + + If no path argument is found, the envionment PATH will be + searched. + """ + if not path: + return None + output = subprocess.check_output([path, "-V"]) + if output: + return parse_version(output) + return None + +def test_configuration(suricata_path, suricata_conf=None, rule_filename=None): + """Test the Suricata configuration with -T.""" + tempdir = tempfile.mkdtemp() + test_command = [ + suricata_path, + "-T", + "-l", tempdir, + ] + if suricata_conf: + test_command += ["-c", suricata_conf] + if rule_filename: + test_command += ["-S", rule_filename] + + env = build_env() + env["SC_LOG_LEVEL"] = "Warning" + + logger.debug("Running %s; env=%s", " ".join(test_command), str(env)) + rc = subprocess.Popen(test_command, env=env).wait() + ret = True if rc == 0 else False + + # Cleanup the temp dir + shutil.rmtree(tempdir) + + return ret + +def build_env(): + env = os.environ.copy() + env["SC_LOG_FORMAT"] = "%t - <%d> -- " + env["SC_LOG_LEVEL"] = "Error" + env["ASAN_OPTIONS"] = "detect_leaks=0" + return env diff --git a/suricata/update/exceptions.py b/suricata/update/exceptions.py new file mode 100644 index 0000000..1f2c547 --- /dev/null +++ b/suricata/update/exceptions.py @@ -0,0 +1,21 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +class ApplicationError(Exception): + pass + +class InvalidConfigurationError(ApplicationError): + pass diff --git a/suricata/update/extract.py b/suricata/update/extract.py new file mode 100644 index 0000000..20e4156 --- /dev/null +++ b/suricata/update/extract.py @@ -0,0 +1,68 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2017 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import tarfile +from zipfile import ZipFile + +def extract_tar(filename): + files = {} + + tf = tarfile.open(filename, mode="r:*") + + try: + while True: + member = tf.next() + if member is None: + break + if not member.isfile(): + continue + fileobj = tf.extractfile(member) + if fileobj: + # Remove leading /. + member_name = member.name.lstrip("/") + files[member_name] = fileobj.read() + finally: + tf.close() + + return files + +def extract_zip(filename): + files = {} + + with ZipFile(filename) as reader: + for name in reader.namelist(): + if name.endswith("/"): + continue + fixed_name = name.lstrip("/") + files[fixed_name] = reader.read(name) + + return files + +def try_extract(filename): + try: + return extract_tar(filename) + except: + pass + + try: + return extract_zip(filename) + except: + pass + + return None diff --git a/suricata/update/loghandler.py b/suricata/update/loghandler.py new file mode 100644 index 0000000..dc10504 --- /dev/null +++ b/suricata/update/loghandler.py @@ -0,0 +1,115 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2016 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import sys +import os +import logging +import time + +# A list of secrets that will be replaced in the log output. +secrets = {} + + +def add_secret(secret, replacement): + """Register a secret to be masked. The secret will be replaced with: + + """ + secrets[str(secret)] = str(replacement) + + +class SuriColourLogHandler(logging.StreamHandler): + """An alternative stream log handler that logs with Suricata inspired + log colours.""" + + GREEN = "\x1b[32m" + BLUE = "\x1b[34m" + REDB = "\x1b[1;31m" + YELLOW = "\x1b[33m" + RED = "\x1b[31m" + YELLOWB = "\x1b[1;33m" + ORANGE = "\x1b[38;5;208m" + RESET = "\x1b[0m" + + def formatTime(self, record): + lt = time.localtime(record.created) + t = "%d/%d/%d -- %02d:%02d:%02d" % (lt.tm_mday, + lt.tm_mon, + lt.tm_year, + lt.tm_hour, + lt.tm_min, + lt.tm_sec) + return "%s" % (t) + + def emit(self, record): + + if record.levelname == "ERROR": + level_prefix = self.REDB + message_prefix = self.REDB + elif record.levelname == "WARNING": + level_prefix = self.ORANGE + message_prefix = self.ORANGE + else: + level_prefix = self.YELLOW + message_prefix = "" + + if os.isatty(self.stream.fileno()): + self.stream.write("%s%s%s - <%s%s%s> -- %s%s%s\n" % ( + self.GREEN, + self.formatTime(record), + self.RESET, + level_prefix, + record.levelname.title(), + self.RESET, + message_prefix, + self.mask_secrets(record.getMessage()), + self.RESET)) + else: + self.stream.write("%s - <%s> -- %s\n" % ( + self.formatTime(record), + record.levelname.title(), + self.mask_secrets(record.getMessage()))) + + def mask_secrets(self, msg): + for secret in secrets: + msg = msg.replace(secret, "<%s>" % secrets[secret]) + return msg + + +class LessThanFilter(logging.Filter): + def __init__(self, exclusive_maximum, name=""): + super(LessThanFilter, self).__init__(name) + self.max_level = exclusive_maximum + + def filter(self, record): + return 1 if record.levelno < self.max_level else 0 + + +def configure_logging(): + if os.fstat(sys.stdout.fileno()) == os.fstat(sys.stderr.fileno()): + filter_stdout = True + else: + filter_stdout = False + logger = logging.getLogger() + logger.setLevel(logging.NOTSET) + logging_handler_out = SuriColourLogHandler(sys.stdout) + logging_handler_out.setLevel(logging.DEBUG) + if filter_stdout: + logging_handler_out.addFilter(LessThanFilter(logging.WARNING)) + logger.addHandler(logging_handler_out) + logging_handler_err = SuriColourLogHandler(sys.stderr) + logging_handler_err.setLevel(logging.WARNING) + logger.addHandler(logging_handler_err) diff --git a/suricata/update/main.py b/suricata/update/main.py new file mode 100644 index 0000000..18af7a8 --- /dev/null +++ b/suricata/update/main.py @@ -0,0 +1,1404 @@ +# Copyright (C) 2017-2022 Open Information Security Foundation +# Copyright (c) 2015-2017 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import sys +import re +import os.path +import logging +import argparse +import time +import hashlib +import fnmatch +import subprocess +import shutil +import glob +import io +import tempfile +import signal +import errno +from collections import namedtuple + +try: + # Python 3. + from urllib.error import URLError +except ImportError: + # Python 2.7. + from urllib2 import URLError + +try: + import yaml +except: + print("error: pyyaml is required") + sys.exit(1) + +from suricata.update import ( + commands, + config, + configs, + engine, + exceptions, + extract, + loghandler, + net, + notes, + parsers, + rule as rule_mod, + sources, + util, + matchers as matchers_mod +) + +from suricata.update.version import version +try: + from suricata.update.revision import revision +except: + revision = None + +SourceFile = namedtuple("SourceFile", ["filename", "content"]) + +if sys.argv[0] == __file__: + sys.path.insert( + 0, os.path.abspath(os.path.join(__file__, "..", "..", ".."))) + +# Initialize logging, use colour if on a tty. +if len(logging.root.handlers) == 0: + logger = logging.getLogger() + loghandler.configure_logging() + logger.setLevel(level=logging.INFO) +else: + logging.basicConfig( + level=logging.INFO, + format="%(asctime)s - <%(levelname)s> - %(message)s") + logger = logging.getLogger() + +# If Suricata is not found, default to this version. +DEFAULT_SURICATA_VERSION = "6.0.0" + +# The default filename to use for the output rule file. This is a +# single file concatenating all input rule files together. +DEFAULT_OUTPUT_RULE_FILENAME = "suricata.rules" + +INDEX_EXPIRATION_TIME = 60 * 60 * 24 * 14 + +# Rule keywords that come with files +file_kw = ["filemd5", "filesha1", "filesha256", "dataset"] + +def strict_error(msg): + logger.error(msg) + if config.args().fail: + sys.exit(1) + +class Fetch: + + def __init__(self): + self.istty = os.isatty(sys.stdout.fileno()) + + def check_checksum(self, tmp_filename, url, checksum_url=None): + try: + if not isinstance(checksum_url, str): + checksum_url = url[0] + ".md5" + net_arg=(checksum_url,url[1]) + local_checksum = hashlib.md5( + open(tmp_filename, "rb").read()).hexdigest().strip() + remote_checksum_buf = io.BytesIO() + logger.info("Checking %s." % (checksum_url)) + net.get(net_arg, remote_checksum_buf) + remote_checksum = remote_checksum_buf.getvalue().decode().strip() + logger.debug("Local checksum=|%s|; remote checksum=|%s|" % ( + local_checksum, remote_checksum)) + if local_checksum == remote_checksum: + os.utime(tmp_filename, None) + return True + except Exception as err: + logger.warning("Failed to check remote checksum: %s" % err) + return False + + def progress_hook(self, content_length, bytes_read): + if config.args().quiet or not self.istty: + return + if not content_length or content_length == 0: + percent = 0 + else: + percent = int((bytes_read / float(content_length)) * 100) + buf = " %3d%% - %-30s" % ( + percent, "%d/%d" % (bytes_read, content_length)) + sys.stdout.write(buf) + sys.stdout.flush() + sys.stdout.write("\b" * 38) + + def progress_hook_finish(self): + if config.args().quiet or not self.istty: + return + sys.stdout.write("\n") + sys.stdout.flush() + + def url_basename(self, url): + """ Return the base filename of the URL. """ + filename = os.path.basename(url).split("?", 1)[0] + return filename + + def get_tmp_filename(self, url): + url_hash = hashlib.md5(url.encode("utf-8")).hexdigest() + return os.path.join( + config.get_cache_dir(), + "%s-%s" % (url_hash, self.url_basename(url))) + + def fetch(self, url): + net_arg = url + checksum = url[2] + url = url[0] + tmp_filename = self.get_tmp_filename(url) + if config.args().offline: + if config.args().force: + logger.warning("Running offline, skipping download of %s", url) + logger.info("Using latest cached version of rule file: %s", url) + if not os.path.exists(tmp_filename): + logger.error("Can't proceed offline, " + "source {} has not yet been downloaded.".format(url)) + sys.exit(1) + return self.extract_files(tmp_filename) + if not config.args().force and os.path.exists(tmp_filename): + if not config.args().now and \ + time.time() - os.stat(tmp_filename).st_mtime < (60 * 15): + logger.info( + "Last download less than 15 minutes ago. Not downloading %s.", + url) + return self.extract_files(tmp_filename) + if checksum: + if self.check_checksum(tmp_filename, net_arg, checksum): + logger.info("Remote checksum has not changed. " + "Not fetching.") + return self.extract_files(tmp_filename) + if not os.path.exists(config.get_cache_dir()): + os.makedirs(config.get_cache_dir(), mode=0o770) + logger.info("Fetching %s." % (url)) + try: + tmp_fileobj = tempfile.NamedTemporaryFile() + net.get( + net_arg, + tmp_fileobj, + progress_hook=self.progress_hook) + shutil.copyfile(tmp_fileobj.name, tmp_filename) + tmp_fileobj.close() + except URLError as err: + if os.path.exists(tmp_filename): + if config.args().fail: + strict_error("Failed to fetch {}: {}".format(url, err)) + else: + logger.error("Failed to fetch {}, will use latest cached version: {}".format(url, err)) + return self.extract_files(tmp_filename) + raise err + except IOError as err: + self.progress_hook_finish() + logger.error("Failed to copy file: {}".format(err)) + sys.exit(1) + except Exception as err: + raise err + self.progress_hook_finish() + logger.info("Done.") + return self.extract_files(tmp_filename) + + def run(self, url=None): + files = {} + if url: + try: + fetched = self.fetch(url) + files.update(fetched) + except URLError as err: + url = url[0] if isinstance(url, tuple) else url + strict_error("Failed to fetch {}: {}".format(url, err)) + else: + for url in self.args.url: + files.update(self.fetch(url)) + return files + + def extract_files(self, filename): + files = extract.try_extract(filename) + if files: + return files + + # The file is not an archive, treat it as an individual file. + basename = os.path.basename(filename).split("-", 1)[1] + if not basename.endswith(".rules"): + basename = "{}.rules".format(basename) + files = {} + files[basename] = open(filename, "rb").read() + return files + +def load_filters(filename): + + filters = [] + + with open(filename) as fileobj: + for line in fileobj: + line = line.strip() + if not line or line.startswith("#"): + continue + line = line.rsplit(" #")[0].strip() + + try: + if line.startswith("metadata-add"): + rule_filter = matchers_mod.AddMetadataFilter.parse(line) + filters.append(rule_filter) + else: + line = re.sub(r'\\\$', '$', line) # needed to escape $ in pp + rule_filter = matchers_mod.ModifyRuleFilter.parse(line) + filters.append(rule_filter) + except Exception as err: + raise exceptions.ApplicationError( + "Failed to parse modify filter: {}".format(line)) + + return filters + +def load_drop_filters(filename): + matchers = load_matchers(filename) + filters = [] + + for matcher in matchers: + filters.append(matchers_mod.DropRuleFilter(matcher)) + + return filters + +def parse_matchers(fileobj): + matchers = [] + + for line in fileobj: + line = line.strip() + if not line or line.startswith("#"): + continue + line = line.rsplit(" #")[0] + matcher = matchers_mod.parse_rule_match(line) + if not matcher: + logger.warn("Failed to parse: \"%s\"" % (line)) + else: + matchers.append(matcher) + + return matchers + +def load_matchers(filename): + with open(filename) as fileobj: + return parse_matchers(fileobj) + +def load_local(local, files): + + """Load local files into the files dict.""" + if os.path.isdir(local): + for dirpath, dirnames, filenames in os.walk(local): + for filename in filenames: + if filename.endswith(".rules"): + path = os.path.join(local, filename) + load_local(path, files) + else: + local_files = glob.glob(local) + if len(local_files) == 0: + local_files.append(local) + for filename in local_files: + filename = os.path.realpath(filename) + logger.info("Loading local file %s" % (filename)) + if filename in files: + logger.warn( + "Local file %s overrides existing file of same name." % ( + filename)) + try: + with open(filename, "rb") as fileobj: + files.append(SourceFile(filename, fileobj.read())) + except Exception as err: + logger.error("Failed to open {}: {}".format(filename, err)) + +def load_dist_rules(files): + """Load the rule files provided by the Suricata distribution.""" + + # In the future hopefully we can just pull in all files from + # /usr/share/suricata/rules, but for now pull in the set of files + # known to have been provided by the Suricata source. + filenames = [ + "app-layer-events.rules", + "decoder-events.rules", + "dhcp-events.rules", + "dnp3-events.rules", + "dns-events.rules", + "files.rules", + "http-events.rules", + "ipsec-events.rules", + "kerberos-events.rules", + "modbus-events.rules", + "nfs-events.rules", + "ntp-events.rules", + "smb-events.rules", + "smtp-events.rules", + "stream-events.rules", + "tls-events.rules", + ] + + dist_rule_path = config.get(config.DIST_RULE_DIRECTORY_KEY) + if not dist_rule_path: + logger.warning("No distribution rule directory found.") + return + + if not os.path.exists(dist_rule_path): + logger.warning("Distribution rule directory not found: %s", + dist_rule_path) + return + + if os.path.exists(dist_rule_path): + if not os.access(dist_rule_path, os.R_OK): + logger.warning("Distribution rule path not readable: %s", + dist_rule_path) + return + for filename in filenames: + path = os.path.join(dist_rule_path, filename) + if not os.path.exists(path): + continue + if not os.access(path, os.R_OK): + logger.warning("Distribution rule file not readable: %s", + path) + continue + logger.info("Loading distribution rule file %s", path) + try: + with open(path, "rb") as fileobj: + files.append(SourceFile(path, fileobj.read())) + except Exception as err: + logger.error("Failed to open {}: {}".format(path, err)) + sys.exit(1) + +def load_classification(suriconf, files): + filename = os.path.join("suricata", "classification.config") + dirs = [] + classification_dict = {} + if "sysconfdir" in suriconf.build_info: + dirs.append(os.path.join(suriconf.build_info["sysconfdir"], filename)) + if "datarootdir" in suriconf.build_info: + dirs.append(os.path.join(suriconf.build_info["datarootdir"], filename)) + + for path in dirs: + if os.path.exists(path): + logger.debug("Loading {}".format(path)) + with open(path) as fp: + for line in fp: + if line.startswith("#") or not line.strip(): + continue + config_classification = line.split(":")[1].strip() + key, desc, priority = config_classification.split(",") + if key in classification_dict: + if classification_dict[key][1] >= priority: + continue + classification_dict[key] = [desc, priority, line.strip()] + + # Handle files from the sources + for filep in files: + logger.debug("Loading {}".format(filep[0])) + lines = filep[1].decode().split('\n') + for line in lines: + if line.startswith("#") or not line.strip(): + continue + config_classification = line.split(":")[1].strip() + key, desc, priority = config_classification.split(",") + if key in classification_dict: + if classification_dict[key][1] >= priority: + if classification_dict[key][1] > priority: + logger.warning("Found classification with same shortname \"{}\"," + " keeping the one with higher priority ({})".format( + key, classification_dict[key][1])) + continue + classification_dict[key] = [desc, priority, line.strip()] + + return classification_dict + +def manage_classification(suriconf, files): + if suriconf is None: + # Can't continue without a valid Suricata configuration + # object. + return + classification_dict = load_classification(suriconf, files) + path = os.path.join(config.get_output_dir(), "classification.config") + try: + logger.info("Writing {}".format(path)) + with open(path, "w+") as fp: + fp.writelines("{}\n".format(v[2]) for k, v in classification_dict.items()) + except (OSError, IOError) as err: + logger.error(err) + +def handle_dataset_files(rule, dep_files): + if not rule.enabled: + return + dataset_load = [el for el in (el.strip() for el in rule.dataset.split(",")) if el.startswith("load")] + if not dataset_load: + # No dataset load found. + return + dataset_filename = dataset_load[0].split(maxsplit=1)[1].strip() + + # Get the directory name the rule is from. + prefix = os.path.dirname(rule.group) + + # Construct the source filename. + source_filename = os.path.join(prefix, dataset_filename) + + # If a source filename starts with a "/", look for it on the filesystem. The archive + # unpackers will take care of removing a leading / so this shouldn't happen for + # downloaded rulesets. + if source_filename.startswith("/"): + if not os.path.exists(source_filename): + logger.warn("Local dataset file '{}' was not found for rule {}, rule will be disabled".format(source_filename, rule.idstr)) + rule.enabled = False + return + dataset_contents = open(source_filename, "rb").read() + else: + if not source_filename in dep_files: + logger.warn("Dataset file '{}' was not found for rule {}, rule will be disabled".format(dataset_filename, rule.idstr)) + rule.enabled = False + return + dataset_contents = dep_files[source_filename] + + source_filename_hash = hashlib.md5(source_filename.encode()).hexdigest() + new_rule = re.sub(r"(dataset.*?load\s+){}".format(dataset_filename), r"\g<1>datasets/{}".format(source_filename_hash), rule.format()) + dest_filename = os.path.join(config.get_output_dir(), "datasets", source_filename_hash) + dest_dir = os.path.dirname(dest_filename) + logger.debug("Copying dataset file {} to {}".format(dataset_filename, dest_filename)) + try: + os.makedirs(dest_dir, exist_ok=True) + except Exception as err: + logger.error("Failed to create directory {}: {}".format(dest_dir, err)) + return + with open(dest_filename, "w") as fp: + fp.write(dataset_contents.decode("utf-8")) + return new_rule + +def handle_filehash_files(rule, dep_files, fhash): + if not rule.enabled: + return + filehash_fname = rule.get(fhash) + + # Get the directory name the rule is from. + prefix = os.path.dirname(rule.group) + + source_filename = os.path.join(prefix, filehash_fname) + dest_filename = source_filename[len(prefix) + len(os.path.sep):] + logger.debug("dest_filename={}".format(dest_filename)) + + if source_filename not in dep_files: + logger.error("{} file {} was not found".format(fhash, filehash_fname)) + else: + logger.debug("Copying %s file %s to output directory" % (fhash, filehash_fname)) + filepath = os.path.join(config.get_output_dir(), os.path.dirname(dest_filename)) + logger.debug("filepath: %s" % filepath) + try: + os.makedirs(filepath) + except OSError as oserr: + if oserr.errno != errno.EEXIST: + logger.error(oserr) + sys.exit(1) + output_filename = os.path.join(filepath, os.path.basename(filehash_fname)) + logger.debug("output fname: %s" % output_filename) + with open(output_filename, "w") as fp: + fp.write(dep_files[source_filename].decode("utf-8")) + +def write_merged(filename, rulemap, dep_files): + + if not args.quiet: + # List of rule IDs that have been added. + added = [] + # List of rule objects that have been removed. + removed = [] + # List of rule IDs that have been modified. + modified = [] + + oldset = {} + if os.path.exists(filename): + for rule in rule_mod.parse_file(filename): + oldset[rule.id] = True + if not rule.id in rulemap: + removed.append(rule) + elif rule.format() != rulemap[rule.id].format(): + modified.append(rulemap[rule.id]) + + for key in rulemap: + if not key in oldset: + added.append(key) + + enabled = len([rule for rule in rulemap.values() if rule.enabled]) + logger.info("Writing rules to %s: total: %d; enabled: %d; " + "added: %d; removed %d; modified: %d" % ( + filename, + len(rulemap), + enabled, + len(added), + len(removed), + len(modified))) + tmp_filename = ".".join([filename, "tmp"]) + with io.open(tmp_filename, encoding="utf-8", mode="w") as fileobj: + for sid in rulemap: + rule = rulemap[sid] + reformatted = None + for kw in file_kw: + if kw in rule: + if "dataset" == kw: + reformatted = handle_dataset_files(rule, dep_files) + else: + handle_filehash_files(rule, dep_files, kw) + if reformatted: + print(reformatted, file=fileobj) + else: + print(rule.format(), file=fileobj) + os.rename(tmp_filename, filename) + +def write_to_directory(directory, files, rulemap, dep_files): + # List of rule IDs that have been added. + added = [] + # List of rule objects that have been removed. + removed = [] + # List of rule IDs that have been modified. + modified = [] + + oldset = {} + if not args.quiet: + for file in files: + outpath = os.path.join( + directory, os.path.basename(file.filename)) + + if os.path.exists(outpath): + for rule in rule_mod.parse_file(outpath): + oldset[rule.id] = True + if not rule.id in rulemap: + removed.append(rule) + elif rule.format() != rulemap[rule.id].format(): + modified.append(rule.id) + for key in rulemap: + if not key in oldset: + added.append(key) + + enabled = len([rule for rule in rulemap.values() if rule.enabled]) + logger.info("Writing rule files to directory %s: total: %d; " + "enabled: %d; added: %d; removed %d; modified: %d" % ( + directory, + len(rulemap), + enabled, + len(added), + len(removed), + len(modified))) + + for file in sorted(files): + outpath = os.path.join( + directory, os.path.basename(file.filename)) + logger.debug("Writing %s." % outpath) + if not file.filename.endswith(".rules"): + open(outpath, "wb").write(file.content) + else: + content = [] + for line in io.StringIO(file.content.decode("utf-8")): + rule = rule_mod.parse(line) + if not rule or rule.id not in rulemap: + content.append(line.strip()) + else: + reformatted = None + for kw in file_kw: + if kw in rule: + if "dataset" == kw: + reformatted = handle_dataset_files(rulemap[rule.id], dep_files) + else: + handle_filehash_files(rulemap[rule.id], dep_files, kw) + if reformatted: + content.append(reformatted) + else: + content.append(rulemap[rule.id].format()) + tmp_filename = ".".join([outpath, "tmp"]) + io.open(tmp_filename, encoding="utf-8", mode="w").write( + u"\n".join(content)) + os.rename(tmp_filename, outpath) + +def write_yaml_fragment(filename, files): + logger.info( + "Writing YAML configuration fragment: %s" % (filename)) + with open(filename, "w") as fileobj: + print("%YAML 1.1", file=fileobj) + print("---", file=fileobj) + print("rule-files:", file=fileobj) + for fn in sorted(files): + if fn.endswith(".rules"): + print(" - %s" % os.path.basename(fn), file=fileobj) + +def write_sid_msg_map(filename, rulemap, version=1): + logger.info("Writing %s." % (filename)) + with io.open(filename, encoding="utf-8", mode="w") as fileobj: + for key in rulemap: + rule = rulemap[key] + if version == 2: + formatted = rule_mod.format_sidmsgmap_v2(rule) + if formatted: + print(formatted, file=fileobj) + else: + formatted = rule_mod.format_sidmsgmap(rule) + if formatted: + print(formatted, file=fileobj) + +def build_rule_map(rules): + """Turn a list of rules into a mapping of rules. + + In case of gid:sid conflict, the rule with the higher revision + number will be used. + """ + rulemap = {} + + for rule in rules: + if rule.id not in rulemap: + rulemap[rule.id] = rule + else: + if rule["rev"] == rulemap[rule.id]["rev"]: + logger.warning( + "Found duplicate rule SID {} with same revision, " + "keeping the first rule seen.".format(rule.sid)) + if rule["rev"] > rulemap[rule.id]["rev"]: + logger.warning( + "Found duplicate rule SID {}, " + "keeping the rule with greater revision.".format(rule.sid)) + rulemap[rule.id] = rule + + return rulemap + +def dump_sample_configs(): + + for filename in configs.filenames: + if os.path.exists(filename): + logger.info("File already exists, not dumping %s." % (filename)) + else: + logger.info("Creating %s." % (filename)) + shutil.copy(os.path.join(configs.directory, filename), filename) + +def resolve_flowbits(rulemap, disabled_rules): + flowbit_resolver = rule_mod.FlowbitResolver() + flowbit_enabled = set() + pass_ = 1 + while True: + logger.debug("Checking flowbits for pass %d of rules.", pass_) + flowbits = flowbit_resolver.get_required_flowbits(rulemap) + logger.debug("Found %d required flowbits.", len(flowbits)) + required_rules = flowbit_resolver.get_required_rules(rulemap, flowbits) + logger.debug( + "Found %d rules to enable for flowbit requirements (pass %d)", + len(required_rules), pass_) + if not required_rules: + logger.debug("All required rules enabled.") + break + for rule in required_rules: + if not rule.enabled and rule in disabled_rules: + logger.debug( + "Enabling previously disabled rule for flowbits: %s" % ( + rule.brief())) + rule.enabled = True + rule.noalert = True + flowbit_enabled.add(rule) + pass_ = pass_ + 1 + logger.info("Enabled %d rules for flowbit dependencies." % ( + len(flowbit_enabled))) + +class ThresholdProcessor: + + patterns = [ + re.compile(r"\s+(re:\"(.*)\")"), + re.compile(r"\s+(re:(.*?)),.*"), + re.compile(r"\s+(re:(.*))"), + ] + + def extract_regex(self, buf): + for pattern in self.patterns: + m = pattern.search(buf) + if m: + return m.group(2) + + def extract_pattern(self, buf): + regex = self.extract_regex(buf) + if regex: + return re.compile(regex, re.I) + + def replace(self, threshold, rule): + for pattern in self.patterns: + m = pattern.search(threshold) + if m: + return threshold.replace( + m.group(1), "gen_id %d, sig_id %d" % (rule.gid, rule.sid)) + return threshold + + def process(self, filein, fileout, rulemap): + count = 0 + for line in filein: + line = line.rstrip() + if not line or line.startswith("#"): + print(line, file=fileout) + continue + pattern = self.extract_pattern(line) + if not pattern: + print(line, file=fileout) + else: + for rule in rulemap.values(): + if rule.enabled: + if pattern.search(rule.format()): + count += 1 + print("# %s" % (rule.brief()), file=fileout) + print(self.replace(line, rule), file=fileout) + print("", file=fileout) + logger.info("Generated %d thresholds to %s." % (count, fileout.name)) + +class FileTracker: + """Used to check if files are modified. + + Usage: Add files with add(filename) prior to modification. Test + with any_modified() which will return True if any of the checksums + have been modified. + + """ + + def __init__(self): + self.hashes = {} + + def add(self, filename): + checksum = self.md5(filename) + if not checksum: + logger.debug("Recording new file %s" % (filename)) + else: + logger.debug("Recording existing file %s with hash '%s'.", + filename, checksum) + self.hashes[filename] = checksum + + def md5(self, filename): + if not os.path.exists(filename): + return "" + else: + return hashlib.md5(open(filename, "rb").read()).hexdigest() + + def any_modified(self): + for filename in self.hashes: + if self.md5(filename) != self.hashes[filename]: + return True + return False + +def ignore_file(ignore_files, filename): + if not ignore_files: + return False + for pattern in ignore_files: + if fnmatch.fnmatch(os.path.basename(filename), pattern): + return True + return False + +def check_vars(suriconf, rulemap): + """Check that all vars referenced by a rule exist. If a var is not + found, disable the rule. + """ + if suriconf is None: + # Can't continue without a valid Suricata configuration + # object. + return + for rule_id in rulemap: + rule = rulemap[rule_id] + disable = False + for var in rule_mod.parse_var_names(rule["source_addr"]): + if not suriconf.has_key("vars.address-groups.%s" % (var)): + logger.warning( + "Rule has unknown source address var and will be disabled: %s: %s" % ( + var, rule.brief())) + notes.address_group_vars.add(var) + disable = True + for var in rule_mod.parse_var_names(rule["dest_addr"]): + if not suriconf.has_key("vars.address-groups.%s" % (var)): + logger.warning( + "Rule has unknown dest address var and will be disabled: %s: %s" % ( + var, rule.brief())) + notes.address_group_vars.add(var) + disable = True + for var in rule_mod.parse_var_names(rule["source_port"]): + if not suriconf.has_key("vars.port-groups.%s" % (var)): + logger.warning( + "Rule has unknown source port var and will be disabled: %s: %s" % ( + var, rule.brief())) + notes.port_group_vars.add(var) + disable = True + for var in rule_mod.parse_var_names(rule["dest_port"]): + if not suriconf.has_key("vars.port-groups.%s" % (var)): + logger.warning( + "Rule has unknown dest port var and will be disabled: %s: %s" % ( + var, rule.brief())) + notes.port_group_vars.add(var) + disable = True + + if disable: + rule.enabled = False + +def test_suricata(suricata_path): + if not suricata_path: + logger.info("No suricata application binary found, skipping test.") + return True + + if config.get("no-test"): + logger.info("Skipping test, disabled by configuration.") + return True + + if config.get("test-command"): + test_command = config.get("test-command") + logger.info("Testing Suricata configuration with: %s" % ( + test_command)) + env = { + "SURICATA_PATH": suricata_path, + "OUTPUT_DIR": config.get_output_dir(), + } + if not config.get("no-merge"): + env["OUTPUT_FILENAME"] = os.path.join( + config.get_output_dir(), DEFAULT_OUTPUT_RULE_FILENAME) + rc = subprocess.Popen(test_command, shell=True, env=env).wait() + if rc != 0: + return False + else: + logger.info("Testing with suricata -T.") + suricata_conf = config.get("suricata-conf") + if not config.get("no-merge"): + if not engine.test_configuration( + suricata_path, suricata_conf, + os.path.join( + config.get_output_dir(), + DEFAULT_OUTPUT_RULE_FILENAME)): + return False + else: + if not engine.test_configuration(suricata_path, suricata_conf): + return False + + return True + +def copytree(src, dst): + """A shutil.copytree like function that will copy the files from one + tree to another even if the path exists. + + """ + + for dirpath, dirnames, filenames in os.walk(src): + for filename in filenames: + src_path = os.path.join(dirpath, filename) + dst_path = os.path.join(dst, src_path[len(src) + 1:]) + if not os.path.exists(os.path.dirname(dst_path)): + os.makedirs(os.path.dirname(dst_path), mode=0o770) + shutil.copyfile(src_path, dst_path) + + # Also attempt to copy the stat bits, but this may fail + # if the owner of the file is not the same as the user + # running the program. + try: + shutil.copystat(src_path, dst_path) + except OSError as err: + logger.debug( + "Failed to copy stat info from %s to %s", src_path, + dst_path) + +def load_sources(suricata_version): + urls = [] + + http_header = None + checksum = True + + # Add any URLs added with the --url command line parameter. + if config.args().url: + for url in config.args().url: + urls.append((url, http_header, checksum)) + + # Get the new style sources. + enabled_sources = sources.get_enabled_sources() + + # Convert the Suricata version to a version string. + version_string = "%d.%d.%d" % ( + suricata_version.major, suricata_version.minor, + suricata_version.patch) + + # Construct the URL replacement parameters that are internal to + # suricata-update. + internal_params = {"__version__": version_string} + + # If we have new sources, we also need to load the index. + if enabled_sources: + index_filename = sources.get_index_filename() + if not os.path.exists(index_filename): + logger.warning("No index exists, will use bundled index.") + logger.warning("Please run suricata-update update-sources.") + if os.path.exists(index_filename) and time.time() - \ + os.stat(index_filename).st_mtime > INDEX_EXPIRATION_TIME: + logger.warning( + "Source index is older than 2 weeks. " + "Please update with suricata-update update-sources.") + index = sources.Index(index_filename) + + for (name, source) in enabled_sources.items(): + params = source["params"] if "params" in source else {} + params.update(internal_params) + if "url" in source: + # No need to go off to the index. + http_header = source.get("http-header") + checksum = source.get("checksum") + url = (source["url"] % params, http_header, checksum) + logger.debug("Resolved source %s to URL %s.", name, url[0]) + else: + if not index: + raise exceptions.ApplicationError( + "Source index is required for source %s; " + "run suricata-update update-sources" % (source["source"])) + source_config = index.get_source_by_name(name) + if source_config is None: + logger.warn("Source no longer exists in index and will not be fetched: {}".format(name)) + continue + try: + checksum = source_config["checksum"] + except: + checksum = True + url = (index.resolve_url(name, params), http_header, + checksum) + if "deprecated" in source_config: + logger.warn("Source has been deprecated: %s: %s" % ( + name, source_config["deprecated"])) + if "obsolete" in source_config: + logger.warn("Source is obsolete and will not be fetched: %s: %s" % ( + name, source_config["obsolete"])) + continue + logger.debug("Resolved source %s to URL %s.", name, url[0]) + urls.append(url) + + if config.get("sources"): + for url in config.get("sources"): + if not isinstance(url, str): + raise exceptions.InvalidConfigurationError( + "Invalid datatype for source URL: %s" % (str(url))) + url = (url % internal_params, http_header, checksum) + logger.debug("Adding source %s.", url) + urls.append(url) + + # If --etopen is on the command line, make sure its added. Or if + # there are no URLs, default to ET/Open. + if config.get("etopen") or not urls: + if not config.args().offline and not urls: + logger.info("No sources configured, will use Emerging Threats Open") + urls.append((sources.get_etopen_url(internal_params), http_header, + checksum)) + + # Converting the URLs to a set removed dupes. + urls = set(urls) + + # Now download each URL. + files = [] + for url in urls: + + # To de-duplicate filenames, add a prefix that is a hash of the URL. + prefix = hashlib.md5(url[0].encode()).hexdigest() + source_files = Fetch().run(url) + for key in source_files: + content = source_files[key] + key = os.path.join(prefix, key) + files.append(SourceFile(key, content)) + + # Now load local rules. + if config.get("local") is not None: + for local in config.get("local"): + load_local(local, files) + + return files + +def copytree_ignore_backup(src, names): + """ Returns files to ignore when doing a backup of the rules. """ + return [".cache"] + +def check_output_directory(output_dir): + """ Check that the output directory exists, creating it if it doesn't. """ + if not os.path.exists(output_dir): + logger.info("Creating directory %s." % (output_dir)) + try: + os.makedirs(output_dir, mode=0o770) + except Exception as err: + raise exceptions.ApplicationError( + "Failed to create directory %s: %s" % ( + output_dir, err)) + +# Check and disable ja3 rules if needed. +# +# Note: This is a bit of a quick fixup job for 5.0, but we should look +# at making feature handling more generic. +def disable_ja3(suriconf, rulemap, disabled_rules): + if suriconf and suriconf.build_info: + enabled = False + reason = None + logged = False + if "HAVE_NSS" not in suriconf.build_info["features"]: + reason = "Disabling ja3 rules as Suricata is built without libnss." + else: + # Check if disabled. Must be explicitly disabled, + # otherwise we'll keep ja3 rules enabled. + val = suriconf.get("app-layer.protocols.tls.ja3-fingerprints") + + # Prior to Suricata 5, leaving ja3-fingerprints undefined + # in the configuration disabled the feature. With 5.0, + # having it undefined will enable it as needed. + if not val: + if suriconf.build_info["version"].major < 5: + val = "no" + else: + val = "auto" + + if val and val.lower() not in ["1", "yes", "true", "auto"]: + reason = "Disabling ja3 rules as ja3 fingerprints are not enabled." + else: + enabled = True + + count = 0 + if not enabled: + for key, rule in rulemap.items(): + if "ja3" in rule["features"]: + if not logged: + logger.warn(reason) + logged = True + rule.enabled = False + disabled_rules.append(rule) + count += 1 + if count: + logger.info("%d ja3_hash rules disabled." % (count)) + +def _main(): + global args + args = parsers.parse_arg() + + # Go verbose or quiet sooner than later. + if args.verbose: + logger.setLevel(logging.DEBUG) + if args.quiet: + logger.setLevel(logging.WARNING) + + logger.debug("This is suricata-update version %s (rev: %s); Python: %s" % ( + version, revision, sys.version.replace("\n", "- "))) + + config.init(args) + + # Error out if any reserved/unimplemented arguments were set. + unimplemented_args = [ + "disable", + "enable", + "modify", + "drop", + ] + for arg in unimplemented_args: + if hasattr(args, arg) and getattr(args, arg): + logger.error("--{} not implemented".format(arg)) + return 1 + + suricata_path = config.get("suricata") + + # Now parse the Suricata version. If provided on the command line, + # use that, otherwise attempt to get it from Suricata. + if args.suricata_version: + # The Suricata version was passed on the command line, parse it. + suricata_version = engine.parse_version(args.suricata_version) + if not suricata_version: + logger.error("Failed to parse provided Suricata version: {}".format( + args.suricata_version)) + return 1 + logger.info("Forcing Suricata version to %s." % (suricata_version.full)) + elif suricata_path: + suricata_version = engine.get_version(suricata_path) + if suricata_version: + logger.info("Found Suricata version %s at %s." % ( + str(suricata_version.full), suricata_path)) + else: + logger.error("Failed to get Suricata version.") + return 1 + else: + logger.info( + "Using default Suricata version of %s", DEFAULT_SURICATA_VERSION) + suricata_version = engine.parse_version(DEFAULT_SURICATA_VERSION) + + # Provide the Suricata version to the net module to add to the + # User-Agent. + net.set_user_agent_suricata_version(suricata_version.full) + + if args.subcommand: + if args.subcommand == "check-versions" and hasattr(args, "func"): + return args.func(suricata_version) + elif hasattr(args, "func"): + return args.func() + elif args.subcommand != "update": + logger.error("Unknown command: {}".format(args.subcommand)) + return 1 + + if args.dump_sample_configs: + return dump_sample_configs() + + # If --no-ignore was provided, clear any ignores provided in the + # config. + if args.no_ignore: + config.set(config.IGNORE_KEY, []) + + file_tracker = FileTracker() + + disable_matchers = [] + enable_matchers = [] + modify_filters = [] + drop_filters = [] + + # Load user provided disable filters. + disable_conf_filename = config.get("disable-conf") + if disable_conf_filename: + if os.path.exists(disable_conf_filename): + logger.info("Loading %s.", disable_conf_filename) + disable_matchers += load_matchers(disable_conf_filename) + else: + logger.warn("disable-conf file does not exist: {}".format(disable_conf_filename)) + + # Load user provided enable filters. + enable_conf_filename = config.get("enable-conf") + if enable_conf_filename: + if os.path.exists(enable_conf_filename): + logger.info("Loading %s.", enable_conf_filename) + enable_matchers += load_matchers(enable_conf_filename) + else: + logger.warn("enable-conf file does not exist: {}".format(enable_conf_filename)) + + # Load user provided modify filters. + modify_conf_filename = config.get("modify-conf") + if modify_conf_filename: + if os.path.exists(modify_conf_filename): + logger.info("Loading %s.", modify_conf_filename) + modify_filters += load_filters(modify_conf_filename) + else: + logger.warn("modify-conf file does not exist: {}".format(modify_conf_filename)) + + # Load user provided drop filters. + drop_conf_filename = config.get("drop-conf") + if drop_conf_filename: + if os.path.exists(drop_conf_filename): + logger.info("Loading %s.", drop_conf_filename) + drop_filters += load_drop_filters(drop_conf_filename) + else: + logger.warn("drop-conf file does not exist: {}".format(drop_conf_filename)) + + # Load the Suricata configuration if we can. + suriconf = None + if config.get("suricata-conf") and \ + os.path.exists(config.get("suricata-conf")) and \ + suricata_path and os.path.exists(suricata_path): + logger.info("Loading %s",config.get("suricata-conf")) + try: + suriconf = engine.Configuration.load( + config.get("suricata-conf"), suricata_path=suricata_path) + except subprocess.CalledProcessError: + return 1 + + # Disable rule that are for app-layers that are not enabled. + if suriconf: + for key in suriconf.keys(): + m = re.match(r"app-layer\.protocols\.([^\.]+)\.enabled", key) + if m: + proto = m.group(1) + if not suriconf.is_true(key, ["detection-only"]): + logger.info("Disabling rules for protocol %s", proto) + disable_matchers.append(matchers_mod.ProtoRuleMatcher(proto)) + elif proto == "smb" and suriconf.build_info: + # Special case for SMB rules. For versions less + # than 5, disable smb rules if Rust is not + # available. + if suriconf.build_info["version"].major < 5: + if not "RUST" in suriconf.build_info["features"]: + logger.info("Disabling rules for protocol {}".format(proto)) + disable_matchers.append(matchers_mod.ProtoRuleMatcher(proto)) + + # Check that the cache directory exists and is writable. + if not os.path.exists(config.get_cache_dir()): + try: + os.makedirs(config.get_cache_dir(), mode=0o770) + except Exception as err: + logger.warning( + "Cache directory does not exist and could not be created. " + "/var/tmp will be used instead.") + config.set_cache_dir("/var/tmp") + + files = load_sources(suricata_version) + + load_dist_rules(files) + + rules = [] + classification_files = [] + dep_files = {} + for entry in sorted(files, key = lambda e: e.filename): + if "classification.config" in entry.filename: + classification_files.append((entry.filename, entry.content)) + continue + if not entry.filename.endswith(".rules"): + dep_files.update({entry.filename: entry.content}) + continue + if ignore_file(config.get("ignore"), entry.filename): + logger.info("Ignoring file {}".format(entry.filename)) + continue + logger.debug("Parsing {}".format(entry.filename)) + rules += rule_mod.parse_fileobj(io.BytesIO(entry.content), entry.filename) + + rulemap = build_rule_map(rules) + logger.info("Loaded %d rules." % (len(rules))) + + # Counts of user enabled and modified rules. + enable_count = 0 + modify_count = 0 + drop_count = 0 + + # List of rules disabled by user. Used for counting, and to log + # rules that are re-enabled to meet flowbit requirements. + disabled_rules = [] + + for key, rule in rulemap.items(): + + # To avoid duplicate counts when a rule has more than one modification + # to it, we track the actions here then update the counts at the end. + enabled = False + modified = False + dropped = False + + for matcher in disable_matchers: + if rule.enabled and matcher.match(rule): + logger.debug("Disabling: %s" % (rule.brief())) + rule.enabled = False + disabled_rules.append(rule) + + for matcher in enable_matchers: + if not rule.enabled and matcher.match(rule): + logger.debug("Enabling: %s" % (rule.brief())) + rule.enabled = True + enabled = True + + for fltr in drop_filters: + if fltr.match(rule): + rule = fltr.run(rule) + dropped = True + + for fltr in modify_filters: + if fltr.match(rule): + rule = fltr.run(rule) + modified = True + + if enabled: + enable_count += 1 + if modified: + modify_count += 1 + if dropped: + drop_count += 1 + + rulemap[key] = rule + + # Check if we should disable ja3 rules. + try: + disable_ja3(suriconf, rulemap, disabled_rules) + except Exception as err: + logger.error("Failed to dynamically disable ja3 rules: {}".format(err)) + + # Check rule vars, disabling rules that use unknown vars. + check_vars(suriconf, rulemap) + + logger.info("Disabled %d rules." % (len(disabled_rules))) + logger.info("Enabled %d rules." % (enable_count)) + logger.info("Modified %d rules." % (modify_count)) + logger.info("Dropped %d rules." % (drop_count)) + + # Fixup flowbits. + resolve_flowbits(rulemap, disabled_rules) + + # Check that output directory exists, creating it if needed. + check_output_directory(config.get_output_dir()) + + # Check that output directory is writable. + if not os.access(config.get_output_dir(), os.W_OK): + logger.error( + "Output directory is not writable: {}".format(config.get_output_dir())) + return 1 + + # Backup the output directory. + logger.info("Backing up current rules.") + backup_directory = util.mktempdir() + shutil.copytree(config.get_output_dir(), os.path.join( + backup_directory, "backup"), ignore=copytree_ignore_backup) + + if not args.no_merge: + # The default, write out a merged file. + output_filename = os.path.join( + config.get_output_dir(), DEFAULT_OUTPUT_RULE_FILENAME) + file_tracker.add(output_filename) + write_merged(os.path.join(output_filename), rulemap, dep_files) + else: + for file in files: + file_tracker.add( + os.path.join( + config.get_output_dir(), os.path.basename(file.filename))) + write_to_directory(config.get_output_dir(), files, rulemap, dep_files) + + manage_classification(suriconf, classification_files) + + if args.yaml_fragment: + file_tracker.add(args.yaml_fragment) + write_yaml_fragment(args.yaml_fragment, files) + + if args.sid_msg_map: + write_sid_msg_map(args.sid_msg_map, rulemap, version=1) + if args.sid_msg_map_2: + write_sid_msg_map(args.sid_msg_map_2, rulemap, version=2) + + if args.threshold_in and args.threshold_out: + file_tracker.add(args.threshold_out) + threshold_processor = ThresholdProcessor() + threshold_processor.process( + open(args.threshold_in), open(args.threshold_out, "w"), rulemap) + + if not args.force and not file_tracker.any_modified(): + logger.info("No changes detected, exiting.") + notes.dump_notes() + return 0 + + # Set these containers to None to fee the memory before testing Suricata which + # may consume a lot of memory by itself. Ideally we should refactor this large + # function into multiple methods so these go out of scope and get removed + # automatically. + rulemap = None + rules = None + files = None + + if not test_suricata(suricata_path): + logger.error("Suricata test failed, aborting.") + logger.error("Restoring previous rules.") + copytree( + os.path.join(backup_directory, "backup"), config.get_output_dir()) + return 1 + + if not config.args().no_reload and config.get("reload-command"): + logger.info("Running %s." % (config.get("reload-command"))) + rc = subprocess.Popen(config.get("reload-command"), shell=True).wait() + if rc != 0: + logger.error("Reload command exited with error: {}".format(rc)) + + logger.info("Done.") + + notes.dump_notes() + + return 0 + +def signal_handler(signal, frame): + print('Program interrupted. Aborting...') + sys.exit(1) + +def main(): + signal.signal(signal.SIGINT, signal_handler) + try: + sys.exit(_main()) + except exceptions.ApplicationError as err: + logger.error(err) + sys.exit(1) + +if __name__ == "__main__": + main() diff --git a/suricata/update/maps.py b/suricata/update/maps.py new file mode 100644 index 0000000..8a34f27 --- /dev/null +++ b/suricata/update/maps.py @@ -0,0 +1,215 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2013 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +"""Provide mappings from ID's to descriptions. + +Includes mapping classes for event ID messages and classification +information. +""" + +from __future__ import print_function + +import re + +class SignatureMap(object): + """SignatureMap maps signature IDs to a signature info dict. + + The signature map can be build up from classification.config, + gen-msg.map, and new and old-style sid-msg.map files. + + The dict's in the map will have at a minimum the following + fields: + + * gid *(int)* + * sid *(int)* + * msg *(string)* + * refs *(list of strings)* + + Signatures loaded from a new style sid-msg.map file will also have + *rev*, *classification* and *priority* fields. + + Example:: + + >>> from idstools import maps + >>> sigmap = maps.SignatureMap() + >>> sigmap.load_generator_map(open("tests/gen-msg.map")) + >>> sigmap.load_signature_map(open("tests/sid-msg-v2.map")) + >>> print(sigmap.get(1, 2495)) + {'classification': 'misc-attack', 'rev': 8, 'priority': 0, 'gid': 1, + 'sid': 2495, + 'msg': 'GPL NETBIOS SMB DCEPRC ORPCThis request flood attempt', + 'ref': ['bugtraq,8811', 'cve,2003-0813', 'nessus,12206', + 'url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx']} + + """ + + def __init__(self): + self.map = {} + + def size(self): + return len(self.map) + + def get(self, generator_id, signature_id): + """Get signature info by generator_id and signature_id. + + :param generator_id: The generator id of the signature to lookup. + :param signature_id: The signature id of the signature to lookup. + + For convenience, if the generator_id is 3 and the signature is + not found, a second lookup will be done using a generator_id + of 1. + + """ + + key = (generator_id, signature_id) + sig = self.map.get(key) + if sig is None and generator_id == 3: + return self.get(1, signature_id) + return sig + + def load_generator_map(self, fileobj): + """Load the generator message map (gen-msg.map) from a + file-like object. + + """ + for line in fileobj: + line = line.strip() + if not line or line.startswith("#"): + continue + gid, sid, msg = [part.strip() for part in line.split("||")] + entry = { + "gid": int(gid), + "sid": int(sid), + "msg": msg, + "refs": [], + } + self.map[(entry["gid"], entry["sid"])] = entry + + def load_signature_map(self, fileobj, defaultgid=1): + """Load signature message map (sid-msg.map) from a file-like + object. + + """ + + for line in fileobj: + line = line.strip() + if not line or line.startswith("#"): + continue + parts = [p.strip() for p in line.split("||")] + + # If we have at least 6 parts, attempt to parse as a v2 + # signature map file. + try: + entry = { + "gid": int(parts[0]), + "sid": int(parts[1]), + "rev": int(parts[2]), + "classification": parts[3], + "priority": int(parts[4]), + "msg": parts[5], + "ref": parts[6:], + } + except: + entry = { + "gid": defaultgid, + "sid": int(parts[0]), + "msg": parts[1], + "ref": parts[2:], + } + self.map[(entry["gid"], entry["sid"])] = entry + +class ClassificationMap(object): + """ClassificationMap maps classification IDs and names to a dict + object describing a classification. + + :param fileobj: (Optional) A file like object to load + classifications from on initialization. + + The classification dicts stored in the map have the following + fields: + + * name *(string)* + * description *(string)* + * priority *(int)* + + Example:: + + >>> from idstools import maps + >>> classmap = maps.ClassificationMap() + >>> classmap.load_from_file(open("tests/classification.config")) + + >>> classmap.get(3) + {'priority': 2, 'name': 'bad-unknown', 'description': 'Potentially Bad Traffic'} + >>> classmap.get_by_name("bad-unknown") + {'priority': 2, 'name': 'bad-unknown', 'description': 'Potentially Bad Traffic'} + + """ + + def __init__(self, fileobj=None): + self.id_map = [] + self.name_map = {} + + if fileobj: + self.load_from_file(fileobj) + + def size(self): + return len(self.id_map) + + def add(self, classification): + """Add a classification to the map.""" + self.id_map.append(classification) + self.name_map[classification["name"]] = classification + + def get(self, class_id): + """Get a classification by ID. + + :param class_id: The classification ID to get. + + :returns: A dict describing the classification or None. + + """ + if 0 < class_id <= len(self.id_map): + return self.id_map[class_id - 1] + else: + return None + + def get_by_name(self, name): + """Get a classification by name. + + :param name: The name of the classification + + :returns: A dict describing the classification or None. + + """ + if name in self.name_map: + return self.name_map[name] + else: + return None + + def load_from_file(self, fileobj): + """Load classifications from a Snort style + classification.config file object. + + """ + pattern = "config classification: ([^,]+),([^,]+),([^,]+)" + for line in fileobj: + m = re.match(pattern, line.strip()) + if m: + self.add({ + "name": m.group(1), + "description": m.group(2), + "priority": int(m.group(3))}) diff --git a/suricata/update/matchers.py b/suricata/update/matchers.py new file mode 100644 index 0000000..56a9e29 --- /dev/null +++ b/suricata/update/matchers.py @@ -0,0 +1,331 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +# This module contains functions for matching rules for disabling, +# enabling, converting to drop or modification. + +import re +import os.path +import logging +import shlex +import fnmatch +import suricata.update.rule + + +logger = logging.getLogger() + + +class AllRuleMatcher(object): + """Matcher object to match all rules. """ + + def match(self, rule): + return True + + @classmethod + def parse(cls, buf): + if buf.strip() == "*": + return cls() + return None + + +class ProtoRuleMatcher: + """A rule matcher that matches on the protocol of a rule.""" + + def __init__(self, proto): + self.proto = proto + + def match(self, rule): + return rule.proto == self.proto + + +class IdRuleMatcher(object): + """Matcher object to match an idstools rule object by its signature + ID.""" + + def __init__(self, generatorId=None, signatureId=None): + self.signatureIds = [] + if generatorId and signatureId: + self.signatureIds.append((generatorId, signatureId)) + + def match(self, rule): + for (generatorId, signatureId) in self.signatureIds: + if generatorId == rule.gid and signatureId == rule.sid: + return True + return False + + @classmethod + def parse(cls, buf): + matcher = cls() + + for entry in buf.split(","): + entry = entry.strip() + + parts = entry.split(":", 1) + if not parts: + return None + if len(parts) == 1: + try: + signatureId = int(parts[0]) + matcher.signatureIds.append((1, signatureId)) + except: + return None + else: + try: + generatorId = int(parts[0]) + signatureId = int(parts[1]) + matcher.signatureIds.append((generatorId, signatureId)) + except: + return None + + return matcher + + +class FilenameMatcher(object): + """Matcher object to match a rule by its filename. This is similar to + a group but has no specifier prefix. + """ + + def __init__(self, pattern): + self.pattern = pattern + + def match(self, rule): + if hasattr(rule, "group") and rule.group is not None: + return fnmatch.fnmatch(rule.group, self.pattern) + return False + + @classmethod + def parse(cls, buf): + if buf.startswith("filename:"): + try: + group = buf.split(":", 1)[1] + return cls(group.strip()) + except: + pass + return None + + +class GroupMatcher(object): + """Matcher object to match an idstools rule object by its group (ie: + filename). + + The group is just the basename of the rule file with or without + extension. + + Examples: + - emerging-shellcode + - emerging-trojan.rules + + """ + + def __init__(self, pattern): + self.pattern = pattern + + def match(self, rule): + if hasattr(rule, "group") and rule.group is not None: + if fnmatch.fnmatch(os.path.basename(rule.group), self.pattern): + return True + # Try matching against the rule group without the file + # extension. + if fnmatch.fnmatch( + os.path.splitext( + os.path.basename(rule.group))[0], self.pattern): + return True + return False + + @classmethod + def parse(cls, buf): + if buf.startswith("group:"): + try: + logger.debug("Parsing group matcher: %s" % (buf)) + group = buf.split(":", 1)[1] + return cls(group.strip()) + except: + pass + if buf.endswith(".rules"): + return cls(buf.strip()) + return None + + +class ReRuleMatcher(object): + """Matcher object to match an idstools rule object by regular + expression.""" + + def __init__(self, pattern): + self.pattern = pattern + + def match(self, rule): + if self.pattern.search(rule.raw): + return True + return False + + @classmethod + def parse(cls, buf): + if buf.startswith("re:"): + try: + logger.debug("Parsing regex matcher: %s" % (buf)) + patternstr = buf.split(":", 1)[1].strip() + pattern = re.compile(patternstr, re.I) + return cls(pattern) + except: + pass + return None + + +class MetadataRuleMatch(object): + """ Matcher that matches on key/value style metadata fields. Case insensitive. """ + + def __init__(self, key, value): + self.key = key + self.value = value + + def match(self, rule): + for entry in rule.metadata: + parts = entry.strip().split(" ", 1) + if parts[0].strip().lower() == self.key and parts[1].strip().lower() == self.value: + print(rule) + return True + return False + + @classmethod + def parse(cls, buf): + print(buf) + if buf.startswith("metadata:"): + buf = buf.split(":", 1)[1].strip() + parts = buf.split(" ", 1) + if len(parts) == 2: + key = parts[0].strip().lower() + val = parts[1].strip().lower() + return cls(key, val) + return None + + +class ModifyRuleFilter(object): + """Filter to modify an idstools rule object. + + Important note: This filter does not modify the rule inplace, but + instead returns a new rule object with the modification. + """ + + def __init__(self, matcher, pattern, repl): + self.matcher = matcher + self.pattern = pattern + self.repl = repl + + def match(self, rule): + return self.matcher.match(rule) + + def run(self, rule): + modified_rule = self.pattern.sub(self.repl, rule.format()) + parsed = suricata.update.rule.parse(modified_rule, rule.group) + if parsed is None: + logger.error("Modification of rule %s results in invalid rule: %s", + rule.idstr, modified_rule) + return rule + return parsed + + @classmethod + def parse(cls, buf): + tokens = shlex.split(buf) + if len(tokens) == 3: + matchstring, a, b = tokens + elif len(tokens) > 3 and tokens[0] == "modifysid": + matchstring, a, b = tokens[1], tokens[2], tokens[4] + else: + raise Exception("Bad number of arguments.") + matcher = parse_rule_match(matchstring) + if not matcher: + raise Exception("Bad match string: %s" % (matchstring)) + pattern = re.compile(a) + + # Convert Oinkmaster backticks to Python. + b = re.sub(r"\$\{(\d+)\}", "\\\\\\1", b) + + return cls(matcher, pattern, b) + + +class DropRuleFilter(object): + """ Filter to modify an idstools rule object to a drop rule. """ + + def __init__(self, matcher): + self.matcher = matcher + + def match(self, rule): + if rule["noalert"]: + return False + return self.matcher.match(rule) + + def run(self, rule): + drop_rule = suricata.update.rule.parse(re.sub( + r"^\w+", "drop", rule.raw)) + drop_rule.enabled = rule.enabled + return drop_rule + +class AddMetadataFilter(object): + + def __init__(self, matcher, key, val): + self.matcher = matcher + self.key = key + self.val = val + + def match(self, rule): + return self.matcher.match(rule) + + def run(self, rule): + new_rule_string = re.sub(r";\s*\)$", "; metadata: {} {};)".format(self.key, self.val), rule.format()) + new_rule = suricata.update.rule.parse(new_rule_string, rule.group) + if not new_rule: + logger.error("Rule is not valid after adding metadata: [{}]: {}".format(rule.idstr, new_rule_string)) + return rule + return new_rule + + @classmethod + def parse(cls, buf): + try: + command, match_string, key, val = shlex.split(buf) + except: + raise Exception("metadata-add: invalid number of arguments") + matcher = parse_rule_match(match_string) + if not matcher: + raise Exception("Bad match string: %s" % (matchstring)) + return cls(matcher, key, val) + + +def parse_rule_match(match): + matcher = AllRuleMatcher.parse(match) + if matcher: + return matcher + + matcher = IdRuleMatcher.parse(match) + if matcher: + return matcher + + matcher = ReRuleMatcher.parse(match) + if matcher: + return matcher + + matcher = FilenameMatcher.parse(match) + if matcher: + return matcher + + matcher = GroupMatcher.parse(match) + if matcher: + return matcher + + matcher = MetadataRuleMatch.parse(match) + if matcher: + return matcher + + return None diff --git a/suricata/update/net.py b/suricata/update/net.py new file mode 100644 index 0000000..eac060e --- /dev/null +++ b/suricata/update/net.py @@ -0,0 +1,175 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2013 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +""" Module for network related operations. """ + +import platform +import logging +import ssl +import re + +try: + # Python 3.3... + from urllib.request import urlopen, build_opener + from urllib.error import HTTPError + from urllib.request import HTTPSHandler +except ImportError: + # Python 2.6, 2.7. + from urllib2 import urlopen, build_opener + from urllib2 import HTTPError + from urllib2 import HTTPSHandler + +from suricata.update.version import version +from suricata.update import config +from suricata.update import osinfo + +logger = logging.getLogger() + +# Number of bytes to read at a time in a GET request. +GET_BLOCK_SIZE = 8192 + +user_agent_suricata_verison = "Unknown" +custom_user_agent = None + +def set_custom_user_agent(ua): + global custom_user_agent + custom_user_agent = ua + +def set_user_agent_suricata_version(version): + global user_agent_suricata_verison + user_agent_suricata_verison = version + +def build_user_agent(): + params = [] + has_custom_user_agent = config.has("user-agent") + if has_custom_user_agent: + user_agent = config.get("user-agent") + if user_agent is None or len(user_agent.strip()) == 0: + logger.debug("Suppressing HTTP User-Agent header") + return None + return user_agent + + params = [] + try: + params.append("OS: {}".format(platform.system())) + except Exception as err: + logger.error("Failed to set user-agent OS: {}".format(str(err))) + try: + params.append("CPU: {}".format(osinfo.arch())) + except Exception as err: + logger.error("Failed to set user-agent architecture: {}".format(str(err))) + try: + params.append("Python: {}".format(platform.python_version())) + except Exception as err: + logger.error("Failed to set user-agent python version: {}".format(str(err))) + try: + params.append("Dist: {}".format(osinfo.dist())) + except Exception as err: + logger.error("Failed to set user-agent distribution: {}".format(str(err))) + + params.append("Suricata: %s" % (user_agent_suricata_verison)) + + return "Suricata-Update/%s (%s)" % ( + version, "; ".join(params)) + + +def is_header_clean(header): + if len(header) != 2: + return False + name, val = header[0].strip(), header[1].strip() + if re.match( r"^[\w-]+$", name) and re.match(r"^[\w\s -~]+$", val): + return True + return False + + +def get(url, fileobj, progress_hook=None): + """ Perform a GET request against a URL writing the contents into + the provided file-like object. + + :param url: The URL to fetch + :param fileobj: The fileobj to write the content to + :param progress_hook: The function to call with progress updates + + :returns: Returns a tuple containing the number of bytes read and + the result of the info() function from urllib2.urlopen(). + + :raises: Exceptions from urllib2.urlopen() and writing to the + provided fileobj may occur. + """ + + user_agent = build_user_agent() + + try: + # Wrap in a try as Python versions prior to 2.7.9 don't have + # create_default_context, but some distros have backported it. + ssl_context = ssl.create_default_context() + if config.get("no-check-certificate"): + logger.debug("Disabling SSL/TLS certificate verification.") + ssl_context.check_hostname = False + ssl_context.verify_mode = ssl.CERT_NONE + opener = build_opener(HTTPSHandler(context=ssl_context)) + except: + opener = build_opener() + + if user_agent: + logger.debug("Setting HTTP User-Agent to %s", user_agent) + http_headers = [("User-Agent", user_agent)] + else: + http_headers = [(header, value) for header, + value in opener.addheaders if header.lower() != "user-agent"] + if isinstance(url, tuple): + header = url[1].split(":") if url[1] is not None else None + if header and is_header_clean(header=header): + name, val = header[0].strip(), header[1].strip() + logger.debug("Setting HTTP header %s to %s", name, val) + http_headers.append((name, val)) + elif header: + logger.error("Header not set as it does not meet the criteria") + url = url[0] + opener.addheaders = http_headers + + try: + remote = opener.open(url, timeout=30) + except ValueError as ve: + logger.error(ve) + else: + info = remote.info() + content_length = info.get("content-length") + content_length = int(content_length) if content_length else 0 + bytes_read = 0 + while True: + buf = remote.read(GET_BLOCK_SIZE) + if not buf: + # EOF + break + bytes_read += len(buf) + fileobj.write(buf) + if progress_hook: + progress_hook(content_length, bytes_read) + remote.close() + fileobj.flush() + return bytes_read, info + + +if __name__ == "__main__": + + import sys + + try: + get(sys.argv[1], sys.stdout) + except Exception as err: + print("ERROR: %s" % (err)) diff --git a/suricata/update/notes.py b/suricata/update/notes.py new file mode 100644 index 0000000..6288781 --- /dev/null +++ b/suricata/update/notes.py @@ -0,0 +1,60 @@ +# Copyright (C) 2018 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import textwrap + +# Address group notes. +address_group_vars = set() + +# Port group notes. +port_group_vars = set() + +# Template for missing address-group variable. +missing_address_group_var_template = """ +A rule has been disabled due to the unknown address-group variable +%(var)s being used. You may want to add this variable to your Suricata +configuration file. +""" + +# Template for missing port-group variable. +missing_port_group_var_template = """ +A rule has been disabled due to the unknown port-group variable +%(var)s being used. You may want to add this variable to your Suricata +configuration file. +""" + +def render_note(note): + lines = textwrap.wrap(note.strip().replace("\n", " ")) + print("* %s" % (lines[0])) + for line in lines[1:]: + print(" %s" % (line)) + +def dump_notes(): + notes = [] + + for var in address_group_vars: + notes.append(missing_address_group_var_template % {"var": var}) + + for var in port_group_vars: + notes.append(missing_port_group_var_template % {"var": var}) + + if notes: + print("\nNotes:\n") + for note in notes: + render_note(note) + print("") diff --git a/suricata/update/osinfo.py b/suricata/update/osinfo.py new file mode 100644 index 0000000..c3e417b --- /dev/null +++ b/suricata/update/osinfo.py @@ -0,0 +1,75 @@ +# Copyright (C) 2020 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import re +import os.path +import platform + +def parse_os_release(filename="/etc/os-release"): + os_release={} + + if not os.path.exists(filename): + return os_release + + with open(filename) as fileobj: + for line in fileobj: + line = line.strip() + m = re.match(r"^(\w+)=\"?(.*?)\"?$", line) + if m: + os_release[m.group(1)] = m.group(2) + return os_release + +def dist(): + os_release = parse_os_release() + if "NAME" in os_release: + version_fields = ["VERSION_ID", "BUILD_ID"] + for vf in version_fields: + if vf in os_release: + return "{}/{}".format(os_release["NAME"], os_release[vf]) + return os_release["NAME"] + + # Arch may or may not have /etc/os-release, but its easy to + # detect. + if os.path.exists("/etc/arch-release"): + return "Arch Linux" + + # Uname fallback. + uname = platform.uname() + return "{}/{}".format(uname[0], uname[2]) + +normalized_arch = { + "amd64": "x86_64", +} + +def arch(): + """Return the machine architecture. """ + machine = platform.machine() + return normalized_arch.get(machine, machine) + +if __name__ == "__main__": + # Build a user agent string. Something like: + # Suricata-Update/1.2.0dev0 (OS: Linux; \ + # CPU: x86_64; \ + # Python: 3.7.7; \ + # Dist: Fedora/31; \ + # Suricata: 4.0.0) + parts = [] + parts.append("OS: {}".format(platform.system())) + parts.append("CPU: {}".format(arch())) + parts.append("Python: {}".format(platform.python_version())) + parts.append("Dist: {}".format(dist())) + + print("Suricata-Update/1.2.0dev0 ({})".format("; ".join(parts))) diff --git a/suricata/update/parsers.py b/suricata/update/parsers.py new file mode 100644 index 0000000..185205c --- /dev/null +++ b/suricata/update/parsers.py @@ -0,0 +1,268 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2015-2017 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +# This module contains functions for command line parsers for +# suricata-update + +import argparse +import sys +from suricata.update import commands, config + +from suricata.update.version import version + +try: + from suricata.update.revision import revision +except: + revision = None + +default_update_yaml = config.DEFAULT_UPDATE_YAML_PATH + +show_advanced = False + +if "-s" in sys.argv or "--show-advanced" in sys.argv: + show_advanced = True + +# Global arguments - command line options for suricata-update +global_arg = [ + (("-v", "--verbose"), + {'action': 'store_true', 'default': None, + 'help': "Be more verbose"}), + (("-q", "--quiet"), + {'action': 'store_true', 'default': None, + 'help': "Be quiet, warning and error messages only"}), + (("-D", "--data-dir"), + {'metavar': '', 'dest': 'data_dir', + 'help': "Data directory (default: /var/lib/suricata)"}), + (("-c", "--config"), + {'metavar': '', + 'help': "configuration file (default: %s)" % (default_update_yaml)}), + (("--suricata-conf",), + {'metavar': '', + 'help': "configuration file (default: /etc/suricata/suricata.yaml)"}), + (("--suricata",), + {'metavar': '', + 'help': "Path to Suricata program"}), + (("--suricata-version",), + {'metavar': '', + 'help': "Override Suricata version"}), + (("--user-agent",), + {'metavar': '', + 'help': "Set custom user-agent string" + if show_advanced else argparse.SUPPRESS}), + (("--no-check-certificate",), + {'action': 'store_true', 'default': None, + 'help': "Disable server SSL/TLS certificate verification" + if show_advanced else argparse.SUPPRESS}), + (("-V", "--version"), + {'action': 'store_true', 'default': False, + 'help': "Display version"}), + (("-s","--show-advanced"), + {'action': 'store_true', + 'help': "Show advanced options"}), +] + +# Update arguments - command line options for suricata-update +update_arg = [ + (("-o", "--output"), + {'metavar': '', 'dest': 'output', + 'help': "Directory to write rules to"}), + (("-f", "--force"), + {'action': 'store_true', 'default': False, + 'help': "Force operations that might otherwise be skipped"}), + (("--yaml-fragment",), + {'metavar': '', + 'help': "Output YAML fragment for rule inclusion" + if show_advanced else argparse.SUPPRESS}), + (("--url",), + {'metavar': '', 'action': 'append', 'default': [], + 'help': "URL to use instead of auto-generating one " + "(can be specified multiple times)" + if show_advanced else argparse.SUPPRESS}), + (("--local",), + {'metavar': '', 'action': 'append', 'default': [], + 'help': "Local rule files or directories " + "(can be specified multiple times)" + if show_advanced else argparse.SUPPRESS}), + (("--sid-msg-map",), + {'metavar': '', + 'help': "Generate a sid-msg.map file" + if show_advanced else argparse.SUPPRESS}), + (("--sid-msg-map-2",), + {'metavar': '', + 'help': "Generate a v2 sid-msg.map file" + if show_advanced else argparse.SUPPRESS}), + + (("--disable-conf",), + {'metavar': '', + 'help': "Filename of rule disable filters"}), + (("--enable-conf",), + {'metavar': '', + 'help': "Filename of rule enable filters"}), + (("--modify-conf",), + {'metavar': '', + 'help': "Filename of rule modification filters"}), + (("--drop-conf",), + {'metavar': '', + 'help': "Filename of drop rule filters"}), + + (("--ignore",), + {'metavar': '', 'action': 'append', 'default': None, + 'help': "Filenames to ignore " + "(can be specified multiple times; default: *deleted.rules)" + if show_advanced else argparse.SUPPRESS}), + (("--no-ignore",), + {'action': 'store_true', 'default': False, + 'help': "Disables the ignore option." + if show_advanced else argparse.SUPPRESS}), + (("--threshold-in",), + {'metavar': '', + 'help': "Filename of rule thresholding configuration" + if show_advanced else argparse.SUPPRESS}), + (("--threshold-out",), + {'metavar': '', + 'help': "Output of processed threshold configuration" + if show_advanced else argparse.SUPPRESS}), + (("--dump-sample-configs",), + {'action': 'store_true', 'default': False, + 'help': "Dump sample config files to current directory" + if show_advanced else argparse.SUPPRESS}), + (("--etopen",), + {'action': 'store_true', + 'help': "Use ET-Open rules (default)" + if show_advanced else argparse.SUPPRESS}), + (("--reload-command",), + {'metavar': '', + 'help': "Command to run after update if modified" + if show_advanced else argparse.SUPPRESS}), + (("--no-reload",), + {'action': 'store_true', 'default': False, + 'help': "Disable reload"}), + (("-T", "--test-command"), + {'metavar': '', + 'help': "Command to test Suricata configuration" + if show_advanced else argparse.SUPPRESS}), + (("--no-test",), + {'action': 'store_true', 'default': None, + 'help': "Disable testing rules with Suricata"}), + (("--no-merge",), + {'action': 'store_true', 'default': False, + 'help': "Do not merge the rules into a single file" + if show_advanced else argparse.SUPPRESS}), + (("--offline",), + {'action': 'store_true', + 'help': "Run offline using most recent cached rules"}), + (("--fail",), + {'action': 'store_true', + 'help': "Strictly fail and exit in case of an error"}), + + # Hidden argument, --now to bypass the timebased bypass of + # updating a ruleset. + (("--now",), + {'default': False, 'action': 'store_true', 'help': argparse.SUPPRESS}), + + # The Python 2.7 argparse module does prefix matching which can be + # undesirable. Reserve some names here that would match existing + # options to prevent prefix matching. + (("--disable",), + {'default': False, 'help': argparse.SUPPRESS}), + (("--enable",), + {'default': False, 'help': argparse.SUPPRESS}), + (("--modify",), + {'default': False, 'help': argparse.SUPPRESS}), + (("--drop",), + {'default': False, 'help': argparse.SUPPRESS}) +] + + +def parse_global(): + global_parser = argparse.ArgumentParser(add_help=False) + + for arg, opts in global_arg: + global_parser.add_argument(*arg, **opts) + + return global_parser + + +def parse_update(subparsers, global_parser): + # The "update" (default) sub-command parser. + update_parser = subparsers.add_parser( + "update", add_help=True, parents=[global_parser], + formatter_class=argparse.RawDescriptionHelpFormatter) + + for arg, opts in update_arg: + update_parser.add_argument(*arg, **opts) + + return update_parser + + +def parse_commands(subparsers, global_parser): + commands.listsources.register(subparsers.add_parser( + "list-sources", parents=[global_parser])) + commands.listsources.register(subparsers.add_parser( + "list-enabled-sources", parents=[global_parser])) + commands.addsource.register(subparsers.add_parser( + "add-source", parents=[global_parser])) + commands.updatesources.register(subparsers.add_parser( + "update-sources", parents=[global_parser])) + commands.enablesource.register(subparsers.add_parser( + "enable-source", parents=[global_parser])) + commands.disablesource.register(subparsers.add_parser( + "disable-source", parents=[global_parser])) + commands.removesource.register(subparsers.add_parser( + "remove-source", parents=[global_parser])) + commands.checkversions.register(subparsers.add_parser( + "check-versions", parents=[global_parser])) + + +def parse_arg(): + global_parser = parse_global() + global_args, rem = global_parser.parse_known_args() + + if global_args.version: + revision_string = " (rev: %s)" % (revision) if revision else "" + print("suricata-update version {}{}".format(version, revision_string)) + sys.exit(0) + + if not rem or rem[0].startswith("-"): + rem.insert(0, "update") + + parser = argparse.ArgumentParser() + subparsers = parser.add_subparsers(dest="subcommand", metavar="") + update_parser = parse_update(subparsers, global_parser) + + update_parser.epilog = r"""other commands: + update-sources Update the source index + list-sources List available sources + enable-source Enable a source from the index + disable-source Disable an enabled source + remove-source Remove an enabled or disabled source + add-source Add a new source by URL + check-versions Check version of suricata-update +""" + + parse_commands(subparsers, global_parser) + + args = parser.parse_args(rem) + + # Merge global args into args. + for arg in vars(global_args): + if not hasattr(args, arg): + setattr(args, arg, getattr(global_args, arg)) + elif hasattr(args, arg) and getattr(args, arg) is None: + setattr(args, arg, getattr(global_args, arg)) + + return args diff --git a/suricata/update/rule.py b/suricata/update/rule.py new file mode 100644 index 0000000..169af6c --- /dev/null +++ b/suricata/update/rule.py @@ -0,0 +1,439 @@ +# Copyright (C) 2017-2019 Open Information Security Foundation +# Copyright (c) 2011 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +""" Module for parsing Snort-like rules. + +Parsing is done using regular expressions and the job of this module +is to do its best at parsing out fields of interest from the rule +rather than perform a sanity check. + +The methods that parse multiple rules for a provided input +(parse_file, parse_fileobj) return a list of rules instead of dict +keyed by ID as its not the job of this module to detect or deal with +duplicate signature IDs. +""" + +from __future__ import print_function + +import sys +import re +import logging +import io + +logger = logging.getLogger(__name__) + +# Compile an re pattern for basic rule matching. +rule_pattern = re.compile(r"^(?P#)*[\s#]*" + r"(?P" + r"(?P
[^()]+)" + r"\((?P.*)\)" + r"$)") + +# Rule actions we expect to see. +actions = ( + "alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop") + +class NoEndOfOptionError(Exception): + """Exception raised when the end of option terminator (semicolon) is + missing.""" + pass + +class Rule(dict): + """Class representing a rule. + + The Rule class is a class that also acts like a dictionary. + + Dictionary fields: + + - **group**: The group the rule belongs to, typically the filename. + - **enabled**: True if rule is enabled (uncommented), False is + disabled (commented) + - **action**: The action of the rule (alert, pass, etc) as a + string + - **proto**: The protocol of the rule. + - **direction**: The direction string of the rule. + - **gid**: The gid of the rule as an integer + - **sid**: The sid of the rule as an integer + - **rev**: The revision of the rule as an integer + - **msg**: The rule message as a string + - **flowbits**: List of flowbit options in the rule + - **metadata**: Metadata values as a list + - **references**: References as a list + - **classtype**: The classification type + - **priority**: The rule priority, 0 if not provided + - **noalert**: Is the rule a noalert rule + - **features**: Features required by this rule + - **raw**: The raw rule as read from the file or buffer + + :param enabled: Optional parameter to set the enabled state of the rule + :param action: Optional parameter to set the action of the rule + :param group: Optional parameter to set the group (filename) of the rule + + """ + + def __init__(self, enabled=None, action=None, group=None): + dict.__init__(self) + self["enabled"] = enabled + self["action"] = action + self["proto"] = None + self["source_addr"] = None + self["source_port"] = None + self["direction"] = None + self["dest_addr"] = None + self["dest_port"] = None + self["group"] = group + self["gid"] = 1 + self["sid"] = None + self["rev"] = 0 + self["msg"] = None + self["flowbits"] = [] + self["metadata"] = [] + self["references"] = [] + self["classtype"] = None + self["priority"] = 0 + self["noalert"] = False + + self["features"] = [] + + self["raw"] = None + + def __getattr__(self, name): + return self[name] + + @property + def id(self): + """ The ID of the rule. + + :returns: A tuple (gid, sid) representing the ID of the rule + :rtype: A tuple of 2 ints + """ + return (int(self.gid), int(self.sid)) + + @property + def idstr(self): + """Return the gid and sid of the rule as a string formatted like: + '[GID:SID]'""" + return "[%s:%s]" % (str(self.gid), str(self.sid)) + + def brief(self): + """ A brief description of the rule. + + :returns: A brief description of the rule + :rtype: string + """ + return "%s[%d:%d] %s" % ( + "" if self.enabled else "# ", self.gid, self.sid, self.msg) + + def __hash__(self): + return self["raw"].__hash__() + + def __str__(self): + """ The string representation of the rule. + + If the rule is disabled it will be returned as commented out. + """ + return self.format() + + def format(self): + if self.noalert and not "noalert;" in self.raw: + self.raw = re.sub(r'( *sid\: *[0-9]+\;)', r' noalert;\1', self.raw) + return u"%s%s" % (u"" if self.enabled else u"# ", self.raw) + +def find_opt_end(options): + """ Find the end of an option (;) handling escapes. """ + offset = 0 + + while True: + i = options[offset:].find(";") + if options[offset + i - 1] == "\\": + offset += 2 + else: + return offset + i + +class BadSidError(Exception): + """Raises exception when sid is of type null""" + +def parse(buf, group=None): + """ Parse a single rule for a string buffer. + + :param buf: A string buffer containing a single Snort-like rule + + :returns: An instance of of :py:class:`.Rule` representing the parsed rule + """ + + if type(buf) == type(b""): + buf = buf.decode("utf-8") + buf = buf.strip() + + m = rule_pattern.match(buf) + if not m: + return None + + if m.group("enabled") == "#": + enabled = False + else: + enabled = True + + header = m.group("header").strip() + + rule = Rule(enabled=enabled, group=group) + + # If a decoder rule, the header will be one word. + if len(header.split(" ")) == 1: + action = header + direction = None + else: + states = ["action", + "proto", + "source_addr", + "source_port", + "direction", + "dest_addr", + "dest_port", + ] + state = 0 + + rem = header + while state < len(states): + if not rem: + return None + if rem[0] == "[": + end = rem.find("]") + if end < 0: + return + end += 1 + token = rem[:end].strip() + rem = rem[end:].strip() + else: + end = rem.find(" ") + if end < 0: + token = rem + rem = "" + else: + token = rem[:end].strip() + rem = rem[end:].strip() + + if states[state] == "action": + action = token + elif states[state] == "proto": + rule["proto"] = token + elif states[state] == "source_addr": + rule["source_addr"] = token + elif states[state] == "source_port": + rule["source_port"] = token + elif states[state] == "direction": + direction = token + elif states[state] == "dest_addr": + rule["dest_addr"] = token + elif states[state] == "dest_port": + rule["dest_port"] = token + + state += 1 + + if action not in actions: + return None + + rule["action"] = action + rule["direction"] = direction + rule["header"] = header + + options = m.group("options") + + while True: + if not options: + break + index = find_opt_end(options) + if index < 0: + raise NoEndOfOptionError("no end of option") + option = options[:index].strip() + options = options[index + 1:].strip() + + if option.find(":") > -1: + name, val = [x.strip() for x in option.split(":", 1)] + else: + name = option + val = None + + if name in ["gid", "sid", "rev"]: + rule[name] = int(val) + elif name == "metadata": + if not name in rule: + rule[name] = [] + rule[name] += [v.strip() for v in val.split(",")] + elif name == "flowbits": + rule.flowbits.append(val) + if val and val.find("noalert") > -1: + rule["noalert"] = True + elif name == "noalert": + rule["noalert"] = True + elif name == "reference": + rule.references.append(val) + elif name == "msg": + if val and val.startswith('"') and val.endswith('"'): + val = val[1:-1] + rule[name] = val + else: + rule[name] = val + + if name.startswith("ja3"): + rule["features"].append("ja3") + + if rule["msg"] is None: + rule["msg"] = "" + + if not rule["sid"]: + raise BadSidError("Sid cannot be of type null") + + rule["raw"] = m.group("raw").strip() + + return rule + +def parse_fileobj(fileobj, group=None): + """ Parse multiple rules from a file like object. + + Note: At this time rules must exist on one line. + + :param fileobj: A file like object to parse rules from. + + :returns: A list of :py:class:`.Rule` instances, one for each rule parsed + """ + rules = [] + buf = "" + for line in fileobj: + try: + if type(line) == type(b""): + line = line.decode() + except: + pass + if line.rstrip().endswith("\\"): + buf = "%s%s " % (buf, line.rstrip()[0:-1]) + continue + buf = buf + line + try: + rule = parse(buf, group) + if rule: + rules.append(rule) + except Exception as err: + logger.error("Failed to parse rule: %s: %s", buf.rstrip(), err) + buf = "" + return rules + +def parse_file(filename, group=None): + """ Parse multiple rules from the provided filename. + + :param filename: Name of file to parse rules from + + :returns: A list of :py:class:`.Rule` instances, one for each rule parsed + """ + with io.open(filename, encoding="utf-8") as fileobj: + return parse_fileobj(fileobj, group) + +class FlowbitResolver(object): + + setters = ["set", "setx", "unset", "toggle"] + getters = ["isset", "isnotset"] + + def __init__(self): + self.enabled = [] + + def resolve(self, rules): + required = self.get_required_flowbits(rules) + enabled = self.set_required_flowbits(rules, required) + if enabled: + self.enabled += enabled + return self.resolve(rules) + return self.enabled + + def set_required_flowbits(self, rules, required): + enabled = [] + for rule in [rule for rule in rules.values() if not rule.enabled]: + for option, value in map(self.parse_flowbit, rule.flowbits): + if option in self.setters and value in required: + rule.enabled = True + enabled.append(rule) + return enabled + + def get_required_rules(self, rulemap, flowbits, include_enabled=False): + """Returns a list of rules that need to be enabled in order to satisfy + the list of required flowbits. + + """ + required = [] + + for rule in [rule for rule in rulemap.values()]: + if not rule: + continue + for option, value in map(self.parse_flowbit, rule.flowbits): + if option in self.setters and value in flowbits: + if rule.enabled and not include_enabled: + continue + required.append(rule) + + return required + + def get_required_flowbits(self, rules): + required_flowbits = set() + for rule in [rule for rule in rules.values() if rule and rule.enabled]: + for option, value in map(self.parse_flowbit, rule.flowbits): + if option in self.getters: + required_flowbits.add(value) + return required_flowbits + + def parse_flowbit(self, flowbit): + tokens = flowbit.split(",", 1) + if len(tokens) == 1: + return tokens[0], None + elif len(tokens) == 2: + return tokens[0], tokens[1] + else: + raise Exception("Flowbit parse error on %s" % (flowbit)) + +def enable_flowbit_dependencies(rulemap): + """Helper function to resolve flowbits, wrapping the FlowbitResolver + class. """ + resolver = FlowbitResolver() + return resolver.resolve(rulemap) + +def format_sidmsgmap(rule): + """ Format a rule as a sid-msg.map entry. """ + try: + return " || ".join([str(rule.sid), rule.msg] + rule.references) + except: + logger.error("Failed to format rule as sid-msg.map: %s" % (str(rule))) + return None + +def format_sidmsgmap_v2(rule): + """ Format a rule as a v2 sid-msg.map entry. + + eg: + gid || sid || rev || classification || priority || msg || ref0 || refN + """ + try: + return " || ".join([ + str(rule.gid), str(rule.sid), str(rule.rev), + "NOCLASS" if rule.classtype is None else rule.classtype, + str(rule.priority), rule.msg] + rule.references) + except: + logger.error("Failed to format rule as sid-msg-v2.map: %s" % ( + str(rule))) + return None + +def parse_var_names(var): + """ Parse out the variable names from a string. """ + if var is None: + return [] + return re.findall(r"\$([\w_]+)", var) diff --git a/suricata/update/sources.py b/suricata/update/sources.py new file mode 100644 index 0000000..a5bc673 --- /dev/null +++ b/suricata/update/sources.py @@ -0,0 +1,207 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import sys +import os +import logging +import io +import argparse + +import yaml + +from suricata.update import config +from suricata.update import net +from suricata.update import util +from suricata.update import loghandler +from suricata.update.data.index import index as bundled_index + +logger = logging.getLogger() + +DEFAULT_SOURCE_INDEX_URL = "https://www.openinfosecfoundation.org/rules/index.yaml" +SOURCE_INDEX_FILENAME = "index.yaml" + +DEFAULT_ETOPEN_URL = "https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz" + +def get_source_directory(): + """Return the directory where source configuration files are kept.""" + return os.path.join(config.get_state_dir(), config.SOURCE_DIRECTORY) + +def get_index_filename(): + return os.path.join(config.get_cache_dir(), SOURCE_INDEX_FILENAME) + +def get_sources_from_dir(): + """Return names of all files existing in the sources dir""" + source_dir = get_source_directory() + source_names = [] + (_, _, fnames) = next(os.walk(source_dir)) + source_names = [".".join(fname.split('.')[:-1]) for fname in fnames] + return source_names + +def get_enabled_source_filename(name): + return os.path.join(get_source_directory(), "%s.yaml" % ( + safe_filename(name))) + +def get_disabled_source_filename(name): + return os.path.join(get_source_directory(), "%s.yaml.disabled" % ( + safe_filename(name))) + +def source_name_exists(name): + """Return True if a source already exists with name.""" + if os.path.exists(get_enabled_source_filename(name)) or \ + os.path.exists(get_disabled_source_filename(name)): + return True + return False + +def source_index_exists(config): + """Return True if the source index file exists.""" + return os.path.exists(get_index_filename()) + +def get_source_index_url(): + if os.getenv("SOURCE_INDEX_URL"): + return os.getenv("SOURCE_INDEX_URL") + return DEFAULT_SOURCE_INDEX_URL + +def save_source_config(source_config): + if not os.path.exists(get_source_directory()): + logger.info("Creating directory %s", get_source_directory()) + os.makedirs(get_source_directory()) + with open(get_enabled_source_filename(source_config.name), "w") as fileobj: + fileobj.write(yaml.safe_dump( + source_config.dict(), default_flow_style=False)) + +class SourceConfiguration: + + def __init__(self, name, header=None, url=None, + params={}, checksum=True): + self.name = name + self.url = url + self.params = params + self.header = header + self.checksum = checksum + + def dict(self): + d = { + "source": self.name, + } + if self.url: + d["url"] = self.url + if self.params: + d["params"] = self.params + if self.header: + d["http-header"] = self.header + if self.checksum: + d["checksum"] = self.checksum + return d + +class Index: + + def __init__(self, filename): + self.filename = filename + self.index = {} + self.load() + + def load(self): + if os.path.exists(self.filename): + index = yaml.safe_load(open(self.filename, "rb")) + self.index = index + else: + self.index = bundled_index + + def resolve_url(self, name, params={}): + if not name in self.index["sources"]: + raise Exception("Source name not in index: %s" % (name)) + source = self.index["sources"][name] + try: + return source["url"] % params + except KeyError as err: + raise Exception("Missing URL parameter: %s" % (str(err.args[0]))) + + def get_sources(self): + return self.index["sources"] + + def get_source_by_name(self, name): + if name in self.index["sources"]: + return self.index["sources"][name] + return None + + def get_versions(self): + try: + return self.index["versions"] + except KeyError: + logger.error("Version information not in index. Please update with suricata-update update-sources.") + sys.exit(1) + +def load_source_index(config): + return Index(get_index_filename()) + +def get_enabled_sources(): + """Return a map of enabled sources, keyed by name.""" + if not os.path.exists(get_source_directory()): + return {} + sources = {} + for dirpath, dirnames, filenames in os.walk(get_source_directory()): + for filename in filenames: + if filename.endswith(".yaml"): + path = os.path.join(dirpath, filename) + logger.debug("Loading source specification file {}".format(path)) + source = yaml.safe_load(open(path, "rb")) + + if not "source" in source: + logger.error("Source specification file missing field \"source\": filename: {}".format( + path)) + continue + + sources[source["source"]] = source + + if "params" in source: + for param in source["params"]: + if param.startswith("secret"): + loghandler.add_secret(source["params"][param], param) + + return sources + +def remove_source(config): + name = config.args.name + + enabled_source_filename = get_enabled_source_filename(name) + if os.path.exists(enabled_source_filename): + logger.debug("Deleting file %s.", enabled_source_filename) + os.remove(enabled_source_filename) + logger.info("Source %s removed, previously enabled.", name) + return 0 + + disabled_source_filename = get_disabled_source_filename(name) + if os.path.exists(disabled_source_filename): + logger.debug("Deleting file %s.", disabled_source_filename) + os.remove(disabled_source_filename) + logger.info("Source %s removed, previously disabled.", name) + return 0 + + logger.warning("Source %s does not exist.", name) + return 1 + +def safe_filename(name): + """Utility function to make a source short-name safe as a + filename.""" + name = name.replace("/", "-") + return name + +def get_etopen_url(params): + if os.getenv("ETOPEN_URL"): + return os.getenv("ETOPEN_URL") % params + return DEFAULT_ETOPEN_URL % params diff --git a/suricata/update/util.py b/suricata/update/util.py new file mode 100644 index 0000000..50788d8 --- /dev/null +++ b/suricata/update/util.py @@ -0,0 +1,98 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2013 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +""" Module for utility functions that don't really fit anywhere else. """ + +import hashlib +import tempfile +import atexit +import shutil +import zipfile + +def md5_hexdigest(filename): + """ Compute the MD5 checksum for the contents of the provided filename. + + :param filename: Filename to computer MD5 checksum of. + + :returns: A string representing the hex value of the computed MD5. + """ + return hashlib.md5(open(filename).read().encode()).hexdigest() + +def mktempdir(delete_on_exit=True): + """ Create a temporary directory that is removed on exit. """ + tmpdir = tempfile.mkdtemp("suricata-update") + if delete_on_exit: + atexit.register(shutil.rmtree, tmpdir, ignore_errors=True) + return tmpdir + +class ZipArchiveReader: + + def __init__(self, zipfile): + self.zipfile = zipfile + self.names = self.zipfile.namelist() + + def __iter__(self): + return self + + def __enter__(self): + return self + + def __exit__(self, type, value, traceback): + self.zipfile.close() + + def next(self): + if self.names: + name = self.names.pop(0) + if name.endswith("/"): + # Is a directory, ignore + return self.next() + return name + raise StopIteration + + def open(self, name): + return self.zipfile.open(name) + + def read(self, name): + return self.zipfile.read(name) + + @classmethod + def from_fileobj(cls, fileobj): + zf = zipfile.ZipFile(fileobj) + return cls(zf) + +GREEN = "\x1b[32m" +BLUE = "\x1b[34m" +REDB = "\x1b[1;31m" +YELLOW = "\x1b[33m" +RED = "\x1b[31m" +YELLOWB = "\x1b[1;33m" +ORANGE = "\x1b[38;5;208m" +BRIGHT_MAGENTA = "\x1b[1;35m" +BRIGHT_CYAN = "\x1b[1;36m" +RESET = "\x1b[0m" + +def blue(msg): + return "%s%s%s" % (BLUE, msg, RESET) + +def bright_magenta(msg): + return "%s%s%s" % (BRIGHT_MAGENTA, msg, RESET) + +def bright_cyan(msg): + return "%s%s%s" % (BRIGHT_CYAN, msg, RESET) + +def orange(msg): + return "%s%s%s" % (ORANGE, msg, RESET) diff --git a/suricata/update/version.py b/suricata/update/version.py new file mode 100644 index 0000000..75d1205 --- /dev/null +++ b/suricata/update/version.py @@ -0,0 +1,7 @@ +# Version format: +# Release: 1.0.0 +# Beta: 1.0.0b1 +# Alpha: 1.0.0a1 +# Development: 1.0.0dev0 +# Release candidate: 1.0.0rc1 +version = "1.3.2" diff --git a/tests/classification1.config b/tests/classification1.config new file mode 100644 index 0000000..f00276f --- /dev/null +++ b/tests/classification1.config @@ -0,0 +1,51 @@ + +# +# config classification:shortname,short description,priority +# + +config classification: not-suspicious,Not Suspicious Traffic,3 +config classification: unknown,Unknown Traffic,3 +config classification: bad-unknown,Potentially Bad Traffic, 2 +config classification: attempted-recon,Attempted Information Leak,2 +config classification: successful-recon-limited,Information Leak,2 +config classification: successful-recon-largescale,Large Scale Information Leak,2 +config classification: attempted-dos,Attempted Denial of Service,2 +config classification: successful-dos,Denial of Service,2 +config classification: attempted-user,Attempted User Privilege Gain,1 +config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 +config classification: successful-user,Successful User Privilege Gain,1 +config classification: attempted-admin,Attempted Administrator Privilege Gain,1 +config classification: successful-admin,Successful Administrator Privilege Gain,1 + +# NEW CLASSIFICATIONS +config classification: rpc-portmap-decode,Decode of an RPC Query,2 +config classification: shellcode-detect,Executable code was detected,1 +config classification: string-detect,A suspicious string was detected,3 +config classification: suspicious-filename-detect,A suspicious filename was detected,2 +config classification: suspicious-login,An attempted login using a suspicious username was detected,2 +config classification: system-call-detect,A system call was detected,2 +config classification: tcp-connection,A TCP connection was detected,4 +config classification: trojan-activity,A Network Trojan was detected, 1 +config classification: unusual-client-port-connection,A client was using an unusual port,2 +config classification: network-scan,Detection of a Network Scan,3 +config classification: denial-of-service,Detection of a Denial of Service Attack,2 +config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 +config classification: protocol-command-decode,Generic Protocol Command Decode,3 +config classification: web-application-activity,access to a potentially vulnerable web application,2 +config classification: web-application-attack,Web Application Attack,1 +config classification: misc-activity,Misc activity,3 +config classification: misc-attack,Misc Attack,2 +config classification: icmp-event,Generic ICMP event,3 +config classification: kickass-porn,SCORE! Get the lotion!,1 +config classification: policy-violation,Potential Corporate Privacy Violation,1 +config classification: default-login-attempt,Attempt to login by a default username and password,2 + +# Update +config classification: targeted-activity,Targeted Malicious Activity was Detected,1 +config classification: exploit-kit,Exploit Kit Activity Detected,1 +config classification: external-ip-check,Device Retrieving External IP Address Detected,2 +config classification: domain-c2,Domain Observed Used for C2 Detected,1 +config classification: pup-activity,Possibly Unwanted Program Detected,2 +config classification: credential-theft,Successful Credential Theft Detected,1 +config classification: social-engineering,Possible Social Engineering Attempted,2 +config classification: coin-mining,Crypto Currency Mining Activity Detected,2 diff --git a/tests/classification2.config b/tests/classification2.config new file mode 100644 index 0000000..d470ab5 --- /dev/null +++ b/tests/classification2.config @@ -0,0 +1,54 @@ + +# +# config classification:shortname,short description,priority +# + +config classification: not-suspicious,Not Suspicious Traffic,3 +config classification: unknown,Unknown Traffic,3 +config classification: bad-unknown,Potentially Bad Traffic, 2 +config classification: attempted-recon,Attempted Information Leak,2 +config classification: successful-recon-limited,Information Leak,2 +config classification: successful-recon-largescale,Large Scale Information Leak,2 +config classification: attempted-dos,Attempted Denial of Service,2 +config classification: successful-dos,Denial of Service,2 +config classification: attempted-user,Attempted User Privilege Gain,1 +config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 +config classification: successful-user,Successful User Privilege Gain,1 +config classification: attempted-admin,Attempted Administrator Privilege Gain,1 +config classification: successful-admin,Successful Administrator Privilege Gain,1 + +# NEW CLASSIFICATIONS +config classification: rpc-portmap-decode,Decode of an RPC Query,2 +config classification: shellcode-detect,Executable code was detected,1 +config classification: string-detect,A suspicious string was detected,3 +config classification: suspicious-filename-detect,A suspicious filename was detected,2 +config classification: suspicious-login,An attempted login using a suspicious username was detected,2 +config classification: system-call-detect,A system call was detected,2 +config classification: tcp-connection,A TCP connection was detected,4 +config classification: trojan-activity,A Network Trojan was detected, 1 +config classification: unusual-client-port-connection,A client was using an unusual port,2 +config classification: network-scan,Detection of a Network Scan,3 +config classification: denial-of-service,Detection of a Denial of Service Attack,2 +config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 +config classification: protocol-command-decode,Generic Protocol Command Decode,3 +config classification: web-application-activity,access to a potentially vulnerable web application,2 +config classification: web-application-attack,Web Application Attack,1 +config classification: misc-activity,Misc activity,3 +config classification: misc-attack,Misc Attack,5 +config classification: icmp-event,Generic ICMP event,3 +config classification: kickass-porn,SCORE! Get the lotion!,1 +config classification: policy-violation,Potential Corporate Privacy Violation,1 +config classification: default-login-attempt,Attempt to login by a default username and password,2 + +# Update +config classification: targeted-activity,Targeted Malicious Activity was Detected,1 +config classification: exploit-kit,Exploit Kit Activity Detected,1 +config classification: external-ip-check,Device Retrieving External IP Address Detected,2 +config classification: domain-c2,Domain Observed Used for C2 Detected,1 +config classification: pup-activity,Possibly Unwanted Program Detected,2 +config classification: credential-theft,Successful Credential Theft Detected,1 +config classification: social-engineering,Possible Social Engineering Attempted,2 +config classification: coin-mining,Crypto Currency Mining Activity Detected,2 +config classification: coin-mining-test-1,Crypto Currency Mining Activity Detected Test 1,2 +config classification: coin-mining-test-2,Crypto Currency Mining Activity Detected Test 2,4 + diff --git a/tests/docker-centos-7/Dockerfile b/tests/docker-centos-7/Dockerfile new file mode 100644 index 0000000..fdf1814 --- /dev/null +++ b/tests/docker-centos-7/Dockerfile @@ -0,0 +1,25 @@ +FROM centos:7 + +RUN yum -y install epel-release +RUN yum -y install \ + git \ + python-yaml \ + python-pip \ + pytest \ + python34-yaml \ + python34-pytest \ + python34-pip \ + findutils + +COPY / /src +RUN find /src -name \*.pyc -delete + +ENV PYTEST2 py.test +ENV PYTEST3 py.test-3 + +ENV PIP2 pip2 +ENV PIP3 pip3 + +WORKDIR /src + +CMD ["./tests/docker-centos-7/run.sh"] diff --git a/tests/docker-centos-7/Makefile b/tests/docker-centos-7/Makefile new file mode 100644 index 0000000..619f3f2 --- /dev/null +++ b/tests/docker-centos-7/Makefile @@ -0,0 +1,6 @@ +TAG := suricata-update/tests/centos-7 + +all: + docker build -t $(TAG) -f Dockerfile ../.. + docker run --rm -it $(TAG) + diff --git a/tests/docker-centos-7/README.md b/tests/docker-centos-7/README.md new file mode 100644 index 0000000..c0b6664 --- /dev/null +++ b/tests/docker-centos-7/README.md @@ -0,0 +1,11 @@ +This is a live test of Suricata-Update in a CentOS 7 Docker image. + +The following tests are performed: +- Unit tests with Python 2 and Python 3. +- Installation with Python 2 pip. +- Various commands run as a user might with Python 2 install. +- Installation with Python 3 pip. +- Various commands run as a user might with Python 3 install. + +This test is "live" as the index and rule files will be downloaded +from the internet. diff --git a/tests/docker-centos-7/run.sh b/tests/docker-centos-7/run.sh new file mode 100755 index 0000000..23e52f0 --- /dev/null +++ b/tests/docker-centos-7/run.sh @@ -0,0 +1,54 @@ +#! /bin/sh + +set -e +set -x + +# Test the commands in a scenario a user might. +test_commands() { + # Cleanup. + rm -rf /var/lib/suricata + + suricata-update + test -e /var/lib/suricata/rules/suricata.rules + + suricata-update update-sources + test -e /var/lib/suricata/update/cache/index.yaml + + suricata-update enable-source oisf/trafficid + test -e /var/lib/suricata/update/sources/et-open.yaml + test -e /var/lib/suricata/update/sources/oisf-trafficid.yaml + suricata-update + + suricata-update disable-source oisf/trafficid + test ! -e /var/lib/suricata/update/sources/oisf-trafficid.yaml + test -e /var/lib/suricata/update/sources/oisf-trafficid.yaml.disabled + + suricata-update remove-source oisf/trafficid + test ! -e /var/lib/suricata/update/sources/oisf-trafficid.yaml.disabled +} + +# Python 2 unit tests. +PYTHONPATH=. ${PYTEST2} + +# Python 3 unit tests. +PYTHONPATH=. ${PYTEST3} + +# Install with Python 2. +${PIP2} install . +test -e /usr/bin/suricata-update + +test_commands + +# Uninstall Python 2 version. +${PIP2} uninstall --yes suricata-update +test ! -e /usr/bin/suricata-update + +# Install and run with Python 3. +${PIP3} install . +test -e /usr/bin/suricata-update +grep python3 -s /usr/bin/suricata-update + +test_commands + +${PIP3} uninstall --yes suricata-update +test ! -e /usr/local/bin/suricata-update diff --git a/tests/emerging-current_events.rules b/tests/emerging-current_events.rules new file mode 100644 index 0000000..8880195 --- /dev/null +++ b/tests/emerging-current_events.rules @@ -0,0 +1,5400 @@ +# Emerging Threats +# +# This distribution may contain rules under two different licenses. +# +# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2. +# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html +# +# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License +# as follows: +# +#************************************************************* +# Copyright (c) 2003-2017, Emerging Threats +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the +# following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following +# disclaimer. +# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the +# following disclaimer in the documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +#************************************************************* +# +# +# +# + +# This Ruleset is EmergingThreats Open optimized for suricata-1.3. + +#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Loading...
"; nocase; reference:url,doc.emergingthreats.net/2011223; classtype:bad-unknown; sid:2011223; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; content:"|25 32 36|np"; distance:32; within:5; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011348; rev:4;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; within:4; http_client_body; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011349; rev:6;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:5; within:5; http_client_body; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011350; rev:8;) + +#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; file_data; content:"
<"; depth:120; classtype:bad-unknown; sid:2011355; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| "; nocase; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Driveby Bredolab - client exploited by acrobat"; flow:established,to_server; content:"?reader_version="; http_uri; content:"&exn=CVE-"; http_uri; classtype:trojan-activity; sid:2011797; rev:2;) + +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SEO Exploit Kit - Landing Page"; flow:established,to_client; content:"
"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011812; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SEO Exploit Kit - client exploited"; flow:established,to_server; content:"/exe.php?exp="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011813; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS exploit kit x/load/svchost.exe"; flow:established,to_server; content:"GET"; http_method; content:"load/svchost.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011906; rev:3;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SWF served from /tmp/ "; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/tmp\/[^\/]+\.swf$/U"; classtype:bad-unknown; sid:2011970; rev:1;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PDF served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; content:".pdf"; http_uri; pcre:"/\/tmp\/[^\/]+\.pdf$/U"; classtype:bad-unknown; sid:2011972; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JAR served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".jar"; http_uri; pcre:"/\/tmp\/[^\/]+\.jar$/U"; classtype:bad-unknown; sid:2011973; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Alureon JavaScript IFRAME Redirect"; flow:established,to_client; file_data; content:"marginwidth=|5c 22|0|22 5c| marginheight=|5c 22|0|22 5c| hspace=|5c 22|0|22 5c| vspace=|5c 22|0|22 5c| frameborder=|5c 22|0|22 5c| scrolling=|5c 22|0|22 5c| bordercolor=|5c 22 23|000000|5c 22|>|22 29 3b 7d|"; classtype:bad-unknown; sid:2011978; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix-style Exploit Kit Java Request with semicolon in URI"; flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2011988; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GNH11.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=piadraspgdw.com; reference:url,labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit; classtype:trojan-activity; sid:2012333; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby Download Secondary Request"; flow:established,to_server; content:".php?t"; http_uri; pcre:"/\.php\?t[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2012401; rev:11;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; classtype:bad-unknown; sid:2012504; rev:8;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RetroGuard Obfuscated JAR likely part of hostile exploit kit"; flow:established,from_server; content:"classPK"; content:"|20|by|20|RetroGuard|20|Lite|20|"; reference:url,www.retrologic.com; classtype:trojan-activity; sid:2012518; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012525; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsoft Office File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012526; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012527; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012528; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site WindowsLive.png"; flow:established,to_server; content:"/images/WindowsLive.png"; http_uri; depth:23; classtype:bad-unknown; sid:2012529; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Landing Page"; flow:established,from_server; content:"MWL"; classtype:bad-unknown; sid:2012530; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site blt .png"; flow:established,to_server; content:"/images/blt"; http_uri; depth:11; content:".png"; http_uri; within:6; classtype:bad-unknown; sid:2012531; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download"; flow:established,to_server; content:"/MRT/update/"; http_uri; depth:12; content:".exe"; http_uri; classtype:bad-unknown; sid:2012532; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:6;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:2;) + +#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:""; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash SWF File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"SWF"; fast_pattern:only; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012621; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; content:"S|00|W|00|F|00|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; reference:cve,2011-0611; classtype:attempted-user; sid:2012622; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:""; within:100; classtype:attempted-user; sid:2012624; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php"; flow:established,to_server; content:"GET"; http_method; content:"/ur.php"; http_uri; content:"GET /ur.php "; depth:12; classtype:trojan-activity; sid:2012625; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:5;) + +#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential Paypal Phishing Form Attachment"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"Restore Your Account"; distance:0; nocase; content:"paypal"; distance:0; nocase; content:"form.php|22| method=|22|post|22|"; nocase; distance:0; classtype:bad-unknown; sid:2012632; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing victim POSTing data"; flow:established,to_server; content:"POST"; http_method; content:"usr="; content:"&pwd="; content:"&name-on="; content:"&cu-on="; content:"&how2-on="; fast_pattern; classtype:bad-unknown; sid:2012630; rev:3;) + +#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential ACH Transaction Phishing Attachment"; flow:established,to_server; content:"ACH transaction"; nocase; content:".pdf.exe"; nocase; classtype:bad-unknown; sid:2012635; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for hostile binary"; flow:established,to_server; content:"&|20|HTTP/1.1|0d 0a|User-A"; fast_pattern; content:".php?height="; http_uri; content:"|20|Java/"; http_header; pcre:"/\/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+&/U"; classtype:trojan-activity; sid:2012644; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern; content:"|00|olig/"; classtype:trojan-activity; sid:2012646; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex="; nocase; http_uri; content:"&children="; nocase; http_uri; content:"&userid="; nocase; http_uri; pcre:"/\.php\?sex=\d+&children=\d+&userid=/U"; classtype:trojan-activity; sid:2012687; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Redirector to Exploit Page /in/rdrct/rckt/?"; flow:established,to_server; content:"/in/rdrct/rckt/?"; http_uri; classtype:attempted-user; sid:2012731; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown .ru Exploit Redirect Page"; flow:established,to_server; content:"people/?"; http_uri; content:"&top="; http_uri; content:".ru|0d 0a|"; http_header; classtype:bad-unknown; sid:2012732; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com/"; nocase; http_uri; classtype:trojan-activity; sid:2012940; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Newplayer.pdf"; flow:established,to_server; content:"/newplayer.pdf"; http_uri; reference:cve,2009-4324; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012941; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Printf.pdf"; flow:established,to_server; content:"/printf.pdf"; http_uri; reference:cve,2008-2992; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012942; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Geticon.pdf"; flow:established,to_server; content:"/geticon.pdf"; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012943; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit All.pdf"; flow:established,to_server; content:"/tmp/all.pdf"; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012944; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; fast_pattern; content:"Set-Cookie|3a| "; content:"avtor="; within:40; classtype:trojan-activity; sid:2013011; rev:6;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit kit mario.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/mario.jar"; http_uri; classtype:trojan-activity; sid:2013024; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013025; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit initial landing"; flow:established,to_server; content:"/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013027; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4;) + +#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"/sidename.js\">"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013061; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established,to_server; content:"GET /"; depth:5; content:".swf?info=02"; http_uri; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617; classtype:trojan-activity; sid:2013065; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content:"setAttribute("; content:"C|3a 5c 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013066; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Clickfraud Framework Request"; flow:to_server,established; content:"/go.php?uid="; http_uri; fast_pattern; content:"&data="; http_uri; urilen:>400; classtype:bad-unknown; sid:2013093; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9a-f]{60,66}[\;\d\x2c]*$/U"; classtype:bad-unknown; sid:2013094; rev:9;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; content:"/?"; http_uri; content:!" Java/"; http_header; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d/U"; classtype:trojan-activity; sid:2013098; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:trojan-activity; sid:2013175; rev:4;) + +#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"cssminibar.js|22|>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013192; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|
\d{16}/R"; classtype:trojan-activity; sid:2013237; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content:"|3C|script|3E|ba|28 27|Windows.class|27 2C 27|Windows.jar|27 29 3B 3C 2F|script|3E|"; nocase; reference:url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-cards-site-injected-with-malware/; classtype:misc-activity; sid:2013244; rev:2;) + +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gooqlepics|03|com|00|"; reference:url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html; classtype:bad-unknown; sid:2013328; rev:4;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - flickr.com.* "; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* "; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* "; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* "; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* "; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - photobucket.com.* "; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content:"/?go=1|22 20|width=|22|1|22 20|height=|22|1|22|>"; fast_pattern; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY ACH - Redirection"; flow:from_server,established; file_data; content:"NACHA"; classtype:bad-unknown; sid:2013474; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013484; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013485; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; classtype:bad-unknown; sid:2013486; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; content:" Java/1"; http_header; pcre:"/Host\x3a \d{8,10}(\x0d\x0a|\x3a\d{1,5}\x0d\x0a)/H"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:5;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com"; flow:established,from_server; content:"|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013500; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013548; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013549; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013551; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013552; rev:3;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:""; classtype:bad-unknown; sid:2013553; rev:6;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole MapYandex.class malicious jar"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|application/java-archive|0d 0a|"; content:"MapYandex.class"; fast_pattern:only; content:"PK"; classtype:bad-unknown; sid:2013554; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013652; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Response Malicious JavaScript"; flow:established,from_server; content:""; distance:1; within:10; classtype:attempted-user; sid:2014607; rev:10;) + +alert http $HOME_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:""; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:9;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit Java request to images.php?t="; flow:established,to_server; content:"/images.php?t="; http_uri; content:"|29 20|Java/"; http_header; pcre:"/^\/images\.php\?t=\d+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014609; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie set RULEZ"; flow:established,from_server; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; classtype:trojan-activity; sid:2014611; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie is set RULEZ"; flow:established,to_server; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; classtype:trojan-activity; sid:2014612; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (file upload)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"jembot"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014613; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (system command)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"empix="; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit PDF request to images.php?t=81118"; flow:established,to_server; content:"/images.php?t=81118"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014639; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014640; rev:1;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014641; rev:4;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - Landing Page Recieved - applet PluginDetect and 10hexchar title"; flow:established,to_client; file_data; content:"PluginDetect"; content:"[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2014644; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unkown exploit kit pdf download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".pdf"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014657; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014658; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Please wait Message"; flow:established,to_client; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; flowbits:set,et.exploitkitlanding; reference:url,isc.sans.edu/diary.html?storyid=13051; classtype:trojan-activity; sid:2014659; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing for prototype catch substr"; flow:established,from_server; content:"try{prototype|3b|}catch("; fast_pattern; content:"substr"; distance:0; classtype:trojan-activity; sid:2014661; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/=[0-9a-f]{8}\.jar/H"; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014664; rev:11;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; distance:0; classtype:trojan-activity; sid:2014665; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; distance:0; fast_pattern; content:"width=\"1\" height=\"1\""; within:100; classtype:trojan-activity; sid:2014666; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack exploit request"; flow:to_server,established; content:"/load_module.php?e="; http_uri; classtype:trojan-activity; sid:2014705; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!)"; flow:established,to_server; content:"/download_file.php?e="; http_uri; classtype:trojan-activity; sid:2014706; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload download"; flow:established,from_server; content:"filename=payload.exe.exe|0d 0a|"; http_header; classtype:trojan-activity; sid:2014707; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2014725; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV Landing Page - Viruses were found"; flow:established,from_server; file_data; content:">Viruses were found on your computer! $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Java Exploit request to /24842.jar"; flow:established,to_server; content:"/24842.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014749; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014750; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:"Java/1"; http_user_agent; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:bad-unknown; sid:2014751; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page JavaScript Split String Obfuscation of CharCode"; flow:established,to_client; content:"|22|h|22|+|22|arCode|22 3B|"; classtype:trojan-activity; sid:2014773; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Malicious PDF qweqwe="; flow:established,to_client; content:"> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole PDF Payload Request With Double Colon"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; content:"|3A 3A|"; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014776; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fragus Exploit jar Download"; flow:established,to_server; content:"_.jar?"; http_uri; pcre:"/\w_\.jar\?[a-f0-9]{8}$/U"; classtype:trojan-activity; sid:2014802; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Wordpress timthumb look-alike domain list RFI"; flow:to_server,established; content:"/timthumb.php?"; http_uri; content:!"webshot=1"; http_uri; distance:0; content:"src="; http_uri; distance:0; content:"http"; distance:0; http_uri; pcre:"/src\s*=\s*https?\x3A\x2f+[^\x2f]*?(?:(?:(?:(?:static)?flick|blogge)r|p(?:hotobucket|icasa)|wordpress|tinypic)\.com|im(?:g(?:\.youtube|ur)\.com|ageshack\.us)|upload\.wikimedia\.org)[^\x2f]/Ui"; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:web-application-attack; sid:2014846; rev:12;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"
 $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole RawValue Specific Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014821; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Malicious PDF asdvsa"; flow:established,from_server; file_data; content:"obj"; content:"<<"; within:4; content:"(asdvsa"; within:80; classtype:trojan-activity; sid:2014823; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Script Profile ASD"; flow:established,to_client; file_data; content:"pre id=|22|asd|22|"; classtype:trojan-activity; sid:2014825; rev:5;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=|22|FEDEX"; nocase; content:".zip|22|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"name=|22|"; nocase; content:"UPS"; nocase; within:11; content:".zip|22|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; classtype:trojan-activity; sid:2014828; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Post Express Spam Inbound"; flow:established,to_server; content:"name=|22|Post_Express_Label_"; nocase; content:".zip|22|"; within:15; nocase; pcre:"/name=\x22Post_Express_Label_[a-z0-9\-_\.\s]{0,10}\.zip\x22/i"; classtype:trojan-activity; sid:2014829; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:" $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP"; flow:to_client,established; file_data; content:"|0d 0a 0d 0a|GIF89a|01 3f|"; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Archive Request"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; pcre:"/\x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$/Ui"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014851; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014852; rev:3;)
+
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern:only; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014853; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely TDS redirecting to exploit kit"; flow:established,to_server; content:".php?go="; http_uri; pcre:"/\.php\?go=\d$/U"; classtype:bad-unknown; sid:2014854; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"|0d 0a|Paypal"; fast_pattern; content:"|3a 20|Loading<"; distance:0; classtype:trojan-activity; sid:2014858; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redirect to driveby sid=mix"; flow:to_server,established; content:"/go.php?sid=mix"; http_uri; classtype:bad-unknown; sid:2014866; rev:2;)
+
+alert http any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"|61 1a 02 b7 00 02 00 00 00 12|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014873; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern:only; content:" lonly="; http_cookie; classtype:bad-unknown; sid:2014884; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"|0d 0a|Host|3a| enema."; http_header; classtype:bad-unknown; sid:2014885; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try Prototype Catch June 11 2012"; flow:from_server,established; content:"try{"; content:"=prototype"; within:25; content:"|3b|}catch("; within:15; classtype:bad-unknown; sid:2014888; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:trojan-activity; sid:2014891; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition: inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; content:"|0D 0A 0D 0A|PK"; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:trojan-activity; sid:2014892; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and code"; flow:established,to_client; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; classtype:trojan-activity; sid:2014895; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"|20|Number|3A 20 09|Loading|2E 2E 3C|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014907; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"|20|Balance Due|3a| Loading|2c 20|please wait|2e 2e 2e|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014908; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Request  - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; content:"Java/1."; http_user_agent; fast_pattern; content:"Mozilla"; http_user_agent;  depth:7; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/Ui"; classtype:trojan-activity; sid:2014912; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:trojan-activity; sid:2014913; rev:2;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:"<applet"; content:"archive=|22|"; pcre:"/^\?[a-f0-9]{32}\" /R"; classtype:trojan-activity; sid:2014915; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"|3B|}catch("; distance:0; within:12; classtype:trojan-activity; sid:2014921; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:trojan-activity; sid:2014922; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:"<applet"; classtype:attempted-user; sid:2014923; rev:1;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Requested /getfile.php by Java Client"; flow:established,to_server; content:"/getfile.php?"; http_uri; content:"Java/1"; http_header; classtype:attempted-user; sid:2014924; rev:1;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff.jar"; nocase; http_uri; classtype:trojan-activity; sid:2014927; rev:1;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com|0D 0A|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:1;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; classtype:trojan-activity; sid:2014931; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; classtype:trojan-activity; sid:2014934; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"|7C|foxxysoftware|7C|"; classtype:trojan-activity; sid:2014935; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - applet and 0px"; flow:established,to_client; content:"<applet"; content:"'0px'"; within:20; classtype:trojan-activity; sid:2014936; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B 26 23|"; distance:0;  reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; depth:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - Landing Page Requested - 15Alpha1Digit.php"; flow:established,to_server; urilen:21; content:"GET"; http_method; content:".php"; http_uri; pcre:"/^\/[a-z]{15}[0-9]\.php$/U"; classtype:trojan-activity; sid:2014967; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:16<>19; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website"; flow:established,to_client; content:"setAttribute|28 22|src|22|, |22|http|3A|//|22| + "; nocase; content:"+ |22|/runforestrun?sid="; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014970; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; content:"=prototype|2d|"; within:80; content:"} catch"; within:80; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:trojan-activity; sid:2014981; rev:7;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b|"; http_header; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2014982; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern:only; http_user_agent; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:trojan-activity; sid:2015000; rev:6;)
+
+alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL 3"; flow:established,from_server; content:"|3c|applet"; fast_pattern; content:"56|3a|14|3a|14|3a|19|3a|27|3a|50|3a|50|3a|"; within:100; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015005; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015010; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 1"; flow:established,to_client; file_data; content:"e|22|+|22|va"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22va/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015012; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 2"; flow:established,to_client; file_data; content:"e|22|+|22|v|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22v\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015013; rev:5;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 3"; flow:established,to_client; content:"ev|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])ev\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015014; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:1;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ payload"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".php"; http_uri; content:"fid="; http_uri; content:"quote="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015011; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 1"; flow:established,to_client; file_data; content:"=|22|ev|22 3B|"; content:"+|22|al|22|"; distance:0; pcre:"/\x2B\x22al\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015025; rev:7;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 2"; flow:established,to_client; file_data; content:"=|22|e|22 3B|"; content:"+|22|val|22|"; distance:0; pcre:"/\x2B\x22val\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015026; rev:7;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:trojan-activity; sid:2015042; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015048; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 1)"; flow:established,to_client; file_data; content:"#c3284d#"; distance:0; content:"#/c3284d#"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015051; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 2)"; flow:established,to_client; file_data; content:"<!--c3284d-->"; distance:0; content:"<!--/c3284d-->"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015052; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; content:"value=\""; pcre:"/value=.[a-f0-9]{100}/"; classtype:trojan-activity; sid:2015054; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:2;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:"<html><body><script>"; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:trojan-activity; sid:2015056; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; classtype:trojan-activity; sid:2015057; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole TKR Landing Page /last/index.php"; flow:established,to_server; content:"/last/index.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Unknown TDS /top2.html"; flow:established,to_server; urilen:9; content:"/top2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015478; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015479; rev:3;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Compromised WordPress Server pulling Malicious JS"; flow:established,to_server; content:"/net/?u="; http_uri; fast_pattern:only; content:"Host|3a| net"; http_header; content:"net.net"; http_header; distance:2; within:7; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.0)"; http_header; pcre:"/^Host\x3a\snet[0-4]{2}net\.net\r?\n$/Hmi"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015480; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; distance:0; within:200; pcre:"/var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; classtype:trojan-activity; sid:2015486; rev:8;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2015487; rev:10;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; classtype:trojan-activity; sid:2015488; rev:9;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; classtype:trojan-activity; sid:2015516; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".htm"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015517; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".php"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015518; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/*c3284d*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake-AV Conditional Redirect (Blackmuscats)"; flow:established,to_server; content:"/blackmuscats?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/; classtype:trojan-activity; sid:2015553; rev:3;)
+
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cridex Self Signed SSL Certificate (TR Some-State Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; classtype:trojan-activity; sid:2015559; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern:only; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015573; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; depth:3; content:"<doswf version="; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015574; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015575; rev:11;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; content:"document.cookie.indexOf"; distance:0; within:70; classtype:bad-unknown; sid:2015578; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Redirection Page Try Math.Round Catch - 7th August 2012"; flow:established,to_client; file_data; content:"try{"; content:"=Math.round|3B|}catch("; distance:0; classtype:trojan-activity; sid:2015586; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sutra TDS /simmetry"; flow:to_server,established; content:"/simmetry?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:trojan-activity; sid:2015593; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested - /spl_data/"; flow:established,to_server; content:"/spl_data/"; http_uri; fast_pattern:only; content:" Java/"; http_header; classtype:trojan-activity; sid:2015603; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern:only; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:trojan-activity; sid:2015604; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:trojan-activity; sid:2015605; rev:6;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool jnlp URI Struct"; flow:established,to_server; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jnlp(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015619; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; classtype:trojan-activity; sid:2015622; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /form"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/search|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015646; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015647; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:10;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015659; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015660; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015661; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015662; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit/Other - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; classtype:bad-unknown; sid:2015670; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET CURRENT_EVENTS Unknown Exploit Kit redirect"; flow:established,to_server; urilen:35; content:"GET"; http_method; content:"/t/"; depth:3; http_uri; pcre:"/^\/t\/[a-f0-9]{32}/Ui"; content:"|0d 0a|Host|3a| "; http_header; content:"|3a|1342|0d 0a|"; http_header; fast_pattern:only; classtype:bad-unknown; sid:2015672; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:"!.class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:trojan-activity; sid:2015676; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern:only; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:trojan-activity; sid:2015678; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015679; rev:2;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; classtype:bad-unknown; sid:2015680; rev:9;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri; classtype:trojan-activity; sid:2015682; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; classtype:trojan-activity; sid:2015683; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:attempted-user; sid:2015689; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015690; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS  NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015691; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015693; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015694; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern:only; pcre:"/[=\"]\w{8}\.jar/Hi"; file_data; content:"PK"; within:2; classtype:attempted-user; sid:2015695; rev:4;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; classtype:attempted-user; sid:2015700; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015710; rev:2;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; content:"/x-java-archive|0d 0a|"; fast_pattern:only; http_header; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2015724; rev:10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015733; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; content:"/nano.php?x="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015734; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015735; rev:3;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript --- padding"; flow:established,from_server; file_data; content:"d---o---c---u---m---"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015738; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; classtype:trojan-activity; sid:2015740; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit Landing Page (2)"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".mine.nu|0d 0a|"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015758; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (4)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"hw.class"; content:"test.class"; classtype:trojan-activity; sid:2015759; rev:7;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex initial landing"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; isdataat:64,relative; content:"="; http_uri; distance:32; within:1; pcre:"/\/\?[a-f0-9]{32}=[^&]+&[a-f0-9]{32}=[^&]+$/U"; classtype:trojan-activity; sid:2015781; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:trojan-activity; sid:2015782; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:trojan-activity; sid:2015783; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:trojan-activity; sid:2015789; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOpEK - Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"Ini.class"; distance:0; within:50; classtype:trojan-activity; sid:2015788; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool eot URI Struct"; flow:to_server,established; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.eot(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015787; rev:3;)
+
+alert http $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:trojan-activity; sid:2015792; rev:2;)
+
+alert http $HOME_NET any -> 209.139.208.0/23 any (msg:"ET CURRENT_EVENTS Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool Jar URI Struct"; flow:to_server,established; content:".jar"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jar(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015796; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; classtype:trojan-activity; sid:2015797; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool EXE URI Struct"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.exe(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015798; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (5)"; flow:to_server,established; content:"/forum/links/column.php"; http_uri; nocase; content:".ru:8080|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015802; rev:3;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Blackhole/Cool Landing URI Struct"; flow:to_server,established; content:".php"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.php(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:8;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackHole 2 PDF Exploit"; flow:established,from_server; file_data; content:"/Index[5 1 7 1 9 4 23 4 50 3]"; flowbits:isset,ET.pdf.in.http; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015804; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole2 Non-Vulnerable Client Fed Fake Flash Executable"; flow: established,to_server; content:"/adobe/update_flash_player.exe"; http_uri; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:2015817; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015818; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homelinux. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homelinux."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015819; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; http_method; content:"Java/1."; http_user_agent;  content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:successful-user; sid:2015840; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:successful-user; sid:2015841; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}\.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015846; rev:3;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Imposter USPS Domain"; flow:established,to_server; content:".usps.com."; http_header; nocase; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]\.usps\.com\./Hi"; classtype:trojan-activity; sid:2015848; rev:2;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015849; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015858; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:"<applet"; content:"Attacker.class"; distance:0; classtype:trojan-activity; sid:2015859; rev:4;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:6;)
+
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Self-Singed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:trojan-activity; sid:2015865; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015871; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern:only; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015873; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page URI"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015881; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(|2F 5C 2E 7C 5C 5F 2F|g, ''))|3B|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015882; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content:"document.createElement(|22|applet|22|)|3B|"; fast_pattern:13,20; distance:0; nocase; content:".setAttribute(|22|code"; distance:0; nocase; content:".class|22 29 3B|"; nocase; within:50; content:".setAttribute(|22|archive"; nocase; distance:0; content:"document.createElement|22|param"; nocase; distance:0; reference:url,ondailybasis.com/blog/?p=1593; classtype:trojan-activity; sid:2015883; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"a.Test"; fast_pattern; classtype:trojan-activity; sid:2015884; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - No Java URI - Dot.class"; flow:established,to_server; urilen:10; content:"/Dot.class"; http_uri; classtype:trojan-activity; sid:2015885; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CirtXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; classtype:trojan-activity; sid:2015886; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request"; flow:established,to_server; urilen:>32; content:"Java/1."; http_user_agent; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}\/\d+?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015888; rev:8;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:trojan-activity; sid:2015890; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"/flow"; fast_pattern; depth:5; http_uri; content:".php"; distance:1; within:5; http_uri; content:"GET"; http_method; content:".ru|0d 0a|"; http_header; pcre:"/^\/flow\d{1,2}\.php$/U"; classtype:bad-unknown; sid:2015897; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:trojan-activity; sid:2015901; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - WSO Title"; flow:established,to_client; file_data; content:"<title>"; content:" - WSO "; fast_pattern; distance:0; content:""; distance:0; classtype:attempted-user; sid:2015905; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - POST structure"; flow:established,to_server; content:"POST"; http_method; content:"&c="; http_client_body; content:"&p1="; http_client_body; content:"&p2="; http_client_body; content:"&p3="; http_client_body; fast_pattern; pcre:"/a=(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/P"; classtype:attempted-user; sid:2015906; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BoA -Account Phished"; flow:established,to_server; content:"POST"; http_method; content:"creditcard="; http_client_body; content:"expyear="; http_client_body; content:"ccv="; http_client_body; content:"pin="; http_client_body; classtype:bad-unknown; sid:2015907; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BoA - PII Phished"; flow:established,to_server; content:"POST"; http_method; content:"&phone3="; http_client_body; content:"&ssn3="; http_client_body; content:"&dob3="; http_client_body; classtype:bad-unknown; sid:2015908; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of America Phish Oct 1 M1"; flow:established,to_server; content:"POST"; http_method; content:"reason="; nocase; depth:7; fast_pattern; http_client_body; content:"Access_ID="; nocase; distance:0; http_client_body; content:"Current_Passcode="; nocase; distance:0; http_client_body; classtype:bad-unknown; sid:2015909; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - AOL Creds"; flow:established,to_server; content:"POST"; http_method; content:"aoluser="; http_client_body; content:"aolpassword="; http_client_body; classtype:bad-unknown; sid:2015910; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Yahoo Creds"; flow:established,to_server; content:"POST"; http_method; content:"yahoouser="; http_client_body; content:"yahoopassword="; http_client_body; classtype:bad-unknown; sid:2015911; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Gmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"gmailuser="; http_client_body; content:"gmailpassword="; http_client_body; classtype:bad-unknown; sid:2015912; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Hotmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"hotmailuser="; http_client_body; content:"hotmailpassword="; http_client_body; classtype:bad-unknown; sid:2015913; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Other Creds"; flow:established,to_server; content:"POST"; http_method; content:"otheruser="; http_client_body; content:"otherpassword="; http_client_body; classtype:bad-unknown; sid:2015914; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spam Campaign JPG CnC Link"; flow:established,to_client; file_data; content:"he1l0|3A|hxxp|3A|//"; distance:0; content:".jpg"; distance:0; reference:url,blog.fireeye.com/research/2012/11/more-phish.html; classtype:trojan-activity; sid:2015921; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_user_agent; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U";  flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015922; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Glazunov Java payload request /5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_user_agent; urilen:6; pcre:"/^\/\d{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015923; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015928; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015929; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; classtype:trojan-activity; sid:2015932; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool txt URI Struct"; flow:to_server,established; content:".txt"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015933; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; urilen:35; content:"/t/"; depth:3; http_uri; pcre:"/\/t\/[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:2015936; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Banking PHISH - Login.php?LOB=RBG"; flow:established,to_server; content:"/Logon.php?LOB=RBG"; http_uri; content:"&_pageLabel=page_"; http_uri; classtype:trojan-activity; sid:2015938; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015939; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/amor\d{0,2}\.jar/U"; classtype:trojan-activity; sid:2015941; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2015942; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:trojan-activity; sid:2015943; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Access"; flow:established,to_server; content:".php?action=stats_access"; http_uri; classtype:trojan-activity; sid:2015944; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Java On"; flow:established,to_server; content:".php?action=stats_javaon"; http_uri; classtype:trojan-activity; sid:2015945; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php\?setup=d&s=\d+&r=\d+$/U"; classtype:trojan-activity; sid:2015946; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:trojan-activity; sid:2015949; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:trojan-activity; sid:2015950; rev:2;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; pcre:"/\.jar\?m=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3"; flow:established,to_server; content:"POST"; http_method; content:"ssn1="; http_client_body; content:"ssn2="; http_client_body; content:"ssn3="; http_client_body; content:!"LabTech Agent"; http_user_agent; classtype:trojan-activity; sid:2015952; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015955; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:trojan-activity; sid:2015956; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request"; flow:established,to_server; content:"/j.php?t=u00"; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2015960; rev:12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack PDF Request"; flow:established,to_server; content:"/p5.php?t=u00"; http_uri; content:"&oh="; http_uri; classtype:trojan-activity; sid:2015961; rev:11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern:only; content:"&token="; http_uri; classtype:trojan-activity; sid:2015962; rev:11;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:trojan-activity; sid:2015971; rev:9;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2015970; rev:11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing URL"; flow:established,to_server; content:".php?dentesus=208779"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015964; rev:11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful PayPal Account Phish"; flow:established,to_server; content:"POST"; http_method; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"target_page="; http_client_body; classtype:bad-unknown; sid:2015972; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:trojan-activity; sid:2015974; rev:14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015977; rev:7;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"yy3Ojj"; within:1600; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:7;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:bad-unknown; sid:2015979; rev:1;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Google Account Phish"; flow:established,to_server; content:"POST"; http_method; content:"continue="; http_client_body; content:"followup="; http_client_body; content:"checkedDomains="; http_client_body; classtype:bad-unknown; sid:2015980; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:trojan-activity; sid:2015981; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zuponcic Hostile JavaScript"; flow:established,to_server; urilen:11; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"/js/java.js"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; classtype:trojan-activity; sid:2015982; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:bad-unknown; sid:2015983; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:bad-unknown; sid:2015988; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:bad-unknown; sid:2015989; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit - Potential Payload Requested - /2Digit.html"; flow:established,to_server; urilen:8; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]{2}\.html$/U"; classtype:bad-unknown; sid:2015990; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern:only; content:"|22|bhjwfffiorjwe|22|"; classtype:bad-unknown; sid:2015991; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016013; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern:only; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:trojan-activity; sid:2016012; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Landing Pattern"; flow:established,to_server; content:"/i.php?token="; http_uri; fast_pattern:only; nocase; pcre:"/\/i.php?token=[a-z0-9]+$/Ui"; classtype:trojan-activity; sid:2015998; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:trojan-activity; sid:2016001; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016018; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - POST to *.stats"; flow:established,to_server; content:"POST"; http_method; content:".stats"; http_uri; content:"pageURL="; http_client_body; classtype:bad-unknown; sid:2016023; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!"; classtype:bad-unknown; sid:2016024; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016052; rev:4;)
+
+alert http $EXTERNAL_NET any ->  $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:trojan-activity; sid:2016053; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:trojan-activity; sid:2016054; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - pdfx.html"; flow:established,to_server; content:"/pdfx.html"; http_uri; classtype:trojan-activity; sid:2016055; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:trojan-activity; sid:2016056; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful PayPal Account Phish"; flow:established,to_server; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"browser_version="; http_client_body; content:"operating_system="; fast_pattern; http_client_body; classtype:bad-unknown; sid:2016063; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Embedded Open Type Font file .eot"; flow:established,to_client; file_data; content:"|02 00 02  00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40  00|a|00|b|00|c|00|d|00|e|00|f|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016065; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016070; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_user_agent; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016071; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016072; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016073; rev:7;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q="; flow:established,to_server; content:"/in.php?q="; http_uri; classtype:trojan-activity; sid:2016090; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange base64"; flow:established,to_server; content:"KAhFXlx9"; http_uri; pcre:"/\.php\?[a-z]=.{2}KAhFXlx9.{2}Oj[^&]+$/U"; classtype:trojan-activity; sid:2016091; rev:2;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:trojan-activity; sid:2016093; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:2;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page"; flow:established,from_server; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Topic EK Requesting Jar"; flow:established,to_server; content:".php?exp="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; content:"Java/1."; http_user_agent; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016107; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Topic EK Requesting PDF"; flow:established,to_server; content:".php?exp=lib"; http_uri; content:"&b="; http_uri; content:"&k="; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016108; rev:3;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016111; rev:4;)
+
+alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016113; rev:3;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:trojan-activity; sid:2016128; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf/Styx EK - fnts.html "; flow:established,to_server; content:"/fnts.html"; http_uri; classtype:trojan-activity; sid:2016129; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode"; flow:established,from_server; file_data; content:"%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016134; rev:3;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|provide|08|yourtrap|03|com|00|"; fast_pattern; nocase; distance:0; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016135; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server;  content:"/%E0%AC%B0%E0%B0%8C"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (1)"; flow:established,to_server; content:"/%E0%B4%8C%E1%88%92"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016137; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (2)"; flow:established,to_server; content:"Java/1"; http_header; content:"&partners="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016142; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injected iframe leading to Redkit Jan 02 2013"; flow:established,from_server; file_data; content:"iframe name="; pcre:"/^[\r\n\s]*[\w]+[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2 src=http|3a|//"; within:71; fast_pattern:48,20; pcre:"/^[^\r\n\s>]+\/[a-z]{4,5}\.html\>\<\/iframe\>/R"; classtype:trojan-activity; sid:2016144; rev:3;)
+
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern:only; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013"; flowbits:set,et.exploitkitlanding; flow:established,to_client; file_data; content:"80,108,117,103,105,110,68,101,116,101,99,116"; nocase; classtype:attempted-user; sid:2016166; rev:7;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:"/cb.php?action="; http_uri; classtype:bad-unknown; sid:2016169; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (2)"; flow:established,to_server; content:"/%E0%B4%8C%E1%82%AB"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016170; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; pcre:"/\/[0-9]{3}\.jar/"; pcre:"/\/[0-9]{3}\.pdf/"; classtype:trojan-activity; sid:2016174; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"yaml"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])yaml\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"symbol"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])symbol\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-activity; sid:2016176; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:bad-unknown; sid:2016190; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"
"; classtype:bad-unknown; sid:2016191; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"Please wait..."; nocase; content:"
16; content:"/?"; http_uri; depth:13;  pcre:"/^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$/Ui"; classtype:bad-unknown; sid:2016193; rev:7;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request"; flow:established,to_server; urilen:8; content:".pdf"; http_uri; pcre:"/\x2F[0-9]{3}\.pdf$/U"; reference:url,blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack; reference:cve,2010-0188; classtype:trojan-activity; sid:2016210; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; file_data; content:"Loading, Please Wait..."; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern:only; pcre:"/[^a-zA-Z0-9_\-.]B\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Jar Download"; flow:established,to_server; content:".php"; http_uri; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016229; rev:11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern:13,20; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016240; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016242; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016247; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,to_server; content:"/i.html?0x"; http_uri; depth:10; urilen:>100; pcre:"/\/i\.html\?0x\d{1,2}=[a-zA-Z0-9+=]{100}/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016248; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:"Java/1."; http_user_agent; classtype:bad-unknown; sid:2016249; rev:8;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:"Java/1."; http_user_agent; classtype:bad-unknown; sid:2016250; rev:8;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; content:".jar"; http_uri; pcre:"/\x2F[a-z]\x2Ejar$/U"; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016254; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016255; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; content:"/cve2012xxxx/Gondvv.class"; http_uri; classtype:trojan-activity; sid:2016256; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS - in.php"; flow:established,to_server; content:"/in.php?s="; http_uri; classtype:trojan-activity; sid:2016272; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:bad-unknown; sid:2016276; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:bad-unknown; sid:2016277; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern:39,20; classtype:trojan-activity; sid:2016297; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern:49,20; classtype:trojan-activity; sid:2016298; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:bad-unknown; sid:2016299; rev:10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016306; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:trojan-activity; sid:2016307; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible JDB Exploit Kit Class Request"; flow:established,to_server; content:"/jdb/"; http_uri; nocase; content:".class"; http_uri; nocase; pcre:"/\/jdb\/[^\/]+\.class$/Ui"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016308; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit JAR Download"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016309; rev:7;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Fake Adobe Download"; flow:established,to_server; content:"/lib/adobe.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/lib\/adobe\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016310; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Non-Standard HTML page in Joomla /com_content/ dir (Observed in Recent Pharma Spam)"; flow:established,to_server; content:"/components/com_content/"; http_uri; content:!"index.html"; nocase; within:10; http_uri; content:".html"; nocase; http_uri; distance:0; classtype:bad-unknown; sid:2016311; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Generic - POST to myform.php"; flow:established,to_server; content:"POST"; http_method; content:"/myform.php"; http_uri; classtype:bad-unknown; sid:2016327; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:trojan-activity; sid:2016333; rev:4;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Feb 04 2012"; flow:established,from_server; file_data; content:"applet"; content:"Ojj"; within:300; content:"Dyy"; within:300; classtype:bad-unknown; sid:2016341; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing"; flow:established,to_server; content:".js"; http_uri; content:"/i.html"; http_header; fast_pattern:only; pcre:"/^[a-z]+\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\/i.html(\?[^=]{1,10}=[^&\r\n]{100,})?\r?$/Hmi"; classtype:bad-unknown; sid:2016347; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WhiteHole Exploit Landing Page"; flow:established,from_server; file_data; content:".jar?java="; nocase; fast_pattern:only; content:").)+?\.jar\?java=\d+/R"; content:" name="; content:"http"; within:5; content:" name="; content:"ftp"; within:4; classtype:trojan-activity; sid:2016348; rev:7;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Jar Request"; flow:to_server,established; content:".jar?java="; http_uri; fast_pattern:only; nocase; content:"Java/1."; http_user_agent; pcre:"/\.jar\?java=\d+$/Ui"; classtype:trojan-activity; sid:2016349; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; pcre:"/\/\?whole=\d+$/Ui"; classtype:trojan-activity; sid:2016350; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Jerk.cgi TDS"; flow:established,to_server; content:"/jerk.cgi?"; fast_pattern:only; http_uri; pcre:"/\x2Fjerk\x2Ecgi\x3F[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016352; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; content:"[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/Pi"; classtype:attempted-user; sid:2016354; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:trojan-activity; sid:2016356; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:2;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016365; rev:5;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016371; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jaxws.jar"; flow:established,to_server; content:"/jaxws.jar"; http_uri; content:"Java/"; http_user_agent; classtype:trojan-activity; sid:2016374; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jre.jar"; flow:established,to_server; content:"/jre.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016375; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:"stealth.exe"; within:60; classtype:trojan-activity; sid:2016377; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM EK - Java Exploit - fbyte.jar"; flow:established,to_server; content:"/fbyte.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016378; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - JAR Containing Windows Executable"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2016379; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Encrypted Binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|25 3e fc 75 7b|"; within:5; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016380; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016393; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016397; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0364; classtype:trojan-activity; sid:2016401; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016403; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016407; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarhlp32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarext32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern:only; pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:trojan-activity; sid:2016412; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload Download (5)"; flow:established,to_server; content:".txt?e="; http_uri; nocase; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?e=\d+(&[fh]=\d+)?$/U"; classtype:trojan-activity; sid:2016414; rev:8;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:trojan-activity; sid:2016427; rev:7;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1)"; flow:established,to_server; content:"/java/lang/ClassBeanInfo.class"; http_uri; fast_pattern:10,20; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2016490; rev:12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (2)"; flow:established,to_server; content:"/java/lang/ObjectBeanInfo.class"; http_uri; fast_pattern:11,20; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2016491; rev:11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ObjectCustomizer.class"; http_uri; fast_pattern:13,20; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2016492; rev:12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ClassCustomizer.class"; http_uri; fast_pattern:12,20; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2016493; rev:11;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016497; rev:7;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client;  file_data; content:".exe?"; fast_pattern:only; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Payload Download"; flow:established,to_server; content:".exe"; http_uri; nocase; fast_pattern:only; content:"&h="; http_uri; pcre:"/\.exe(?:\?[a-zA-Z0-9]+=[a-zA-Z0-9]+)?&h=\d+$/Ui"; content:!"Referer|3a|"; http_header; classtype:bad-unknown; sid:2016499; rev:14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:bad-unknown; sid:2016500; rev:8;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Compromise svchost.jpg Beacon - Java  Zeroday"; flow:established,to_server; content:"/svchost.jpg"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another- java-zero-day-2.html; classtype:trojan-activity; sid:2016511; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jhan.jar"; flow:established,to_server; content:"/jhan.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016514; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013"; flow:established,from_server; file_data; content:"<#a#p#p#l#e#t#"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016520; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java Archive Request (Java-SPLOIT.jar)"; flow:established,to_server; content:"/Java-SPLOIT.jar"; http_uri; content:"Java/1."; fast_pattern:only; http_user_agent; classtype:bad-unknown; sid:2016521; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016522; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Exploit Request"; flow:established,to_server; content:"/module.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016523; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; classtype:trojan-activity; sid:2016524; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific -  4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; classtype:trojan-activity; sid:2016525; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch False Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; distance:0; content:"=false|3B|}"; within:30; classtype:trojan-activity; sid:2016526; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Download non Jar file"; flow:established,to_server; content:!".jar"; http_uri; nocase; content:!".jnlp"; http_uri; nocase; content:!".hpi"; http_uri; nocase; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.JavaNotJar; flowbits:noalert; classtype:bad-unknown; sid:2016539; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; content:!".jar"; http_header; nocase; file_data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; classtype:bad-unknown; sid:2016540; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft landing applet plus class Mar 03 2013"; flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016542; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016543; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 http argument in applet (Neutrino/Angler)"; flow:established,from_server; file_data; content:").)+?[\x22\x27]aHR0cDov/Rs"; content:"aHR0cDov"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016549; rev:4;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/m"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/m[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2016551; rev:8;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:bad-unknown; sid:2016558; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Plugin Detect March 11 2013"; flow:to_client,established; file_data; content:"this.gondad = arrVersion"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016560; rev:10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"h"; depth:1; http_client_body; content:"="; within:12; http_client_body; content:"&p"; distance:24; within:2; http_client_body; pcre:"/^h[a-z0-9]{0,10}\x3d[a-f0-9]{24}&p[a-z0-9]{0,10}\x3d[a-z0-9]{1,11}&i/P"; classtype:trojan-activity; sid:2016562; rev:7;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:23; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016563; rev:7;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/q.php Jar Download"; flow:established,to_server; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016564; rev:9;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SNET EK Downloading Payload"; flow:to_server,established; content:"get"; http_uri; content:"?src="; http_uri; fast_pattern; distance:0;content:"snet"; http_uri; distance:0; pcre:"/\?src=[a-z]+snet$/U"; content:" WinHttp.WinHttpRequest"; http_user_agent; classtype:trojan-activity; sid:2016566; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DynDNS Pro Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:i(?:s(?:-(?:a(?:-(?:(?:(?:h(?:ard-work|unt)e|financialadviso)r|d(?:e(?:mocrat|signer)|octor)|t(?:e(?:acher|chie)|herapist)|r(?:epublican|ockstar)|n(?:ascarfan|urse)|anarchist|musician)\.com|c(?:(?:(?:ubicle-sla|onservati)ve|pa)\.com|a(?:ndidate\.org|terer\.com)|hef\.(?:com|net|org)|elticsfan\.org)|l(?:i(?:ber(?:tarian|al)\.com|nux-user\.org)|(?:a(?:ndscap|wy)er|lama)\.com)|p(?:(?:ersonaltrain|hotograph|lay)er\.com|a(?:inter\.com|tsfan\.org))|b(?:(?:(?:ookkeep|logg)er|ulls-fan)\.com|ruinsfan\.org)|s(?:o(?:cialist\.com|xfan\.org)|tudent\.com)|g(?:eek\.(?:com|net|org)|(?:reen|uru)\.com)|knight\.org)|n-(?:a(?:c(?:t(?:ress|or)|countant)|(?:narch|rt)ist)|en(?:tertain|gine)er)\.com)|(?:into-(?:(?:car(?:toon)?|game)s|anime)|(?:(?:not-)?certifie|with-theban)d|uberleet|gone)\.com|(?:very-(?:(?:goo|ba)d|sweet|evil|nice)|found)\.org|s(?:aved\.org|lick\.com)|l(?:eet\.com|ost\.org)|by\.us)|a-(?:geek\.(?:com|net|org)|hockeynut\.com)|t(?:eingeek|mein)\.de|smarterthanyou\.com)|n-the-band\.net|amallama\.com)|f(?:rom-(?:(?:i[adln]|w[aivy]|o[hkr]|[hr]i|d[ce]|k[sy]|p[ar]|s[cd]|t[nx]|v[at]|fl|ga|ut)\.com|m(?:[adinost]\.com|e\.org)|n(?:[cdehjmv]\.com|y\.net)|a(?:[klr]\.com|z\.net)|c(?:[at]\.com|o\.net)|la\.net)|or(?:-(?:(?:(?:mor|som|th)e|better)\.biz|our\.info)|got\.h(?:er|is)\.name)|uettertdasnetz\.de|tpaccess\.cc)|s(?:e(?:l(?:ls(?:-(?:for-(?:less|u)\.com|it\.net)|yourhome\.org)|fip\.(?:info|biz|com|net|org))|rve(?:bbs\.(?:com|net|org)|ftp\.(?:net|org)|game\.org))|(?:aves-the-whales|pace-to-rent|imple-url)\.com|crapp(?:er-site\.net|ing\.cc)|tuff-4-sale\.(?:org|us)|hacknet\.nu)|d(?:o(?:es(?:ntexist\.(?:com|org)|-it\.net)|ntexist\.(?:com|net|org)|omdns\.(?:com|org))|yn(?:a(?:lias\.(?:com|net|org)|thome\.net)|-o-saur\.com|dns\.ws)|ns(?:alias\.(?:com|net|org)|dojo\.(?:com|net|org))|vrdns\.org)|h(?:o(?:me(?:linux\.(?:com|net|org)|unix\.(?:com|net|org)|(?:\.dyn)?dns\.org|ftp\.(?:net|org)|ip\.net)|bby-site\.(?:com|org))|ere-for-more\.info|am-radio-op\.net)|b(?:log(?:dns\.(?:com|net|org)|site\.org)|(?:uyshouses|roke-it)\.net|arrel?l-of-knowledge\.info|oldlygoingnowhere\.org|etter-than\.tv)|g(?:o(?:tdns\.(?:com|org)|\.dyndns\.org)|ame-(?:server\.cc|host\.org)|et(?:myip\.com|s-it\.net)|roks-th(?:is|e)\.info)|e(?:st-(?:(?:a-la-ma(?:is|si)|le-patr)on|mon-blogueur)\.com|ndof(?:internet\.(?:net|org)|theinternet\.org))|l(?:e(?:btimnetz|itungsen)\.de|ikes(?:candy|-pie)\.com|and-4-sale\.us)|m(?:i(?:sconfused\.org|ne\.nu)|yp(?:hotos\.cc|ets\.ws)|erseine\.nu)|w(?:ebhop\.(?:info|biz|net|org)|ritesthisblog\.com|orse-than\.tv)|t(?:eaches-yoga\.com|raeumtgerade\.de|hruhere\.net)|k(?:icks-ass\.(?:net|org)|nowsitall\.info)|o(?:ffice-on-the\.net|n-the-web\.tv)|(?:neat-url|cechire)\.com|podzone\.(?:net|org)|at-band-camp\.net|readmyblog\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016580; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016581; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp)\.com|m(?:inecraft\.net|p3\.com)|b(?:eer\.com|log\.net))|curity(?:exploit|tactic)s\.com)|tufftoread\.com|ytes\.net)|m(?:y(?:(?:(?:dissen|effec)t|mediapc|psx)\.net|securitycamera\.(?:com|net|org)|(?:activedirectory|vnc)\.com|ftp\.(?:biz|org))|lbfan\.org|mafan\.biz)|d(?:(?:itchyourip|amnserver|ynns)\.com|dns(?:\.(?:net|me)|king\.com)|ns(?:iskinky\.com|for\.me)|vrcam\.info)|n(?:o(?:-ip\.(?:c(?:o\.uk|a)|info|biz|net|org)|ip\.(?:me|us))|et-freaks\.com|flfan\.org|hlfan\.net)|h(?:o(?:mesecurity(?:ma|p)c\.com|pto\.(?:org|me))|ealth-carereform\.com)|p(?:(?:rivatizehealthinsurance|gafan)\.net|oint(?:2this\.com|to\.us))|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem)\.org|iscofreak\.com)|g(?:o(?:lffan\.us|tdns\.ch)|eekgalaxy\.com)|b(?:logsyte\.com|ounceme\.net|rasilia\.me)|re(?:ad-books\.org|directme\.net)|u(?:nusualperson\.com|fcfan\.org)|w(?:orkisboring\.com|ebhop\.me)|(?:3utiliti|quicksyt)es\.com|eating-organic\.net|ilovecollege\.info|fantasyleague\.cc|loginto\.me|zapto\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016582; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DNSDynamic Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:ns(?:d(?:ynamic\.(?:com|net)|\.(?:info|me))|api\.info|get\.org|53\.biz)|dns01\.com)|(?:f(?:lashserv|e100|tp21)|adultdns|mysq1|wow64)\.net|(?:(?:ima|voi)p01|(?:user|ole)32|kadm5)\.com|t(?:tl60\.(?:com|org)|empors\.com|ftpd\.net)|s(?:sh(?:01\.com|22\.net)|ql01\.com)|http(?:(?:s443|01)\.com|80\.info)|n(?:s360\.info|tdll\.net)|x(?:ns01\.com|64\.me)|craftx\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016583; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:b(?:bsindex|0ne)|chatnook|gotgeeks|3d-game|4irc)\.com|s(?:(?:cieron|uroot)\.com|lyip\.(?:com|net))|d(?:arktech\.org|eaftone\.com|tdns\.net)|e(?:towns\.(?:net|org)|ffers\.com)|flnet\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016584; rev:4;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016585; rev:7;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Query to a *.opengw.net Open VPN Relay Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|opengw|03|net|00|"; nocase; fast_pattern:only; reference:url,www.vpngate.net; classtype:bad-unknown; sid:2016586; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016587; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/^\/search\/[0-9]{64}/U"; classtype:trojan-activity; sid:2016593; rev:8;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:7;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:"Java/1."; http_user_agent; content:!"hermesjms.com"; http_header; classtype:trojan-activity; sid:2016598; rev:5;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain peocity.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|peocity|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016600; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain rusview.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|rusview|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016601; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain skyruss.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|skyruss|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016602; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain commanal.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|commanal|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016603; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain natareport.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|natareport|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016604; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogellrey.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photogellrey|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016605; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogalaxyzone.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|photogalaxyzone|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016606; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insdet.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|insdet|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016607; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain creditrept.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|creditrept|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016608; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pollingvoter.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|pollingvoter|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016609; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dfasonline.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dfasonline|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016610; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hudsoninst.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|hudsoninst|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016611; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain wsurveymaster.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wsurveymaster|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016612; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nhrasurvey.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|nhrasurvey|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016613; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pdi2012.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|pdi2012|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016614; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nceba.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|nceba|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016615; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain linkedin-blog.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|linkedin-blog|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016616; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain aafbonus.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|aafbonus|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016617; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain milstars.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|milstars|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016618; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain vatdex.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|vatdex|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016619; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insightpublicaffairs.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|insightpublicaffairs|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016620; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain applesea.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|applesea|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016621; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledmg.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledmg|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016622; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appleintouch.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|appleintouch|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016623; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain seyuieyahooapis.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|seyuieyahooapis|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016624; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledns.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledns|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016625; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain emailserverctr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|emailserverctr|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016626; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dailynewsjustin.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dailynewsjustin|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016627; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hi-tecsolutions.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|hi-tecsolutions|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016628; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain slashdoc.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|slashdoc|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016629; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photosmagnum.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photosmagnum|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016630; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain resume4jobs.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|resume4jobs|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016631; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain searching-job.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|searching-job|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016632; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain servagency.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|servagency|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016633; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain gsasmartpay.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|gsasmartpay|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016634; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain tech-att.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|tech-att|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016635; rev:1;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletHigh.jar"; flow:established,to_server; content:"/AppletHigh.jar"; http_uri; content:"Java/1."; http_user_agent; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016639; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:"Java/1."; http_user_agent; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016640; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:").)+[\r\n\s]value[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:trojan-activity; sid:2016643; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Postal Reciept EXE in Zip"; flow:from_server,established; file_data; content:"PK"; within:2; content:"Postal-Receipt.exe"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016654; rev:2;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016655; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (1)"; flow:established,to_client; file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016663; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL April 01 2013"; flow:established,from_server; file_data; content:")).)+?[\r\n\s]value[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?(\d{2,3})?(?P([^a-zA-Z0-9]{1,100}|[a-zA-Z0-9]{1,100}))\d{2,3}((?P=sep)\d{2,3}){20}/Rs"; classtype:trojan-activity; sid:2016705; rev:19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS svchost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/svchost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/svchost\.exe$/Ui"; classtype:bad-unknown; sid:2016696; rev:13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS winlogon.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/winlogon.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winlogon\.exe$/Ui"; reference:md5,fd95cc0bb7d3ea5a0c86d45570df5228; reference:md5,09330c596a33689a610a1b183a651118; classtype:bad-unknown; sid:2016697; rev:13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS services.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/services.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/services\.exe$/Ui"; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS lsass.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/lsass.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lsass\.exe$/Ui"; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS explorer.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/explorer.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/explorer\.exe$/Ui"; reference:md5,de1bc32ad135b14ad3a5cf72566a63ff; classtype:bad-unknown; sid:2016700; rev:13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS smss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/smss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/smss\.exe$/Ui"; reference:md5,450dbe96d7f4108474071aca5826fc43; classtype:bad-unknown; sid:2016701; rev:12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS csrss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/csrss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/csrss\.exe$/Ui"; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS rundll32.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/rundll32.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/rundll32\.exe$/Ui";  reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:12;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/m1[1-6]\.jar$/U"; classtype:trojan-activity; sid:2016708; rev:8;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016709; rev:8;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Targeted Tibetan Android Malware C2 Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|android|06|uyghur|04|dnsd|02|me|00|"; nocase; fast_pattern; distance:0; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:trojan-activity; sid:2016711; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/BaneChant.APT Winword.pkg Redirect"; flow:established,to_client; content:"301"; http_stat_code; content:"Moved Permanently"; http_stat_msg; content:"/update/winword.pkg"; http_header; pcre:"/Location\x3A[^\r\n]*\x2Fupdate\x2Fwinword\x2Epkg/H"; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:trojan-activity; sid:2016713; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016716; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016717; rev:4;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016718; rev:4;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016719; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; fast_pattern:22,20; pcre:"/Last-Modified\x3a Mon, (?!(?:0[29]|16|23|30))\d{2} Jul 2001/H"; classtype:trojan-activity; sid:2016721; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016722; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 32-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:33; depth:7; http_uri; pcre:"/^\/[0-9a-f]{32}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016723; rev:7;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016724; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016725; rev:8;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016726; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Reversed Applet Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"eulav "; nocase; fast_pattern:only; content:"eman "; nocase; content:"marap<"; nocase; within:500; content:"telppa"; within:500; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016729; rev:11;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|74 3d c0 19|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016733; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016734; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/wmck.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016735; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/ckwm.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016736; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016737; rev:11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Citadel Infection or Config URL Request"; flow:established,to_server; content:"/file.php|7C|file="; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016738; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:")).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?!http\x3a\/\/)(?P[^\x22\x27])(?P(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:trojan-activity; sid:2016751; rev:10;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Plugin-Detect April 12 2013"; flow:established,from_server; file_data; content:"PluginDetect"; fast_pattern:only; nocase; content:"$(document).ready"; content:"function"; distance:0; pcre:"/\x28[\r\n\s]*?(?P[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*?/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016756; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016753; rev:10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; classtype:trojan-activity; sid:2016755; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO PDF Payload Download"; flow:established,to_server; content:"User-Agent|3a 20|http|3a|//"; http_header; fast_pattern:only; pcre:"/^GET (?P(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1\.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016764; rev:15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016781; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2016784; rev:3;)
+
+alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:trojan-activity; sid:2016785; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".html"; http_uri; pcre:"/\/[0-9]{4}\.html$/Ui"; classtype:trojan-activity; sid:2016786; rev:5;)
+
+alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:".txt|0d 0a|"; http_header; fast_pattern:only; pcre:"/filename=[a-z]{4}\.txt\x0D\x0A/H"; classtype:trojan-activity; sid:2016787; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mfunc"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mfunc"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mfunc/Pi"; classtype:attempted-user; sid:2016788; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mclude"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mclude"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mclude/Pi"; classtype:attempted-user; sid:2016789; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"dynamic-cached-content"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?dynamic-cached-content/Pi"; classtype:attempted-user; sid:2016790; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received"; flow:established,to_client; file_data; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P%[A-Fa-f0-9]{2})|(?P[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:trojan-activity; sid:2016791; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; content:"SECID="; http_cookie;  pcre:"/\?[0-9a-f]{6}$/U"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:attempted-user; sid:2016794; rev:7;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016796; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java JNLP Requested"; flow:established,to_server; flowbits:isset,ET.http.javaclient; urilen:71; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:trojan-activity; sid:2016798; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Flash Exploit Requested"; flow:established,to_server; urilen:70; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/Ui"; classtype:trojan-activity; sid:2016799; rev:3;)
+
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; file_data; content:"visibility|3a|hidden"; pcre:"/(?P\d{2})(?P(?!(?P=e))\d{2})(?P=e)\d{2}(?P=t)\d{6}(?P=e)\d{12}(?P(?!((?P=e)|(?P=t)))\d{2})\d{2}(?P(?!((?P=e)|(?P=t)|(?P=q)))\d{2})\d{2}(?P=dot)\d{2}(?P=q)/R"; classtype:trojan-activity; sid:2016801; rev:9;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016804; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern:only; classtype:trojan-activity; sid:2016805; rev:3;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:6;)
+
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1)"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2web."; nocase; distance:2; within:10; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016806; rev:5;)
+
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2)"; flow:established,from_server; content:"|55 04 03|"; content:"*.onion."; nocase; distance:2; within:8; pcre:"/^(?:sh|lu|to)/Rsi"; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016810; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - Possible Redkit 1-4 char JNLP request "; flow:established,to_server; urilen:<11; content:".jnlp"; nocase; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/U"; classtype:trojan-activity; sid:2016811; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - Possible BlackHole request with decryption Base "; flow:established,to_server; content:"&jopa="; nocase; http_uri; fast_pattern:only; pcre:"/&jopa=\d+$/U"; classtype:trojan-activity; sid:2016813; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016817; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016818; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Requsting Payload"; flow:established,to_server; content:"/FlashPlayer.cpl"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016828; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; classtype:trojan-activity; sid:2016831; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Requesting Jar"; flow:established,to_server; content:"/j21.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016832; rev:7;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlimKit hex.zip Java Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".zip"; http_uri; pcre:"/\/[a-f0-9]+\.zip$/U"; classtype:trojan-activity; sid:2016839; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern:only; content:""; content:"[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:trojan-activity; sid:2016840; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS BlackHole Java Exploit Artifact"; flow:established,to_server; content:"/hw.class"; http_uri; content:"Java/1."; http_user_agent; reference:url,vanheusden.com/httping/; classtype:policy-violation; sid:2016848; rev:12;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response"; flow:established,from_server; file_data; content:"ingdx.htmA{ip}"; nocase; classtype:trojan-activity; sid:2016851; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016852; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; pcre:"/^\/[a-z][a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi"; content:"=%25"; http_client_body;  pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P";  flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016853; rev:15;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page May 16 2013"; flow:established,from_server; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016859; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Plugin-Detect 2 May 20 2013"; flow:established,from_server; file_data; content:"encodeURIComponent(xor(JSON.stringify"; fast_pattern:8,20; content:"PluginDetect.getVersion"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016868; rev:14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlimKit Post Exploit Payload Download"; flow:to_server,established; content:"POST"; http_method; urilen:17; pcre:"/^\/[a-f0-9]{16}$/U"; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"HTTP/1.0|0d 0a|"; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\s0\r\nConnection\x3a\sclose\r\n(\r\n)?$/H"; classtype:trojan-activity; sid:2016869; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016896; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:8;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016923; rev:14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016924; rev:11;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016925; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern:only; content:").)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016926; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern:4,20; content:"spawAnyone("; nocase; distance:0; classtype:trojan-activity; sid:2016927; rev:11;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern:only; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P[^\x22\x27])(?P(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:trojan-activity; sid:2016928; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern:only; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:trojan-activity; sid:2016929; rev:11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016930; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole EK JNLP request"; flow:established,to_server; content:".php?jnlp="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?jnlp=[a-f0-9]{10}(,|$)/Ui"; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016931; rev:7;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain May 28 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016933; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; file_data; content:"
]*?>((?P%[A-Fa-f0-9]{2})|(?P[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version:|22|0.8.0|22|"; distance:0; nocase; classtype:trojan-activity; sid:2016942; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".pkg"; http_uri; nocase; pcre:"/\/\d+\.pkg$/Ui"; classtype:trojan-activity; sid:2016943; rev:8;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|58 23 3a d4|"; within:4; classtype:trojan-activity; sid:2016945; rev:8;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Probable Nuclear exploit kit landing page"; flow:established,to_server; content:".html"; http_uri; content:"GET"; http_method; pcre:"/^\/[0-9a-f]{32}\.html$/U"; content:"Referer|3a|"; http_header; classtype:bad-unknown; sid:2016952; rev:8;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern:only; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:trojan-activity; sid:2016964; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Metasploit Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016965; rev:7;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; file_data; content:"a5chZev!"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016966; rev:7;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016970; rev:4;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 32-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016971; rev:5;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 32-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016972; rev:8;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016973; rev:7;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016974; rev:9;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Landing URI Format"; flow:established,to_server; content:"GET"; http_method; content:"/a"; depth:2; http_uri; pcre:"/^\/a[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?q[a-z]{4,11}=\d{6,7}$/U"; classtype:trojan-activity; sid:2016975; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload Download (9)"; flow:established,to_server; content:".txt?f="; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?f=\d+$/U"; classtype:trojan-activity; sid:2016976; rev:9;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole EK Initial Gate from Linked-In Mailing Campaign"; flow:established,to_server; content:"/linkendorse.html"; http_uri; classtype:trojan-activity; sid:2016984; rev:2;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; byte_test:4,>,2147483647,-8,relative; reference:cve,2013-1331; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017005; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Kuluoz.B Shipping Label Spam Campaign"; flow:established,to_server; content:".php?"; http_uri; content:"_info="; distance:1; within:6; http_uri; pcre:"/\.php\?[a-z]_info=[a-z0-9]{1,4}_\d+?$/Ui"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2017002; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Kuluoz.B Spam Campaign Shipment_Label.exe in Zip"; flow:from_server,established; content:"Shipment_Label.zip"; nocase; fast_pattern:only; http_header; file_data; content:"PK"; within:2; content:".exe"; distance:0; classtype:trojan-activity; sid:2017003; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Glazunov EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".zip"; http_uri; pcre:"/\/\d+\/\d\.zip$/U"; classtype:trojan-activity; sid:2017011; rev:7;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm (jvm.dll) Requested Over WeBDAV"; flow:established,to_server; content:"/jvm.dll"; http_uri; fast_pattern:only; pcre:"/\/jvm\.dll$/U"; reference:cve,2012-1533; classtype:trojan-activity; sid:2017012; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern:only; classtype:trojan-activity; sid:2017014; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Jar 1 June 12 2013"; flow:established,to_server; content:"/6u27.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017016; rev:7;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Jar 2 June 12 2013"; flow:established,to_server; content:"/6u41.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017017; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Jar 3 June 12 2013"; flow:established,to_server; content:"/7u17.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017018; rev:6;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"/.cache/?f|3d|"; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017019; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_user_agent; classtype:trojan-activity; sid:2017020; rev:10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 1"; flow:established,to_server; content:".php?"; http_uri; content:"3a313"; http_uri; fast_pattern:only; pcre:"/=(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017022; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 2"; flow:established,to_server;  content:".php?hash=I3QxW"; http_uri; fast_pattern:only; pcre:"/\.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017023; rev:5;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017024; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:trojan-activity; sid:2017028; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:trojan-activity; sid:2017029; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:trojan-activity; sid:2017030; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - In Referer"; flow:established,to_server; content:"/iniframe/"; http_header; content:"/"; distance:32; within:1; http_header; content:"/"; distance:1; within:5; http_header; content:"/"; distance:32; within:1; http_header; classtype:trojan-activity; sid:2017031; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect June 18 2013"; flow:established,to_client; file_data; content:",53,154,170,170,164,76,63,63,"; classtype:trojan-activity; sid:2017035; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:2017034; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Javadoc API Redirect CVE-2013-1571"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?//"; http_header; fast_pattern:only; pcre:"/^Referer\x3a\x20[^\r\n]+\/((index|toc)\.html?)?\?\/\//Hmi"; reference:cve,2013-1571; classtype:bad-unknown; sid:2017037; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2017038; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2017039; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:trojan-activity; sid:2017040; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern:only; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2017041; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern:only; content:"Java/1.6"; http_user_agent; classtype:trojan-activity; sid:2017042; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern:only; content:"Java/1.6"; http_user_agent; classtype:trojan-activity; sid:2017043; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern:only; content:"Java/1.6"; http_user_agent; classtype:trojan-activity; sid:2017044; rev:4;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:trojan-activity; sid:2017055; rev:1;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content: "download"; nocase; classtype:trojan-activity; sid:2017056; rev:1;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; classtype:trojan-activity; sid:2017058; rev:1;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity"; flow:established,from_server; file_data; content:").)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017064; rev:18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Pony Loader default URI struct"; flow:to_server,established; content:"GET"; http_method; content:"/pony"; http_uri; fast_pattern:only; content:"/gate.php"; http_uri; nocase; classtype:trojan-activity; sid:2017065; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Redirector To Landing Page"; flow:established,to_server; content:"/?wps="; http_uri; fast_pattern:only; pcre:"/^\x2F\x3Fwps\x3D[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017068; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern:only; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017069; rev:2;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit XOR decodeURIComponent"; flow:established,to_client; file_data; content:"xor(decodeURIComponent("; distance:0; classtype:trojan-activity; sid:2017071; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern:only; content:"<|22|+"; pcre:"/^(?P.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:trojan-activity; sid:2017070; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:""; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:trojan-activity; sid:2020975; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern:only; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?P[^\s,\x29]+)\s*?,\s*?(?P[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:trojan-activity; sid:2020979; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"some"; fast_pattern:only; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:trojan-activity; sid:2020980; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Flash Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".swf"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.swf\r\n/Hm"; file_data; content:"WS"; within:3; classtype:trojan-activity; sid:2020981; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK SilverLight Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".xap"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.xap\r\n/Hm"; file_data; content:"AppManifest.xaml"; fast_pattern:only; classtype:trojan-activity; sid:2020982; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2020983; rev:3;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK PDF Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".pdf"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{7,8}\d{2,3}\.pdf\r\n/Hm"; file_data; content:"PDF-"; within:500; classtype:trojan-activity; sid:2020984; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Secondary Landing Apr 20 2015"; flow:established,from_server; file_data; content:"2147023083"; content:"BlackList"; nocase; content:"lenBadFiles"; nocase; fast_pattern:only; content:"ProgFilePath"; nocase; content:"lenProgFiles"; nocase; classtype:trojan-activity; sid:2020985; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020986; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with Powershell via LNK file (observed in Sundown EK)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"c|00|m|00|d|00|.|00|e|00|x|00|e"; nocase; content:"P|00|o|00|w|00|e|00|r|00|S|00|h|00|e|00|l|00|l"; nocase; content:"D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|F|00|i|00|l|00|e"; nocase; classtype:trojan-activity; sid:2020987; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK URI Struct T1 Apr 24 2015"; flow:established,to_server; content:"/street"; http_uri; fast_pattern:only; pcre:"/\/street[1-5]\.php$/U"; classtype:trojan-activity; sid:2020988; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; content:"/XV-"; fast_pattern:only; pcre:"/\/XV-\d+\.exe$/U"; classtype:trojan-activity; sid:2020989; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Secondary Landing T1 M2 Apr 24 2015"; flow:established,from_server; file_data; content:"System.Net.WebClient"; nocase; content:"Powershell"; nocase; content:"DownloadFile"; nocase; content:"|3b|d=unescape(m)|3b|document.write(d)|3b|"; classtype:trojan-activity; sid:2020990; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:Flash[23]?|Ink|New|One|HQ).exe$/U"; classtype:trojan-activity; sid:2020991; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M2 Apr 24 2015"; flow:established,to_server; content:"/BrowserUpdate.lnk"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2020992; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS IonCube Encoded Page (no alert)"; flow:established,from_server; file_data; content:"javascript>c=|22|"; content:"|3b|eval(unescape("; flowbits:noalert; flowbits:set,ET.IonCube; classtype:trojan-activity; sid:2020993; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Flash Exploit Struct T2 Apr 24 2015"; flow:established,to_server; flowbits:isset,ET.IonCube; content:"/"; http_uri; content:".swf"; http_uri; distance:4; within:4; pcre:"/\/(?=[A-Za-z]{0,3}\d)(?=\d{0,3}[A-Za-z])[A-Za-z0-9]{4,5}\.swf$/U"; content:".php"; http_header; classtype:trojan-activity; sid:2020994; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:"/|20|http|3a|/"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x20http\x3a\x2f/U"; classtype:trojan-activity; sid:2021033; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"/5/"; http_uri; fast_pattern; content:"http|3a|/"; distance:0; http_uri; pcre:"/\/5\/[a-f0-9]{32}\/\x20*http\x3a\x2f/U"; classtype:trojan-activity; sid:2021034; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Java Exploit URI Struct April 29 2015"; flow:established,to_server; content:"Java/"; http_user_agent; fast_pattern:only; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)?$/U"; classtype:trojan-activity; sid:2021035; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern:only; pcre:"/\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)?$/U"; classtype:trojan-activity; sid:2021036; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?/RH"; classtype:trojan-activity; sid:2021037; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK POST Beacon April 29 2015"; flow:established,to_server; content:"POST"; http_method; content:"0/"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; fast_pattern:21,20; content:"%"; http_client_body; pcre:"/^\/[a-z]+\/[a-z]+\//U"; pcre:"/^-?\d+=(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P<var1>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){6}(?P<var2>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P=var2)(?:[a-zA-Z0-9]|%[A-F0-9]{2}){4}(?P=var1)/P"; classtype:trojan-activity; sid:2021038; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:trojan-activity; sid:2021039; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?$/U"; content:"/%20http%3A"; http_header; fast_pattern:only; flowbits:set,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021042; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021043; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021044; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern:only; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021045; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:trojan-activity; sid:2021046; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:trojan-activity; sid:2021047; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:trojan-activity; sid:2021048; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:trojan-activity; sid:2021054; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (23)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021059; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Receiving Payload May 7 2015"; flow:established,from_server; content:"Content-Type|3a 20|application/postscript|0d 0a|"; http_header; fast_pattern:18,20; content:"Cache-Control|3a 20|no-cache,no-store,max-age=0,must-revalidate|0d 0a|"; http_header; content:"Content-Disposition|3a 20|inline|3b| filename="; http_header; pcre:"/^[a-z]{10}\.[a-z]{3}\r?$/RHm"; classtype:trojan-activity; sid:2021064; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"JnB3ZD"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021081; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"Zwd2Q9"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021082; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"mcHdkP"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021083; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WebRTC IP tracker Observed in DNSChanger EK May 12 2015"; flow:established,from_server; file_data; content:"function getIPs|28|callback|29|"; nocase; fast_pattern; content:"ip_dups"; nocase; content:"handleCandidate"; nocase; content:"RTCPeerConnection"; nocase; reference:url,github.com/diafygi/webrtc-ips; classtype:trojan-activity; sid:2021089; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:"<input type=|22|hidden|22| id=|22|myip|22|>"; nocase; fast_pattern:11,20; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021090; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021110; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (24)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021126; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (25)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021127; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern:only; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:trojan-activity; sid:2021136; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern:only; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021137; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing URI Struct May 22 2015"; flow:to_server,established; content:"/stat/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/^GET\s*?\/stat\/load(?=(?-i)[a-z0-9]*?[A-Z])(?=(?-i)[A-Z0-9]*?[a-z])(?P<hname>[a-z0-9]+)\.php\s.+?Host\x3a\x20(?P=hname)\./smi"; classtype:trojan-activity; sid:2021141; rev:2;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:2;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Exploit URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f?[^\x2f]+\/[a-z]{3,20}((?P<sep>[_-]?)[a-z]{3,20}(?P=sep)(?:[a-z]{3,20}(?P=sep))?)?[a-z]{3,20}\/\d{10,20}(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,AnglerEK.Struct; classtype:trojan-activity; sid:2021157; rev:8;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS suspicious VBE-encoded script (seen in Sundown EK)"; flow:established,from_server; file_data; content:"Script.Encode"; content:"<!--"; within:8; content:"#@~"; within:5; flowbits:set,et.exploitkitlanding; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021169; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 2 2015"; flow:established,from_server; file_data; content:"<title>WARNING|3a| INTERNET SECURITY ALERT"; nocase; fast_pattern; content:"function myFunction|28 29|"; nocase; distance:0; content:"Due to Suspicious Activity"; nocase; distance:0; classtype:trojan-activity; sid:2021177; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M1"; flow:established,to_client; file_data; content:"MICROSOFT WINDOWS SECURITY ALERT"; nocase; fast_pattern; content:"WARNING: VIRUS CHECK"; nocase; distance:0; classtype:trojan-activity; sid:2021181; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M2"; flow:established,to_client; file_data; content:"WARNING: VIRUS CHECK"; fast_pattern; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"There is a .net frame work file missing due to some harmfull virus"; nocase; distance:0; classtype:trojan-activity; sid:2021182; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M3"; flow:established,to_client; file_data; content:"Advised System Support!"; fast_pattern; nocase; content:"Your Computer May Not Be Protected"; nocase; distance:0; content:"Possible network damages if virus not removed immediately"; nocase; distance:0; classtype:trojan-activity; sid:2021183; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 8 2015 M1"; flow:established,to_client; file_data; content:"INTERNET BROWSER PROCESS WARNING ERROR"; nocase; fast_pattern:33,20; content:"WINDOWS HEALTH IS CRITICAL"; nocase; distance:0; classtype:trojan-activity; sid:2021206; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 8 2015 M2"; flow:established,to_client; file_data; content:"Norton Firewall Warning"; fast_pattern:18,20; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"Windows has blocked access to the Internet."; nocase; distance:0; classtype:trojan-activity; sid:2021207; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:trojan-activity; sid:2021217; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"base64decode"; nocase; content:"xxtea_decrypt"; nocase; fast_pattern:only; content:"long2str"; nocase; content:"str2long"; nocase; classtype:trojan-activity; sid:2021218; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern:only; content:"/index.html"; http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:trojan-activity; sid:2021219; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 11"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021248; rev:7;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 11 2015"; flow:established,from_server; content:"javascript"; http_header; content:"nginx"; nocase; http_header; file_data; pcre:"/^\s*?/Rs"; content:"document.write|28 28 22|"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:trojan-activity; sid:2022341; rev:2;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:trojan-activity; sid:2022349; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"SECURITY WARNING"; fast_pattern:3,20; content:"0x0000007E"; nocase; distance:0; content:"0xFFFFFFFFFC000000047"; nocase; distance:0; content:"Serious security threat"; nocase; distance:0; content:"msg.mp3"; nocase; classtype:trojan-activity; sid:2022364; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS"; content:"WINDOWS HEALTH IS CRITICAL"; fast_pattern:6,20; distance:0; content:"myFunction()|3b|"; classtype:trojan-activity; sid:2022365; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"getURLParameter"; nocase; content:"PhoneNumber"; nocase; distance:0; content:"AlertMessage"; content:"Windows Certified Support"; fast_pattern:5,20; nocase; distance:0; content:"myFunction"; nocase; distance:0; content:"needToConfirm"; nocase; distance:0; content:"msg1.mp3"; nocase; distance:0; classtype:trojan-activity; sid:2022366; rev:2;)
+
+#alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Chrome Extension Phishing DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"chrome-extension"; nocase; distance:0; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022372; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Extension Phishing HTTP Request"; flow:to_server,established; content:"Host|3a| chrome-extension."; http_header; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022373; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious LastPass URI Structure - Possible Phishing"; flow:established,to_server; content:"GET"; http_method; content:"/tabDialog.html?dialog=login"; http_uri; fast_pattern:only; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022374; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Script Loaded from Pastebin"; flow:established,to_client; file_data; content:"pastebin.com/raw"; fast_pattern:only; content:"<script "; pcre:"/^(?:(?!<\/script>).)*?src\s*=\s*\x5c?[\x22\x27]https?\x3a\/\/(?:www\.)?pastebin\.com\/raw(?:\/|\.php\?i=)[A-Z-a-z0-9]{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2022376; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Critical Error"; nocase; content:"WINDOWS VIRUS"; nocase; content:".net framework file missing"; nocase; fast_pattern:7,20; content:"contact Microsoft Support"; nocase; distance:0; classtype:trojan-activity; sid:2022409; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chrome Tech Support Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function pop"; fast_pattern; nocase; content:"function progressUpdate"; nocase; content:"Operating System"; nocase; content:"Browser"; nocase; content:"Internet Provider"; nocase; content:"Location"; nocase; content:"Scan progress"; nocase; classtype:trojan-activity; sid:2022410; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:>5; content:"/?3b"; http_uri; depth:4; pcre:"/^\/\?3b[A-Z0-9a-z]{2}(&subid=[^&]*)?$/U"; flowbits:set,evil.Keitaro; flowbits:noalert; classtype:trojan-activity; sid:2022464; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (Known Evil Keitaro TDS)"; flow:established,from_server; flowbits:isset,evil.Keitaro; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; classtype:trojan-activity; sid:2022465; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Keitaro TDS Redirect"; flow:established,from_server; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; nocase; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; pcre:"/Date\x3a\x20(?P<dstring>[^\r\n]+)\r\n.*?Last-Modified\x3a\x20(?P=dstring)\r\n/Hs"; content:"Cache-Control|3a 20|max-age=0|0d 0a|Pragma|3a 20|no-cache|0d 0a|"; classtype:bad-unknown; sid:2022466; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Evil Redirect Leading to EK Feb 01 2016"; flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65 78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern:32,20; distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61 65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30 30 30 30|"; nocase; within:500; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:trojan-activity; sid:2022479; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Compromised WP Feb 01 2016"; flow:established,from_server; file_data; content:"|5c 22 5d 5d 2e 6a 6f 69 6e 28 5c 22 5c 22 29 3b 22 29 29 3b 2f 2a|"; fast_pattern:2,20; pcre:"/^\s*[a-f0-9]{32}\s*\x2a\x2f/R"; reference:url,blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html; classtype:trojan-activity; sid:2022481; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG encrypted payload Feb 02 (1)"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:trojan-activity; sid:2022484; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Landing via GetGoPhish Phishing Tool"; flow:to_server,established; content:"GET"; http_method; content:"?rid="; http_uri; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}$/Ui"; reference:url,getgophish.com; classtype:trojan-activity; sid:2022486; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Phishing Attempt via GetGoPhish Phishing Tool"; flow:to_server,established; content:"POST"; http_method; content:"?rid="; http_header; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}\x0d\x0a/Hi"; reference:url,getgophish.com; classtype:trojan-activity; sid:2022487; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 05 2016"; flow:established,to_server; content:"/?keyword="; http_uri; fast_pattern:only; pcre:"/\/\?keyword=(?:(?=[a-f]{0,31}[0-9])(?=[0-9]{0,31}[a-f])[a-f0-9]{32}|\d{5})$/U"; classtype:trojan-activity; sid:2022493; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:trojan-activity; sid:2022496; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 6th M1"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"id="; depth:3; nocase; http_client_body; content:"&password="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022497; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 6th M2"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"fName="; depth:6; nocase; http_client_body; content:"&lName="; nocase; http_client_body; distance:0; content:"&ZIPCode="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022498; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 6th M3"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"ccNum="; depth:6; nocase; http_client_body; content:"&NameOnCard="; nocase; http_client_body; distance:0; content:"&CVV="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022499; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Xbagger Macro Encrypted DL"; flow:established,to_server; content:".jpg?"; http_uri; fast_pattern:only; content:"MSIE 7.0|3b| Windows NT"; http_header; content:"Range"; http_header; pcre:"/^\/[a-z0-9]+\.jpg\?(?=[a-z0-9]*[A-Z]+[a-z0-9])[A-Za-z0-9]+=\d{1,4}$/U"; classtype:trojan-activity; sid:2022500; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dridex AlphaNum DL Feb 10 2016"; flow:established,to_server; urilen:15<>50; content:"MSIE 7.0|3b| Windows NT"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; content:!"="; http_uri; content:!"&"; http_uri; content:!"?"; http_uri; pcre:"/\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}$/U"; content:!"Cookie|3a|"; classtype:trojan-activity; sid:2022503; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<!-- get the phone number"; nocase; fast_pattern:5,20; content:"//Flag we have not run the script"; nocase; distance:0; content:"//This is the scripting used to replace"; nocase; distance:0; content:"// alert the visitor with a message"; nocase; distance:0; content:"// Setup whatever you want for an exit"; nocase; distance:0; classtype:trojan-activity; sid:2022525; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"background-color|3a| #FF1C1C|3b|"; fast_pattern:6,20; nocase; content:"color|3a| #FFFFFF|3b|"; nocase; distance:0; content:"function countdown"; nocase; distance:0; content:"function updateTimer"; nocase; distance:0; classtype:trojan-activity; sid:2022526; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; fast_pattern:3,20; nocase; content:"src=|22|a1.mp4|22|"; nocase; distance:0; content:"To STOP Deleting Hard Drive"; nocase; distance:0; classtype:trojan-activity; sid:2022527; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function main_alert"; nocase; fast_pattern; content:"WARNING"; nocase; distance:0; content:"Your hard drive will be DELETED"; nocase; distance:0; content:"To Stop This Process"; nocase; distance:0; classtype:trojan-activity; sid:2022528; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Feb 17"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"keyframes poplzatvci"; fast_pattern; content:"#lzatvciovlwmiiqxbwxywuerkhtunrlvherk"; nocase; distance:0; classtype:trojan-activity; sid:2022530; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dridex DL Pattern Feb 18 2016"; flow:established,to_server; content:"GET"; http_method; content:".exe?."; http_uri; fast_pattern:only; pcre:"/\.exe\?\.\d+$/U"; content:"MSIE 7.0|3b| Windows NT"; http_user_agent; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022549; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|o(?:sts?\/[a-z0-9]+|ny[a-z]*)|rogcicicic|m\d{1,2})|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|vchost[^\x2f]*|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|in(?:voice(?:\/[^\x2f]+|[^\x2f]*)|st\d+|fos?)|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|[\x2f\s]order|keem)\.exe$)/Ui"; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!".bitdefender.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2022550; rev:15;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:trojan-activity; sid:2022565; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_user_agent; depth:45; content:!"Referer|3a|"; http_header; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!"leg1.state.va.us"; http_header; nocase; classtype:trojan-activity; sid:2022566; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:trojan-activity; sid:2022567; rev:2;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:trojan-activity; sid:2022574; rev:3;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M1 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"helpdesk"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022575; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M2 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorcode"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022576; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phishing Landing Obfuscation Mar 1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"%75%6E%65%73%63%61%70%65%3D%66%75%6E%63%74%69%6F%6E"; fast_pattern:31,20; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%32%36%22%2C%20%22%67%22%29%2C%20%22%26%22%29%3B"; distance:0; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%33%42%22%2C%20%22%67%22%29%2C%20%22%3B%22%29%3B"; distance:0; content:"%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65"; distance:0; content:"%72%65%70%6C%61%63%65%28%27%3C%21%2D%2D%3F%2D%2D%3E%3C%3F%27%2C%27%3C%21%2D%2D%3F%2D%2D%3E%27%29%29%3B"; distance:0; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:trojan-activity; sid:2022578; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 1"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"GRANT ALTER, ALTER ROUTINE"; distance:0; nocase; within:30; content:"TO root@% WITH"; fast_pattern:only; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022579; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 2"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"set global log_bin_trust_function_creators=1"; fast_pattern:only; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022580; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 3"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"select unhex("; fast_pattern; distance:0; content:"into dumpfile|20 27|"; distance:0; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022581; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M1 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorfound"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022591; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M2 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unattendedfile"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022592; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M3 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"internetsituation"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022593; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Landing - Data URI Inline Javascript Mar 7"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"data|3a|text/html|3b|"; fast_pattern; content:"|3b|base64,"; distance:0; within:21; pcre:"/^[^\x22|\x27]+<\s*?script(?:(?!<\s*?\/\s*?script).)+?data\x3atext\/html\x3b(?:charset=UTF-8\x3b)?base64\x2c/si"; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:trojan-activity; sid:2022597; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Fake Support Phone Scam Mar 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; nocase; content:"function myFunction()"; pcre:"/^\s*?\{\s*?setInterval\s*?\(\s*?function/Rsi"; content:"alert2.mp3"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2022602; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 8"; flow:established,from_server; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; nocase; content:"onclick=|22|myFunction|28 29 3b 22|"; nocase; content:"onkeydown=|22|myFunction|28 29 3b 22|"; nocase; content:"onunload=|22|myFunction|28 29 3b 22|"; nocase; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:trojan-activity; sid:2022603; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Enom Phish Mar 8"; flow:to_server,established; content:"POST"; http_method; content:"enom"; http_header; nocase; content:"ctl00_ScriptManager"; depth:19; nocase; fast_pattern; http_client_body; content:"user="; nocase; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; content:"Login=Login"; nocase; distance:0; http_client_body; reference:url,welivesecurity.com/2016/03/07/beware-spear-phishers-hijack-website/; classtype:trojan-activity; sid:2022604; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M1"; flow:established,from_server; file_data; content:"Callpixels"; fast_pattern; nocase; pcre:"/^\s*?\.\s*?Campaign\s*?\(\s*?\{\s*?campaign_key/Rsi"; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:trojan-activity; sid:2022605; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M2"; flow:established,from_server; file_data; content:"//Flag we have not"; fast_pattern; nocase; content:"//The location of the page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; content:"//allow for the traffic source to send in their own default number"; nocase; distance:0; content:"//if no unformatted number just use it"; nocase; distance:0; classtype:trojan-activity; sid:2022606; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M3"; flow:established,from_server; file_data; content:"<title>ALERT"; fast_pattern; content:"makeNewPosition"; nocase; distance:0; content:"animateDiv"; nocase; distance:0; content:"div.fakeCursor"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:trojan-activity; sid:2022607; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Mar 9 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function myFunction"; nocase; fast_pattern; content:"MICROSOFT COMPUTER HAS BEEN BLOCKED"; nocase; distance:0; content:"Windows System Alert"; nocase; distance:0; content:"Contact Microsoft"; nocase; distance:0; classtype:trojan-activity; sid:2022608; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Chase Phishing Domain Mar 14"; flow:to_server,established; content:"GET"; http_method; content:"chase.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"chase.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+chase\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022615; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Apple Phishing Domain Mar 14"; flow:to_server,established; content:"GET"; http_method; content:"apple.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"apple.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+apple\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022616; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible USAA Phishing Domain Mar 14"; flow:to_server,established; content:"GET"; http_method; content:"usaa.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"usaa.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+usaa\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022617; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Paypal Phishing Domain Mar 14"; flow:to_server,established; content:"GET"; http_method; content:"paypal.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"paypal.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022618; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Mar 15"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security"; fast_pattern; nocase; content:"function DetectMobile"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"Please call"; nocase; distance:0; classtype:trojan-activity; sid:2022619; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:trojan-activity; sid:2022620; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:trojan-activity; sid:2022621; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; content:"/image/"; http_uri; depth:13; content:".exe"; http_uri; fast_pattern:only; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/Ui"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022622; rev:2;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"suspiciousactivity"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022625; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:trojan-activity; sid:2022628; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f|"; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; distance:0; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; classtype:trojan-activity; sid:2022629; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M2"; flow:established,to_server; content:"/imp/one.trk?wid="; http_uri; classtype:trojan-activity; sid:2022630; rev:2;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorunauthorized"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022631; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"drivercrashed"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022632; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"computer-is-locked"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022633; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Mar 22 2016"; flow:established,from_server; file_data; content:"|6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 2e 55 41 20 3d 20 55 41|"; content:"|2e 73 70 6c 69 74 28 22 2c 22 29 2c 20 69 3d 30 2c 20 6b 3b 20 66 6f 72 20 28 3b 20 6b 20 3d 20 61 5b 69 5d 2c 20 69 20 3c 20 61 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 72 2e 70 75 73 68 28|"; content:"|2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 20 74 72 79 20 7b 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28|"; classtype:trojan-activity; sid:2022635; rev:2;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 23"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unauthorized-transaction"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022648; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Mar 23"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*?\(\s*?function\s*?\(\s*?\)\s*?\{\s*?alert\s*?\(/Rsi"; content:"<audio"; nocase; distance:0; classtype:trojan-activity; sid:2022649; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Dridex Binary Download Mar 23 2016"; flow:to_server,established; content:"GET"; http_method; content:"/dana/home.php"; http_uri; fast_pattern; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"MSIE 7.0"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/\/home\.php$/U"; reference:md5,2f32bf996e093d5a4107d6daa6c51ec4; classtype:trojan-activity; sid:2022650; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Flash Update Mar 23"; flow:established,to_client; file_data; content:"<title>Flash"; nocase; fast_pattern; content:"#prozor"; nocase; distance:0; content:"#dugme"; nocase; distance:0; content:"Latest version of Adobe"; nocase; distance:0; classtype:trojan-activity; sid:2022651; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.WinHttpRequest.no.exe.request; classtype:trojan-activity; sid:2022653; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"WinHttp.WinHttpRequest."; http_header;  pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/Ui"; classtype:trojan-activity; sid:2022658; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"Cookie|3a|"; content:!"[DYNAMIC]"; http_header; pcre:"/^\/(?=[a-z][a-z\x2f]*\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d)[a-z0-9\x2f]+\/$/U"; classtype:trojan-activity; sid:2022666; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z][a-z\x2f]*-[a-z\x2f]+-)[a-z\x2f-]+\/$/U"; classtype:trojan-activity; sid:2022682; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 28 2016"; flow:established,to_server; content:"HEAD"; http_method; content:"User-Agent|3a 20|Microsoft BITS/7.5|0d 0a|"; http_header; fast_pattern:12,20; content:".exe"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+(?:xyz|pw)\r?$/Hmi"; reference:md5,d599a63fac0640c21272099f39020fac; classtype:trojan-activity; sid:2022686; rev:4;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 30 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"diskissue"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022690; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 30 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"avirus"; fast_pattern; distance:0; nocase; content:!"|07|spotify|03|com"; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022691; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Apr 1"; flow:established,to_client; file_data; content:"<title>SYSTEM ERROR WARNING"; fast_pattern; nocase; content:"function loadNumber"; nocase; distance:0; content:"campaign_key:"; nocase; distance:0; classtype:trojan-activity; sid:2022695; rev:2;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"callasap"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022696; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Apr 4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"catchControlKeys"; fast_pattern; content:"// Ctrl+U"; nocase; distance:0; content:"// Ctrl+C"; nocase; distance:0; content:"// Ctrl+A"; nocase; distance:0; content:"//e.cancelBubble is supported by IE"; nocase; distance:0; content:"//e.stopPropagation works in Firefox"; nocase; distance:0; classtype:trojan-activity; sid:2022697; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:trojan-activity; sid:2022724; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:trojan-activity; sid:2022725; rev:2;)
+
+alert tcp any !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Open MGate Device"; flow:established,from_server; content:"Model name|20|"; pcre:"/^\x20+\x3a\x20MGate/R"; content:"|0d 00 0a|MAC address|20|"; distance:0; pcre:"/^\x20+\x3a\x20(?:[0-9A-F]{2}\x3a){5}[0-9A-F]{2}\x0d\x00\x0a/R"; classtype:successful-admin; sid:2022732; rev:2;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M3 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yourcomputer"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022739; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unusualactivity"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022740; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yoursystem"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022741; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"howcanwehelp"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022742; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"bluescreen"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022743; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"cloud-on"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022744; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"call-now"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022745; rev:1;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 20 2016"; flow:established,to_server; urilen:5; content:"/get2"; http_uri; content:"bc3ad="; http_cookie; classtype:trojan-activity; sid:2022751; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 21 2016 M2"; flow:established,to_server; content:"/idx.aspx?sid="; http_uri; content:"&bcOrigin="; http_uri; content:"&rnd="; http_uri; distance:0; classtype:trojan-activity; sid:2022752; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016 (fbset)"; flow:established,to_server; urilen:11<>57; content:".js"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{2,20}\/[a-z]{2,20}\/(?:(?:(?:featur|quot)e|ip)s|d(?:ropdown|etect)|co(?:mpiled|re)|header|jquery|lang|min|ga)\.js$/U"; flowbits:set,ET.WordJS; flowbits:noalert; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:trojan-activity; sid:2022770; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016"; flow:established,from_server; flowbits:isset,ET.WordJS; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; file_data; content:"<iframe"; within:7; fast_pattern; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:trojan-activity; sid:2022771; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 28 2016"; flow:established,from_server; file_data; content:"|3d 22 5c 78 32|"; content:"|3d 22 5c 78 36|"; content:"|3d 22 5c 78 37|"; fast_pattern:only; content:"</span>"; content:!"<span>"; distance:-500; within:500; pcre:"/^\s*?<script>\s*?(?:[A-Za-z][A-Za-z\d+]+\s*?\+?=\s*(?:[A-Za-z][A-Za-z\d]+|[\x22\x27]\\x[2-7][0-9a-fA-F](?:\\x[2-7][0-9a-fA-F]){0,4}[\x22\x27])\s*?\x3b){20}/Rs"; reference:url,researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/; classtype:trojan-activity; sid:2022772; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 29 2016"; flow:established,from_server; file_data; content:"|69 32 33 33 36 20 3d 3d 20 6e 75 6c 6c|"; nocase; fast_pattern:only; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 44 49 56 20 69 64 3d 63 68 65 63 6b 35 32 34 20 73 74 79 6c 65 3d 22 44 49 53 50 4c 41 59 3a 20 6e 6f 6e 65 22 3e|"; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d 22|"; classtype:trojan-activity; sid:2022774; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (delivered via e-mail)"; flow:established,from_server; file_data; content:"|3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 69 6e 6b 2d 70 72 6f 64 75 63 74 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 70 6c 65 61 73 65 2d 77 61 69 74 2e 67 69 66 22|"; nocase; fast_pattern:17,20; content:"|61 6c 74 3d 22 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 22 2f 3e|"; nocase; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d|"; nocase; classtype:trojan-activity; sid:2022779; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Fake Support Phone Scam May 10"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive Safety"; nocase; content:"myFunction()"; content:"Warning|3a| Internet Security Damaged"; content:"err.mp3"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2022802; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK May 13 2016"; flow:established,from_server; file_data; content:"|3c 74 69 74 6c 65 3e 53 65 61 72 63 68 3c 2f 74 69 74 6c 65 3e|"; content:"|23 6c 6c 6c 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d|"; fast_pattern; content:"|3c 64 69 76 20 69 64 3d 22 6c 6c 6c 22 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; classtype:trojan-activity; sid:2022805; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE May 2016 (Mozilla compatible)"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"Mozilla/4.0|20|(compatible|3b|)"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/Ui"; reference:md5,f29a3564b386e7899f45ed5155d16a96; classtype:trojan-activity; sid:2022830; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN May 2016 (No UA)"; flow:established,to_server; content:"GET"; http_method; content:"/system/"; depth:8; http_uri; nocase; fast_pattern; pcre:"/^\/system\/(?:cache|logs)\/[^\x2f]+\.(?:exe|dll|doc|bin)$/Ui"; content:!"Referer|3a 20|"; http_header; reference:md5,c6747ca29d5c28f4349a5a8343d6b025; classtype:trojan-activity; sid:2022834; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2022841; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M4 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Official"; nocase; fast_pattern:2,20; content:"function stopNavigate"; nocase; distance:0; content:"<audio autoplay="; nocase; content:"autoplay"; nocase; distance:1; classtype:trojan-activity; sid:2022853; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M5 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// escape function context"; nocase; content:"// necessary to prevent infinite loop"; nocase; distance:0; content:"// that kills your browser"; nocase; distance:0; fast_pattern:6,20; content:"// pressing leave will still leave, but the GET may be fired first anyway"; nocase; distance:0; classtype:trojan-activity; sid:2022854; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M3 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Error"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert\s*\([\x22\x27]\s*Warning/Rsi"; classtype:trojan-activity; sid:2022855; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script to pull the number yet"; nocase; content:"// alert the visitor"; fast_pattern; nocase; distance:0; content:"// repeat alert, whatever you want them to see"; nocase; distance:0; content:"// end function goodbye"; nocase; distance:0; classtype:trojan-activity; sid:2022856; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function countdown"; nocase; content:"function loadNumber"; nocase; distance:0; content:"function main_alert"; nocase; distance:0; fast_pattern; content:"function repeat_alert"; nocase; distance:0; content:"function goodbye"; nocase; distance:0; classtype:trojan-activity; sid:2022857; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign"; flow:to_server,established; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:6,20; content:".exe"; http_uri; nocase; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:misc-activity; sid:2022858; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 03 2016"; flow:established,to_server; content:"/wordpress/?"; http_uri; depth:12; pcre:"/^\/wordpress\/\?[A-Za-z0-9]{4}(?:&utm_source=le)?$/U"; classtype:trojan-activity; sid:2022859; rev:5;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; fast_pattern:77,20; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1;  content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:trojan-activity; sid:2022869; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS EXE Download from specific file share site (used in recent maldoc campaign)"; flow:to_server,established; content:".exe"; http_uri; content:"Host|3a 20|a.pomf.cat|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,c321f38862a24dc8a72a251616b3afdf; classtype:trojan-activity; sid:2022884; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; content:!"sync-eu.exe.bid"; http_header; classtype:trojan-activity; sid:2022894; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Xbagger Macro Encrypted DL Jun 13 2016"; flow:established,to_server; content:".jpg?"; http_uri; fast_pattern:only; content:"MSIE 7.0|3b| Windows NT"; http_header; content:"Range"; http_header; pcre:"/^\/[a-z0-9_-]+\.jpg\?[A-Za-z0-9]{2,10}=\d{1,4}$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022895; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"; flow:established,to_server; content:".exe"; nocase; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2022896; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 14 2016"; flow:established,from_server; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R";content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:trojan-activity; sid:2022898; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|bc3ad="; fast_pattern:only; content:"campaigns"; http_cookie; classtype:trojan-activity; sid:2022904; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:trojan-activity; sid:2022905; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M1"; flow:established,to_server; content:"/js/analytic.php?id="; http_uri; fast_pattern:only; pcre:"/^\/js\/analytic\.php\?id=\d+&tz=\-?\d+&rs=\d+x\d+$/Ui"; classtype:trojan-activity; sid:2022909; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M2"; flow:established,from_server; file_data; content:"&tz=|27|+tzSignature()+|27|&rs=|27|+rsSignature()+"; fast_pattern:only; content:"document.write("; pcre:"/^[\x22\x27](?!<script)[\x22\x27+\s]*<[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[^\r\n]+\.php\?id=\d+&tz=\x27\+tzSignature\x28\x29\+\x27&rs=/R"; classtype:trojan-activity; sid:2022910; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jun 26 2016"; flow:established,from_server; file_data; content:"|2c 2d dd 4b 40 44 77 41|"; within:9; classtype:trojan-activity; sid:2022916; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M1"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; http_header; content:"Alert!"; nocase; http_header; distance:0; fast_pattern; content:"has been blocked"; http_header; nocase; classtype:trojan-activity; sid:2022925; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx508"; fast_pattern; nocase; content:"Warning_0001"; nocase; distance:0; classtype:trojan-activity; sid:2022926; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M3"; flow:to_server,established; content:"GET"; http_method; content:"your-computer-is-locked-"; nocase; http_uri; fast_pattern; content:"your-computer-is-locked-"; http_uri; distance:0; nocase; classtype:trojan-activity; sid:2022927; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"Warning|3a 20|Internet Security"; nocase; distance:0; classtype:trojan-activity; sid:2022928; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Pony DLL Download"; flow:established,to_server; content:"/pm"; http_uri; content:".dll"; http_uri; fast_pattern:only; pcre:"/\/pm\d?\.dll$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022939; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"/~"; http_uri; depth:2;  content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r$/Hm"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)"; flow:established,to_server; content:".dll"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022941; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jul 05 2016"; flow:established,from_server; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:trojan-activity; sid:2022949; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown/Xer EK Landing Jul 06 2016 M1"; flow:established,from_server; content:"X-Powered-By|3a 20|Yugoslavian Business Network"; http_header; fast_pattern:12,20; content:"Content-Type|3a 20|text/html|3b|"; http_header; content:"nginx"; http_header; flowbits:set,SunDown.EK; reference:url,blog.talosintel.com/2016/10/sundown-ek.html; classtype:trojan-activity; sid:2023480; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jul 7"; flow:to_server,established; content:"GET"; http_method; content:".dill/?ip="; fast_pattern; nocase; http_uri; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; classtype:trojan-activity; sid:2022954; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jul 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"default_number|3b|"; nocase; distance:0; content:"default_plain_number|3b|"; fast_pattern; nocase; distance:0; content:"plain_number|3b|"; nocase; distance:0; content:"loco_params|3b|"; nocase; distance:0; content:"loco|3b|"; nocase; distance:0; classtype:trojan-activity; sid:2022955; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 10 M2"; flow:established,from_server; file_data; content:"|76 61 72 20 66 72 61 67 6d 65 6e 74 20 3d 20 63 72 65 61 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a|"; classtype:trojan-activity; sid:2022956; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 10 M1"; flow:established,to_server; content:".js?chebstr=0."; http_uri; pcre:"/\.js\?chebstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022957; rev:2;)
+
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]*?<iframe src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>[^<>]*?\n[^<>]*?<\/span>/Rsi"; classtype:trojan-activity; sid:2022962; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 13 2016 2"; flow:established,to_server; content:"POST"; http_method; content:".swf"; nocase; http_header; content:"|4d 61 6e 75 66 75 63 6b|"; nocase; http_client_body; content:"|4d 61 63 72 6f 77 69 6e|"; nocase; http_client_body; classtype:trojan-activity; sid:2022964; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Dropbox Phish Nov 20"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"mailtype="; depth:9; nocase; http_client_body; fast_pattern; content:"&Email"; distance:0; nocase; http_client_body; content:"&Passwd"; distance:0; nocase; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2022967; rev:2;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious SMTP Settings in XLS - Possible Phishing Document"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:trojan-activity; sid:2022974; rev:1;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of Oklahoma Phish Jul 21 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"__RequestVerificationToken="; depth:27; http_client_body; content:"&forgotPassword="; nocase; distance:0; http_client_body; content:"&lat="; nocase; distance:0; http_client_body; content:"&userName="; nocase; distance:0; http_client_body; fast_pattern; content:"&password="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2022978; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of Oklahoma Phish Jul 21 M2"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"__RequestVerificationToken="; depth:27; http_client_body; content:"&bankId="; fast_pattern; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&q1="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2022979; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 21 M1"; flow:to_server,established; content:"GET"; http_method; content:"/your-computer-is-locked-call-us-at-tollfreenow"; fast_pattern:27,20; nocase; http_uri; content:"your-computer-is-locked-call-us-at-tollfreenow"; nocase; distance:0; http_uri; classtype:trojan-activity; sid:2022980; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 21 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern; content:"beep.mp3"; nocase; distance:0; content:"function alertCall"; nocase; distance:0; content:"function alertTimed"; nocase; distance:0; content:"function alertLoop"; nocase; distance:0; classtype:trojan-activity; sid:2022981; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Settings Phishing Landing Jul 22"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Windows Settings"; fast_pattern; nocase; distance:0; content:"Enter account password"; nocase; distance:0; classtype:trojan-activity; sid:2024098; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Maldoc Downloading EXE Jul 26 2016"; flow:established,to_server;content:!".exe"; http_uri; nocase; pcre:"/\/(?:[a-z0-9]+_){4,}[a-z0-9]+(?:\/[a-f0-9]+)*?\/[a-f0-9]+\.(?![Ee][Xx][Ee])[a-z0-9]+$/U"; content:"|3a 20|Microsoft BITS"; http_header; fast_pattern:only; content:!".microsoft.com|0d 0a|"; http_header; nocase; reference:md5,82fb5101847e734dd9b36f51f1fc73e3; classtype:trojan-activity; sid:2022983; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 30 M3"; flow:established,to_client; file_data; content:"try "; content:"= new ActiveXObject"; distance:0; content:"catch"; distance:0; content:"=|20 22|Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi|22|,"; content:"=|20 22|Kaspersky.IeVirtualKeyboardPluginSm.JavascriptApi|22|,"; content:".location="; distance:0; classtype:trojan-activity; sid:2022984; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jul 28 2016"; flow:established,to_client; content:"Set-Cookie|3a 20|yatutuzebil=1|3b|"; fast_pattern; content:"yatutuzebil"; http_cookie; classtype:trojan-activity; sid:2022990; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx"; nocase; fast_pattern; content:"<audio autoplay"; nocase; distance:0; content:"setInterval"; nocase; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert/Ri"; classtype:trojan-activity; sid:2022991; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern:2,20; content:"alertCall"; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; classtype:trojan-activity; sid:2022992; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// this script is so you can get fields our of the URL"; fast_pattern:34,20; nocase; content:"CHECKS FULL PARAMETER NAME BEGIN OF"; distance:0; content:"// Firefox NS_ERROR_NOT_AVAILABLE"; distance:0; content:"// if delta less than 50ms"; nocase; distance:0; content:"// thus we need redirect"; nocase; distance:0; classtype:trojan-activity; sid:2022993; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function loadNumber"; nocase; fast_pattern; content:"function doRedirect"; nocase; distance:0; content:"function randomString"; nocase; distance:0; content:"function leavebehind"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"function confirmExit"; nocase; distance:0; classtype:trojan-activity; sid:2022994; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022995; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Aug1 2016"; flow:established,from_server; file_data; content:"|76 61 72 20 68 65 61 64 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 62 6f 64 79 27 29 5b 30 5d 3b 20 76 61 72 20 73 63 72 69 70 74 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 73 63 72 69 70 74 2e 73 72 63 3d 20 22 2f 2f|"; pcre:"/^[^\r\n\x22\?]+[&?][^=\r\n\x22]+=[a-f0-9]+[^\r\n\x22\?]*[&?][^=\r\n\x22]+=[a-f0-9]+\x22\s*\x3b\s*head\.appendChild\(\s*script\s*\)\x3b/R"; classtype:trojan-activity; sid:2022998; rev:2;)
+
+alert tcp $HOME_NET any -> [85.93.0.0/24,194.165.16.0/24,31.184.192.0/24] 80 (msg:"ET CURRENT_EVENTS EITest Flash Redirect Aug 09 2016"; flow:established,to_server; urilen:>20; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2023036; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M1"; flow:to_server,established; content:"GET"; http_method; content:"/please-fix-immediately-"; nocase; fast_pattern:4,20; http_uri; content:"/index.html"; nocase; distance:0; http_uri; pcre:"/[A-Za-z0-9]{10,20}_14[0-9]{8,}\/index\.html$/Ui"; classtype:trojan-activity; sid:2023037; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"<audio autoplay"; nocase; distance:0; content:"data|3a|image/png|3b|base64,"; nocase; classtype:trojan-activity; sid:2023038; rev:2;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SYSTEM ERROR"; fast_pattern; nocase; content:"getURLParameter"; distance:0; content:"decodeURI"; distance:0; content:"loadNumber"; distance:0; content:"confirmExit"; distance:0; classtype:trojan-activity; sid:2023039; rev:1;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M4"; flow:to_server,established; content:"GET"; http_method; content:".php?num="; fast_pattern; nocase; http_uri; content:"&country="; nocase; distance:0; http_uri; content:"&city="; nocase; distance:0; http_uri; content:"&os="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; classtype:trojan-activity; sid:2023040; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M5"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Hacking Attack"; nocase; fast_pattern; content:"mozfullscreenerror"; nocase; distance:0; content:"toggleFullScreen"; distance:0; content:"addEventListener"; distance:0; content:"countdown"; nocase; classtype:trojan-activity; sid:2023041; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Suspended Account Phish Aug 9 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"name-re="; nocase; depth:8; fast_pattern; http_client_body; content:"&dob"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; content:"&is_valid_email"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023042; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Suspended Account Phish Aug 9 M2"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"holdername="; nocase; depth:11; fast_pattern; http_client_body; content:"&numcard"; nocase; distance:0; http_client_body; content:"&ccv"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023043; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Suspended Account Phishing Landing Aug 9"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Log in to my account"; nocase; fast_pattern:7,20; content:"iCloud"; distance:0; nocase; content:"disabled for security reasons"; distance:0; nocase; content:"confirm your account information"; distance:0; nocase; content:"account has been frozen"; distance:0; nocase; classtype:trojan-activity; sid:2023044; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel Online Phishing Landing Aug 9"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Excel Online"; nocase; fast_pattern; content:"someone@example.com"; nocase; distance:0; content:"password"; nocase; distance:0; flowbits:set,ET.GenericPhish_Excel; classtype:trojan-activity; sid:2023045; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Excel Online Phish Aug 9"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Excel; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023046; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Shared Document Phishing Landing Nov 19 2015"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"pagename=|22|login|22|"; nocase; content:"<title>Sign in - Adobe"; nocase; distance:0; fast_pattern:2,20; content:"password-revealer"; nocase; distance:0; flowbits:set,ET.GenericPhish_Adobe; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:trojan-activity; sid:2023047; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023048; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 12 M1"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script is so you can get fields our of the URL"; fast_pattern:26,20; nocase; content:"//Flag we have not run the script"; nocase; distance:0; content:"//The page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; classtype:trojan-activity; sid:2023051; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 12 M2"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#foxboxmsg"; fast_pattern; nocase; content:"getURLParameter"; nocase; distance:0; content:"default_number"; nocase; distance:0; content:"default_plain_number"; nocase; distance:0; content:"loco_params"; nocase; distance:0; classtype:trojan-activity; sid:2023052; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing (err.mp3) Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"err.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:trojan-activity; sid:2023055; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing (msg.mp3) Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"msg.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:trojan-activity; sid:2023056; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Infect"; nocase; fast_pattern; content:"toggleFullScreen"; distance:0; content:"countdown"; distance:0; content:"twoDigits"; distance:0; classtype:trojan-activity; sid:2023057; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"vendorName"; nocase; content:"alertCall"; fast_pattern; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"setInterval"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; content:"onkeydown"; nocase; distance:0; content:"e.ctrlKey"; nocase; distance:0; content:"e.keyCode"; nocase; distance:0; content:"onbeforeunload"; nocase; distance:0; classtype:trojan-activity; sid:2023058; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Excel Phish Aug 15 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:".php?cmd=login_submit"; http_header; nocase; fast_pattern; content:"login="; depth:6; nocase; http_client_body; content:"&passwd="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023061; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Storage Upgrade Phishing Landing Aug 15 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<TITLE>Login Authorization"; fast_pattern; nocase; content:"STORAGE UPGRADE"; nocase; distance:0; content:"Global Internet Administration!"; nocase; distance:0; classtype:trojan-activity; sid:2023062; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023063; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023064; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Square Enix Phishing Domain Aug 15 2016"; flow:to_server,established; content:"GET"; http_method; content:"square-enix.com"; http_header; fast_pattern; content:!"square-enix.com|0d 0a|"; http_header; pcre:!"/^Referer\x3a[^\r\n]+square-enix\.com/Hmi"; classtype:trojan-activity; sid:2023065; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Bank of America Phishing Domain Aug 15 2016"; flow:to_server,established; content:"GET"; http_method; content:"bankofamerica.com"; http_header; fast_pattern; content:!"bankofamerica.com|0d 0a|"; http_header; pcre:"/Host\x3a[^\r\n]+bankofamerica\.com[^\r\n]{10,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023066; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious HTTP Refresh to SMS Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; within:8; pcre:"/^[^>]+url=sms\x3a/Rsi"; content:"url=sms|3a|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2023068; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SMS Fake Mobile Virus Scam Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Protect your Computer"; nocase; fast_pattern; content:"Your Computer"; nocase; distance:0; content:"INFECTED"; distance:0; content:"Enter Your Number"; nocase; distance:0; content:"SCAN NOW</button>"; nocase; distance:0; classtype:trojan-activity; sid:2023069; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023072; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netflix Phishing Landing Aug 17 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Netflix"; nocase; fast_pattern; content:"Update Your Payment Information"; nocase; distance:0; content:"Please update your payment information"; nocase; distance:0; content:"not be charged for the days you missed"; nocase; distance:0; classtype:trojan-activity; sid:2023073; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Aug 17 2016"; flow:established,to_client; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 69 66 27 2b 27 72 61 27 2b 27 6d 65 27 29 3b|"; nocase; fast_pattern:19,20; content:"|2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 20 3d 20 27 61 62 27 2b 27 73 6f 6c 27 2b 27 75 74 65 27 3b|"; distance:0; nocase; content:"setAttribute"; nocase; pcre:"/^\s*\(\s*[\x22\x27]id[\x22\x27]\s*,\s*?(?P<var>[^,\x29\s\x3b]+)\s*\x29.*?\.appendChild\s*\(\s*(?P=var)/Rsi"; classtype:trojan-activity; sid:2023074; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Mobile Virus Scam M1 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Virus Detected"; nocase; fast_pattern; content:"#loading-bar"; nocase; distance:0; content:"navigator.vibrate"; nocase; distance:0; content:"Download Now"; nocase; distance:0; content:"Download Now"; nocase; distance:0; classtype:trojan-activity; sid:2023079; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Mobile Virus Scam M2 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"navigator.vibrate"; fast_pattern:only; content:"getURLParameter"; content:"gotooffer"; nocase; distance:0; content:"brandmodel"; nocase; distance:0; content:"countDown"; nocase; distance:0; content:"PreventExitPop"; nocase; distance:0; classtype:trojan-activity; sid:2023080; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Google Drive Phishing Domain Aug 25 2016"; flow:to_server,established; content:"drive.google.com"; http_header; fast_pattern; content:!"drive.google.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+drive\.google\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023092; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious Proxifier DL (non-browser observed in maldoc campaigns)"; flow:established,to_server; content:"/distr/Proxifier"; http_uri; nocase; depth:16; fast_pattern; content:!"User-Agent|3a|"; http_header; nocase; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:!"Cookie|3a|"; content:"proxifier.com|0d 0a|"; http_header; nocase; reference:md5,2a0728a6edab6921520a93e10a86d4b2; classtype:trojan-activity; sid:2023138; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M2"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; file_data; content:"|6f 62 6a 57 73 68 2e 72 75 6e 20 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 5c 70 75 74 74 79 2e 65 78 65 22|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023146; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Sep 02 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z\d]+[+-][a-z\d]+[+-][a-z\d]+[+-])[a-z\d+-]*\/$/U"; classtype:trojan-activity; sid:2023150; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:trojan-activity; sid:2024230; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M1"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 31 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 34 31 29|"; classtype:trojan-activity; sid:2023151; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M2"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 34 39 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29|"; classtype:trojan-activity; sid:2023152; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M3"; flow:established,to_client; file_data; content:"|43 68 72 28 33 32 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 30 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 39 37 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 30 29 20 26 20 43 68 72 28 31 30 31 29|"; classtype:trojan-activity; sid:2023153; rev:2;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Ebay Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|107sbtd9cbhsbtd5d80"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; classtype:trojan-activity; sid:2023180; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Ebay Phish Sept 8 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Host|3a 20|107SbTd9CBhSbT"; http_header; nocase; fast_pattern; content:"Referer|3a 20|http|3a 2f 2f|107sbtd9cbhsbt"; http_header; distance:0; content:"email"; nocase; http_client_body; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023181; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 12 2016 (Flash)"; flow:established,to_server; content:"/promo"; http_uri; nocase; depth:6; content:"/promo.swf?t="; http_uri; nocase; fast_pattern:only; pcre:"/^\/promo\d+(?:x\d+)?\/promo\.swf\?t=\d+$/Ui"; classtype:trojan-activity; sid:2023186; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 12 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|CAMPAIGNE.REFERER_COOKIE="; fast_pattern:12,20; content:"CAMPAIGNE.REFERER_COOKIE="; http_cookie; classtype:trojan-activity; sid:2023187; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|25 32 32 25 37 30 25 36 66 25 37 33 25 36 39 25 37 34 25 36 39 25 36 66 25 36 65 25 33 61 25 32 30 25 36 31 25 36 32 25 37 33 25 36 66 25 36 63 25 37 35 25 37 34 25 33 62|"; nocase; classtype:trojan-activity; sid:2023188; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) M2 Sep 12 2016"; flow:established,from_server; file_data; content:"|25 33 62 25 36 36 25 36 39 25 36 63 25 37 34 25 36 35 25 37 32 25 33 61 25 36 31 25 36 63 25 37 30 25 36 38 25 36 31 25 32 38 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 64 25 33 30 25 32 39 25 33 62 25 32 30 25 32 64 25 36 64 25 36 66 25 37 61 25 32 64 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 61 25 33 30 25 33 62 25 32 32 25 33 65|"; nocase; classtype:trojan-activity; sid:2023189; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b641)"; flow:established,from_server; file_data; content:"RnVuY3Rpb24gbGVha01lbS"; classtype:attempted-admin; sid:2023190; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b642)"; flow:established,from_server; file_data; content:"Z1bmN0aW9uIGxlYWtNZW0g"; classtype:attempted-admin; sid:2023191; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b643)"; flow:established,from_server; file_data; content:"GdW5jdGlvbiBsZWFrTWVtI"; classtype:attempted-admin; sid:2023192; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b644)"; flow:established,from_server; file_data; content:"cHJlZml4ICYgIiV1MDAxNiV1NDE0MSV1NDE0MSV1NDE0MSV1NDI0MiV1NDI0Mi"; classtype:attempted-admin; sid:2023193; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b645)"; flow:established,from_server; file_data; content:"ByZWZpeCAmICIldTAwMTYldTQxNDEldTQxNDEldTQxNDEldTQyNDIldTQyNDIi"; classtype:attempted-admin; sid:2023194; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b646)"; flow:established,from_server; file_data; content:"wcmVmaXggJiAiJXUwMDE2JXU0MTQxJXU0MTQxJXU0MTQxJXU0MjQyJXU0MjQyI"; classtype:attempted-admin; sid:2023195; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2"; flow:established,from_server; file_data; content:".split"; nocase; pcre:"/^\s*\(\s*[\x22\x27][\x00-\x09\x80-\xff][\x22\x27]\s*\)\s*\x3b\s*[A-Za-z0-9]+\s*=\s*[\x22\x27]/Rsi"; content:"|01 2e 02 3c 03 3e 04 3d 05 5c 22 06 5c 27 07 29|"; fast_pattern; within:16; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023196; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b641)"; flow:established,from_server; file_data; content:"KyAnPHBhcmFtIG5hbWU9Rmxhc2hWYXJzIHZhbHVlPSJpZGRxZD";  flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023198; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b642)"; flow:established,from_server; file_data; content:"sgJzxwYXJhbSBuYW1lPUZsYXNoVmFycyB2YWx1ZT0iaWRkcWQ9";  flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023199; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b643)"; flow:established,from_server; file_data; content:"rICc8cGFyYW0gbmFtZT1GbGFzaFZhcnMgdmFsdWU9ImlkZHFkP";  flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023200; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M1 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Download Security Essentials"; nocase; fast_pattern; content:"Malicious Software Removal"; nocase; distance:0; content:"<audio"; content:"autoplay="; nocase; distance:0; content:"autoplay"; distance:1; nocase; content:"audio/mpeg"; nocase; distance:0; content:"getURLParameter"; content:"setTimeout"; distance:0; classtype:trojan-activity; sid:2023235; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M2 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security Error"; nocase; fast_pattern; content:"+screen.availHeight"; nocase; distance:0; content:"screen.availWidth"; nocase; distance:0; content:"<audio"; content:"autoplay="; content:"autoplay"; distance:1; within:9; classtype:trojan-activity; sid:2023236; rev:2;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Sept 15 2016"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"issuefound"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00/Rsi"; classtype:trojan-activity; sid:2023237; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PC Support Tech Support Scam Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>PC Support"; nocase; fast_pattern; content:"getParameterByName"; nocase; distance:0; content:"decodeURIComponent"; nocase; distance:0; content:"FormattedNumber"; nocase; distance:0; content:"showRecurringPop"; nocase; distance:0; classtype:trojan-activity; sid:2023238; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M3 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:".chrome-alert"; nocase; content:"<title>"; nocase; distance:0; content:"Microsoft Official Support"; fast_pattern; nocase; distance:0; within:40; classtype:trojan-activity; sid:2023239; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016"; flow:established,from_server; file_data; content:"|29 2b 22 2e 49 65 56 22 2b|"; fast_pattern; content:"|29 2b 22 58 4f 22 2b|"; content:"|6e 65 77 20 77 69 6e 64 6f 77 5b 22 41 22 2b|"; content:"|29 7b 72 65 74 75 72 6e|"; content:"|2e 74 6f 53 74 72 69 6e 67|"; classtype:trojan-activity; sid:2023248; rev:2;)
+
+alert http $HOME_NET any -> [31.184.192.0/19] 80 (msg:"ET CURRENT_EVENTS Possible EITest Flash Redirect Sep 19 2016"; flow:established,to_server; urilen:1; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2023249; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject)"; flow:established,from_server; file_data; content:"3a-20-61-62-73-6f-6c-75-74-65-3b-7a-2d-69-6e-64-65-78-3a-2d-31-3b"; nocase; classtype:trojan-activity; sid:2023250; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject) M2"; flow:established,from_server; file_data; content:"|32 32 2d 36 66 2d 37 30 2d 36 31 2d 37 31 2d 37 35 2d 36 35 2d 32 32 2d 32 66 2d 33 65 2d 33 63 2d 32 66 2d 36 66 2d 36 32 2d 36 61 2d 36 35 2d 36 33 2d 37 34 2d 33 65 2d 30 64 2d 30 61 2d 33 63 2d 32 66 2d 36 34 2d 36 39 2d 37 36 2d 33 65 22 2e 72 65 70 6c 61 63 65 28 2f 2d 2f 67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65|"; nocase; classtype:trojan-activity; sid:2023251; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 20 2016"; flow:established,from_server; file_data; content:"Base64.encode(rc4("; nocase; fast_pattern; content:"+|22 3a|timeDelta|2c 22|+"; nocase; content:"cfg.key|29 29|"; nocase; distance:0; pcre:"/^[\x3b\x2c]postRequest\x28cfg\.urlSoftDetectorCallback/Ri"; classtype:trojan-activity; sid:2023252; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SunDown EK Flash Exploit Sep 22 2016"; flow:established,to_server; content:".swf"; http_uri; content:"/index.php?"; http_header; pcre:"/^\/\d+\/\d+\.swf$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f[^\r\n\x2f]+\/index\.php\?[^\x3d&]+=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)?\r\n/H"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023270; rev:4;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF";flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023271; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX";flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023272; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ";flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023273; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"x7soyTdaNq94NWpdLGZ4NWpd";flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023274; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"MlADchNaR0LGZ4NWpdLGZ4N";flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023275; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"azTEhyWNbKGpdLGZ4NWpdLG";flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023276; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023277; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023278; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023279; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023280; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023281; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"hADUiGDEgPTUbAa"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023282; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023283; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023284; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK;  classtype:trojan-activity; sid:2023285; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Sep 26 2016"; flow:established,from_server; file_data; content:"document.write"; within:14; pcre:"/^\s*\x28\s*[\x22\x27]<div\s*style\s*=\s*[\x22\x27](?=[^\x22\x27\r\n]*position\x3aabsolute\x3b)(?=[^\x22\x27\r\n]*top\x3a\s\-\d+px\x3b)(?=[^\x22\x27\r\n]*left\x3a\s0px\x3b)[^\r\n]*?<iframe[^\r\n>]*\s><\/i[\x22\x27]\+[\x22\x27]frame>[^\r\n]*<\/div>[\x22\x27]\s*\x29\x3b$/R"; content:"|3c 2f 69 27 2b 27 66 72 61 6d 65 3e|"; fast_pattern:only; classtype:trojan-activity; sid:2023302; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 26 2016 T2"; flow:established,from_server; file_data; content:"|6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; pcre:"/^\s*\x27[^\x27]+\x27width=\x27250\x27\sheight=\x27250\x27>\s*<\/iframe>\s*<\/div>/R"; classtype:trojan-activity; sid:2023303; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data;  content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:trojan-activity; sid:2023307; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (EITest Inject) Oct 03 2016"; flow:established,from_server; file_data; content:"|25 75 30 30 33 64 25 75 30 30 36 63 25 75 30 30 33 33 25 75 30 30 35 33|"; content:"|73 72 63 20 3d 20 75 6e 65 73 63 61 70 65|"; classtype:trojan-activity; sid:2023312; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Exploit Likely SunDown EK"; flow:established,from_server; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"9090909090909090909090909090909090909090EB"; classtype:trojan-activity; sid:2023313; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Landing Oct 03 2016"; flow:from_server,established; file_data; content:"|28 65 78 70 6c 6f 69 74 29|"; content:"|2e 65 78 65 63 28 69 6e 70 75 74 29 29 7b 72 65 74 75 72 6e 2d 31 7d 69 6e 70 75 74 3d 69 6e 70 75 74 2e 72 65 70 6c 61 63 65|"; content:"|6b 65 79 53 74 72|"; classtype:trojan-activity; sid:2023314; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern:37,20; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:from_server,established; flowbits:isnotset,ET.http.binary; flowbits:isset,ET.LockyDL; content:"ETag|3a|"; http_header; content:!"Content-Disposition|3a|"; http_header; content:!"Cookie|3a|"; content:"Content-Length|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Content-Length\x3a\x201[6-8]\d{4}\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FF D8 FF|"; within:3; content:!"CWS"; within:3; content:!"ZWS"; within:3; pcre:"/^.{4}[\x0a-\x7f]{0,100}[\x00-x09\x80-\xff]/s"; classtype:trojan-activity; sid:2023316; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful WeTransfer Phish Oct 04 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?cmd="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&session="; nocase; http_uri; content:"provider="; depth:9; nocase; http_client_body; fast_pattern; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&phone="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023964; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Oct 10 2016"; flow:to_server,established; content:"POST"; http_method; content:"/save.asp"; nocase; http_uri; fast_pattern; content:"apple"; http_header; content:"u="; depth:2; nocase; http_client_body; content:"&p="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023592; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016"; flow:established,from_server; file_data; content:"=l3S"; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:"document.createElement|28 22|iframe|22 29 3b|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/\?[^=&\x22\x27]+=l3S/Ri"; classtype:trojan-activity; sid:2023343; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016"; flow:established,from_server; content:"nginx"; http_header; pcre:"/^Content-Length\x3a\x20\d{2,3}\r?$/Hmi"; file_data; content:"document.write|28|"; within:15; pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:trojan-activity; sid:2023352; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016 T2"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|"; http_header; content:"nginx"; http_header; file_data; content:"var"; within:3; pcre:"/^\s*(?P<var>[^\r\n\s\x3d\x2c\x3b]+)\s*=[^\n]*<iframe(?=[^\n>]*top\x3a-\d+px\x3b)[^\n>]+src\s*=\s*\x5c?[\x22\x27]http[^\n>]+>\s*<\/iframe>\x22\x3bdocument\.write\((?P=var)\)\x3b\s*$/R"; content:"</iframe>|22 3b|document.write"; fast_pattern; classtype:trojan-activity; sid:2023353; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016  (RIG-v)"; flow:established,to_server; content:"/?"; http_uri; depth:2; content:"q="; http_uri; content:"oq="; http_uri; fast_pattern:only; pcre:"/^\/(?=.*?[&?][a-z]{2}_[a-z]{2}=\d+(?:&|$))(?=.*?[&?]q=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$))(?=.*?[&?]oq=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$)).*?[&?][a-z]{3}=[A-Za-z_]{3,20}(?=[a-z\d]*\x2e)(?=[a-z\x2e]*\d)[a-z\d\x2e]+(?:&|$)/U"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023401; rev:5;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Tor Module Download"; flow:established,to_server; content:"/tor/"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; pcre:"/\/tor\/[^\x2f\x2e]+(?:32|64)\.dll$/Ui"; reference:md5,dacbf4c26c5642c29e69e336e0f111f7; classtype:trojan-activity; sid:2023471; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs";  content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:attempted-admin; sid:2023473; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:trojan-activity; sid:2023474; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern:only; content:"<script type=|22|text/javascript|22|>"; pcre:"/^\s*var\s*(?P<var>[^\s=]+)\s*=\s*document.createElement\(\s*[\x22\x27]iframe[\x22\x27](?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:trojan-activity; sid:2023482; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023487; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023488; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Cartasi Phishing Domain Nov 8"; flow:to_server,established; content:"GET"; http_method; content:"cartasi"; http_header; fast_pattern; content:!"cartasi.it|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+cartasi[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023495; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 15 2016"; flow:established,from_server; file_data; content:"<iframe src=|22|http|3a 2f 2f|"; pcre:"/^[a-z0-9_-]+\.(?=[0-9_-]*[A-Z])[A-Z0-9_-]+\.[^\x22]+\x22\s/R"; content:"|77 69 64 74 68 3d 22 31 22 20 68 65 69 67 68 74 3d 22 31 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d 31 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e|"; within:67; fast_pattern:47,20; classtype:trojan-activity; sid:2023513; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3"; flow:established,from_server; file_data; content:"oq="; fast_pattern:only; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/(?=[^\x22\x27]*?[?&]oq=[A-Za-z0-9+\x2f_-]+(?:[\x22\x27]|&))(?=[^\x22\x27]*?[&?][a-z]+_[a-z]+=\d+)(?=[^\x22\x27]*?[&?]q=)/Ri"; classtype:trojan-activity; sid:2023547; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; content:"GET"; http_method; content:".php?f="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_header; pcre:"/^\/\w+\.php\?f=[a-z]?\d{1,3}(?:\.(?:dat|gif))?$/U"; reference:md5,551c440d76be5ab9932d8f3e8f65726e; classtype:trojan-activity; sid:2023754; rev:6;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS XBOOMBER Paypal Phishing Landing Nov 28 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<form method=|22|post|22|"; nocase; content:"action=|22|websc"; nocase; within:150; content:".php?SessionID-xb="; fast_pattern; nocase; distance:0; within:50; classtype:trojan-activity; sid:2023557; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful XBOOMBER Paypal Phish Nov 28 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websc-"; nocase; http_uri; content:".php?SessionID-xb="; nocase; http_uri; fast_pattern; within:40; classtype:trojan-activity; sid:2023558; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M1 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern:only; content:"/#24/"; pcre:"/^#?\d+/R"; content:".exe"; content:"|5c 5c|Progra"; nocase; classtype:trojan-activity; sid:2023586; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M2 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern:only; content:"/#16/"; pcre:"/^#?\d+/R"; content:".exe"; nocase; content:"|5c 5c|Progra"; nocase; classtype:trojan-activity; sid:2023587; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Linkedin Phishing Domain Dec 09 2016"; flow:to_server,established; content:"GET"; http_method; content:"linkedin.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"linkedin.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+linkedin\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023596; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Common Phishing Redirect Dec 13 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Page Redirection"; nocase; fast_pattern:3,20; content:"don't tell people to `click` the link"; nocase; distance:0; content:"just tell them that it is a link"; nocase; distance:0; content:!"location.hostname"; nocase; classtype:trojan-activity; sid:2023638; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Edge SmartScreen Page Spoof Attempt Dec 16 2016"; flow:from_server,established; file_data; content:"ms-appx-web|3a|//"; fast_pattern; nocase; content:"microsoftedge"; nocase; distance:0; content:"/assets/errorpages/"; nocase; distance:0; content:"BlockedDomain="; nocase; distance:0; reference:url,www.brokenbrowser.com/spoof-addressbar-malware/; classtype:trojan-activity; sid:2023657; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M1 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"p="; depth:2; nocase; http_client_body; content:"&a2="; nocase; distance:0; http_client_body; content:"&agencia="; nocase; distance:0; http_client_body; content:"&a1="; nocase; distance:0; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; fast_pattern; content:"&aa="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&age="; nocase; distance:0; http_client_body; content:"&ir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023696; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M2 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"agencia="; depth:8; nocase; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&entrada_1="; nocase; distance:0; http_client_body; fast_pattern; content:"&entrada_2="; nocase; distance:0; http_client_body; content:"&entrada_3="; nocase; distance:0; http_client_body; content:"&entrada_4="; nocase; distance:0; http_client_body; content:"&looking1="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023697; rev:4;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful National Bank Phish Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"redirect="; depth:9; nocase; http_client_body; content:"&txtState="; nocase; distance:0; http_client_body; content:"&txtCount="; nocase; distance:0; http_client_body; content:"&txtOneTime="; nocase; distance:0; http_client_body; content:"&Account_ID="; nocase; distance:0; http_client_body; content:"&active_Password="; nocase; distance:0; http_client_body; fast_pattern; content:"&Submit="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023698; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Jan 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"<meta name=|22|description|22 20|content=|22 78 50 61 79 50 61 6c 5f 32 30 31 37|"; content:"|43 61 5a 61 4e 6f 56 61 31 36 33|"; within:50; fast_pattern; classtype:trojan-activity; sid:2023712; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern:only; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]*type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]*name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]*value\s*=\s*[\x22\x27][A-Za-z0-9+/]+[\x22\x27]/Rsi";  content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2023742; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M1"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65 2e 77 65 62 73 74 6f 72 65|"; nocase; content:"|2e 6d 61 74 63 68 28 2f 3e 28 5c 77 3f 5c 73 3f 2e 2a 3f 29 3c 2f 67 29|"; nocase; fast_pattern:only; content:"|5b 69 5d 2e 72 65 70 6c 61 63 65 28 65 76 61 6c 28|"; content:"unescape"; nocase; pcre:"/^\s*\([^\x29]*(?:\%2F|\/)(?:\%5B|\[)(?:\%5E|^)(?=[^\x29]*(?:%3C|\<))(?=[^\x29]*(?:%3E|\>))(?=[^\x29]*(?:\%5C|\\)(?:\%6E|n))/Rsi"; classtype:trojan-activity; sid:2023743; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern:only; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]+type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]+name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]+value\s*=\s*[\x22\x27](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2023744; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Chrome_Font.exe"; http_header; nocase; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Chrome_Font\.exe/Hmi"; classtype:trojan-activity; sid:2023745; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern:only; content:"<script type=|22|text|2f|"; pcre:"/^(?:rocket|java)script\x22>\s*var\s*(?P<ifr>[^\s=]+)\s*=\s*[\x22\x27]iframe[\x22\x27].*?\s*var\s*(?P<var>[^\s=]+)\s*=\s*document\.createElement\(\s*(?P=ifr)(?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:trojan-activity; sid:2023748; rev:3;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jan 20 2017"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; http_header; content:"Warning|3a|"; nocase; http_header; distance:0; fast_pattern; content:"Call Microsoft"; http_header; nocase; classtype:trojan-activity; sid:2023751; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jan 20 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; nocase; fast_pattern:3,20; content:"background-color|3a 20|#FF0000"; nocase; distance:0; classtype:trojan-activity; sid:2023752; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Jan 24"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Windows Official Support"; fast_pattern; nocase; content:"This Is A Critical Warning"; nocase; distance:0; classtype:trojan-activity; sid:2023757; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple iCloud Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"usuario="; depth:8; nocase; http_client_body; content:"&contrasena="; nocase; distance:0; http_client_body; content:"&hdtxt="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023758; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Paypal Phish Jan 23 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websrc"; http_uri; fast_pattern; content:"email"; nocase; http_client_body; content:"|25|40"; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\/websrc$/U"; classtype:trojan-activity; sid:2023759; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"locale.x="; depth:9; nocase; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023760; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Broken/Filtered RIG EK Payload Download"; flow:established,from_server; content:"Content-Type|3a 20|application/x-msdownload|0d 0a|"; http_header; content:"Content-Length|3a 20|3|0d 0a|"; http_header; fast_pattern; file_data; content:"|3d 28 28|"; within:3; isdataat:!1,relative; classtype:trojan-activity; sid:2023768; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&ROLLOUT="; nocase; distance:0; http_client_body; content:"&user="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023770; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Wells Fargo Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"card_num="; depth:9; nocase; http_client_body; content:"&full_name="; nocase; distance:0; http_client_body; content:"&ssn_num="; nocase; distance:0; http_client_body; fast_pattern; content:"&j_password="; nocase; distance:0; http_client_body; content:"&userPrefs="; nocase; distance:0; http_client_body; content:"&jsenabled="; nocase; distance:0; http_client_body; content:"&origin="; nocase; distance:0; http_client_body; content:"&screenid="; nocase; distance:0; http_client_body; content:"&ndsid="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023771; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Find My iPhone Phish (SP) Jan 30 2017"; flow:from_server,established; file_data; content:"<title>Buscar iPhone"; fast_pattern; content:"<div class=|22|icloud"; nocase; distance:0; content:"Buscar iPhone"; nocase; distance:0; content:"<div class=|22|error"; nocase; distance:0; classtype:trojan-activity; sid:2023772; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M1 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"cusd="; depth:5; nocase; http_client_body; content:"&tbNickname="; nocase; distance:0; http_client_body; fast_pattern; content:"&ddCIF="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023773; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M2 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?SecureToken="; http_header; content:"&fill="; http_header; distance:0; content:"PIN="; depth:4; nocase; http_client_body; fast_pattern; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023774; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Ebay Phishing Domain Jan 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023775; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023776; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Font_Update.exe"; http_header; nocase; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Font_Update\.exe/Hmi"; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; reference:url,blog.brillantit.com/exposing-eitest-campaign; classtype:trojan-activity; sid:2023817; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; content:"GET"; http_method; content:"discover.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023819; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Chase Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"chase.com"; http_header; fast_pattern; content:!"chase.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+chase\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023820; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Apple Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"apple.com"; http_header; fast_pattern; content:!"apple.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+apple\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023821; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful USAA Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"usaa.com"; http_header; fast_pattern; content:!"usaa.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+usaa\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023822; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Paypal Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"paypal.com"; http_header; fast_pattern; content:!"paypal.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023823; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Bank of America Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"bankofamerica.com"; http_header; fast_pattern; content:!"bankofamerica.com|0d 0a|"; http_header; pcre:"/Host\x3a[^\r\n]+bankofamerica\.com[^\r\n]{10,}\r\n/Hmi"; classtype:trojan-activity; sid:2023824; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Google Drive Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"drive.google.com"; http_header; fast_pattern; content:!"drive.google.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+drive\.google\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023825; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Cartasi Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"cartasi"; http_header; fast_pattern; content:!"cartasi.it|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+cartasi[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023826; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Linkedin Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"linkedin.com"; http_header; fast_pattern; content:!"linkedin.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+linkedin\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023827; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023828; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Discover Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"discover.com"; http_header; fast_pattern; content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023829; rev:3;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 01"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|account-google|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023833; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 02"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|aramex-shipping|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023834; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 03"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|device-activation|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023835; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 04"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dropbox-service|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023836; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 05"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|dropbox-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023837; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 06"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dropboxsupport|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023838; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 07"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|fedex-mail|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023839; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 08"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|fedex-shipping|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023840; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 09"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|fedex-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023841; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|googledriver-sign|04|ddns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023842; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|googledrive-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023843; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|google-maps|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023844; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 13"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|googlesecure-serv|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023845; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 14"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|googlesignin|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023846; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|googleverify-signin|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023847; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 16"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|mailgooglesign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023848; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 17"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|myaccount|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023849; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 18"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|secure-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023850; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 19"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|security-myaccount|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023851; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 20"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|verification-acc|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023852; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 21"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dropbox-verfy|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023853; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 22"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|fedex-s|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023854; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 23"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|watchyoutube|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023855; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 24"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|verification-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023856; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 25"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|securityteam-notify|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023857; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 26"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|secure-alert|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023858; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 27"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|quota-notification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023859; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 28"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|notification-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023860; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|fedex-notification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023861; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 30"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|docs-mails|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023862; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 31"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|restricted-videos|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023863; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 32"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|dropboxnotification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023864; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 33"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|moi-gov|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023865; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 34"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|activate-google|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023866; rev:1;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 35"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|googlemaps|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023867; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Feb 2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Microsoft Official Support <"; fast_pattern; nocase; content:"var stroka"; nocase; distance:0; content:"wM/8AAEQgADQCgAwEiAAIRAQMRAf/dAAQACv/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIE"; distance:0; classtype:trojan-activity; sid:2023869; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing M1 Feb 07 2016 M1"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^\s*=\s*[\x27\x22](?:sh(?:ell(?:32)?)?|exec)=6wLrBej5\x2f\x2f/Rsi"; content:"6wLrBej5"; fast_pattern:only; classtype:trojan-activity; sid:2023878; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing M1 Feb 07 2016 M2"; flow:established,from_server; file_data; content:"EB02EB05E8F9FFFFFF"; nocase; fast_pattern:only; pcre:"/(?:value=[\x22\x27](?:sh(?:ell(?:32)?)?|exec)=|unescape\(EscapeHexString\(.)EB02EB05E8F9FFFFFF/si"; classtype:trojan-activity; sid:2023879; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"craigslist.org"; http_header; fast_pattern; content:!"craigslist.org|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+craigslist\.org[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023880; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"login="; depth:6; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submit=Sign+In&curl_version="; nocase; distance:0; http_client_body; fast_pattern:9,20; classtype:trojan-activity; sid:2023888; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Feb 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft Official Support"; nocase; fast_pattern:13,20; content:"<audio"; nocase; distance:0; content:"loop="; nocase; within:50; classtype:trojan-activity; sid:2023889; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023890; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023891; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Account Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"locked.php"; nocase; http_uri; content:"Account-Unlock"; nocase; distance:0; http_uri; fast_pattern; content:"user="; depth:5; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023999; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; classtype:trojan-activity; sid:2024000; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"AccountNo="; depth:10; nocase; http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024001; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"&txtCelular="; nocase; http_client_body; content:"&txtSenhaCartao="; nocase; distance:0; http_client_body; fast_pattern; content:"btnLogIn"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024002; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Verified by Visa title over non SSL Feb 17 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; content:"Verified by Visa"; nocase; within:50; fast_pattern; classtype:trojan-activity; sid:2024003; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious JS Refresh - Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"self.location.replace("; within:100; fast_pattern:2,20; pcre:"/\s*(?P<var>[^)]+)\s*\).+window\s*\.\s*location\s*=\s*\(\s*(?P=var)/Rsi"; classtype:trojan-activity; sid:2024007; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:"location|3a 20|"; http_header; fast_pattern; content:"|2f 3f|"; distance:32; within:2; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:trojan-activity; sid:2024008; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"step=confirmation"; depth:17; nocase; http_client_body; content:"&rt="; nocase; distance:0; http_client_body; content:"&rp="; nocase; distance:0; http_client_body; content:"&p="; nocase; distance:0; http_client_body; content:"&whichForm="; nocase; distance:0; http_client_body; content:"&Email="; nocase; distance:0; http_client_body; content:"&Parola="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024009; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"NumarCard="; depth:10; nocase; http_client_body; fast_pattern; content:"&CVV="; nocase; distance:0; http_client_body; content:"&Luna="; nocase; distance:0; http_client_body; content:"&NumeCard="; nocase; distance:0; http_client_body; content:"&PrenumeCard="; nocase; distance:0; http_client_body; content:"&NumedeContact="; nocase; distance:0; http_client_body; content:"&NumardeTelefon="; nocase; distance:0; http_client_body; content:"&EmaildeContact="; nocase; distance:0; http_client_body; content:"&cryptedStepCheck="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024010; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&CHKCLICK="; nocase; distance:0; http_client_body; content:"&NNAME="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024011; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; content:"&cardSelected="; nocase; distance:0; http_client_body; content:"&rbcCardNumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&twoDigitIssueNumber="; nocase; distance:0; http_client_body; content:"&atmpin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024012; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M3 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&fullname="; nocase; distance:0; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; content:"&mmn="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024013; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M4 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&sq1="; nocase; distance:0; http_client_body; content:"&sq1a="; nocase; distance:0; http_client_body; content:"&sq2="; nocase; distance:0; http_client_body; content:"&sq2a="; nocase; distance:0; http_client_body; content:"&sq3="; nocase; distance:0; http_client_body; content:"&sq3a="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024014; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Orderlink (IN) Phish Feb 24 2017"; flow:to_server,established; urilen:7; content:"POST"; http_method; content:"/signin"; content:"/signin|0d 0a|"; http_header; fast_pattern; content:"_token="; depth:7; nocase; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"|25|40"; nocase; distance:0; http_client_body; content:"&pass"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024015; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Redirect M1 Feb 24 2017"; flow:from_server,established; content:"302"; http_stat_code; content:"location|3a 20|"; nocase; http_header; content:".php?cmd=_update-information&account_bank="; nocase; http_header; fast_pattern:22,20; distance:0; content:"&dispatch="; distance:32; within:10; nocase; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; classtype:trojan-activity; sid:2024016; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Redirect M2 Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; file_data; content:"<meta http-equiv="; nocase; within:50; content:"refresh"; nocase; distance:1; within:7; content:"/webapps/"; nocase; distance:0; content:"/websrc"; distance:5; within:7; fast_pattern; classtype:trojan-activity; sid:2024017; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Common Paypal Phishing URI Feb 24 2017"; flow:to_server,established; content:"GET"; http_method; content:"/webapps/"; http_uri; content:"/websrc"; distance:5; within:7; http_uri; fast_pattern; pcre:"/\/webapps\/[a-f0-9]{5}\/websrc/Ui"; classtype:trojan-activity; sid:2024018; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Feb 24 2017"; flow:from_server,established; file_data; content:"<title>"; nocase; fast_pattern; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI Struct Feb 26 2017"; flow:established,to_server; urilen:>90; content:"oq="; http_uri; fast_pattern:only; pcre:"/^\/\?o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+$/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024020; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Feb 26 2016"; flow:established,from_server; file_data; content:"|3d 20 28 2f 2a 67 66 2a 2f 22 73 5c 78 37 35 62 73 22 29 2b 2f 2a 67 66 2a 2f 22 74 72 22 3b|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024021; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Vanguard Phish Mar 06 2017"; flow:to_server,established; content:"POST"; http_method; content:"dmform-0="; depth:9; nocase; http_client_body; content:"&label-dmform-0=User+name"; nocase; distance:0; http_client_body; content:"&label-dmform-1=Password"; nocase; distance:0; http_client_body; content:"&label-dmform-8=Account+Email"; nocase; distance:0; http_client_body; content:"&label-dmform-9=Password"; nocase; distance:0; http_client_body; content:"&dmformsubject=Vang"; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024032; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Android Fake AV Download Landing Mar 06 2017"; flow:to_server,established; content:"GET"; http_method; content:".php?model="; nocase; http_uri; content:"&brand="; nocase; distance:0; http_uri; content:"&osversion="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; content:"&voluumdata=BASE64"; nocase; distance:0; http_uri; fast_pattern; classtype:trojan-activity; sid:2024033; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK March 07 2017"; flow:established,from_server; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 31 70 78 3b 20 68 65 69 67 68 74 3a 20 31 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; fast_pattern:70,20; pcre:"/^\s*\x27[^\x27\x3b\r\n]+\x27width=\x27250\x27\sheight=\x27250\x27\>/Ri"; classtype:trojan-activity; sid:2024037; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Fake Font DL March 09 2017"; flow:from_server,established; content:"Content-Disposition|3a|"; nocase; http_header; content:"|43 68 72 ce bf 6d 65|"; nocase; http_header; fast_pattern:only; content:"|66 ce bf 6e 74|"; nocase; http_header; content:"|2e 65 78 65|"; nocase; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2024040; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Mar 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"System Virus Alert"; nocase; fast_pattern:5,20; content:"|3a|-webkit-full-screen"; nocase; distance:0; classtype:trojan-activity; sid:2024042; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024046; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful National Bank Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"aliasDispatcher="; depth:16; nocase; http_client_body; content:"&indBNCFunds="; nocase; distance:0; http_client_body; content:"&accountNumber1="; nocase; distance:0; http_client_body; content:"&cardExpirDate="; nocase; distance:0; http_client_body; fast_pattern; content:"®istrationMode="; nocase; distance:0; http_client_body; content:"&cardActionTypeSelected="; nocase; distance:0; http_client_body; content:"&language="; nocase; distance:0; http_client_body; content:"&clientIpAdress="; nocase; distance:0; http_client_body; content:"&clientUserAgent="; nocase; distance:0; http_client_body; content:"&clientScreenResolution="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024047; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017"; flow:established,to_server; urilen:>90; content:"oq="; http_uri; fast_pattern:only; pcre:"/(?=.*?[?&]oq=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)).*?[?&]q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024048; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2"; flow:established,to_server; urilen:>90; content:"QMvXcJ"; http_uri; pcre:"/(?=.*?=[^&]{3,4}QMvXcJ).*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&.*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024049; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful ANZ Internet Banking Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"typ="; depth:4; nocase; http_client_body; content:"&cid="; nocase; distance:0; http_client_body; content:"&cpass="; nocase; distance:0; http_client_body; content:"&homepn="; nocase; distance:0; http_client_body; content:"&workpn="; nocase; distance:0; http_client_body; content:"&mobilepn="; nocase; distance:0; http_client_body; content:"&telepass="; nocase; distance:0; http_client_body; content:"&ccnumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&cvv="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024050; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Instagram Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"cek=login"; depth:9; nocase; http_client_body; fast_pattern; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024051; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"login_cmd="; depth:10; nocase; http_client_body; content:"&login_params="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024052; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M1 Mar 14 2017"; flow:established,from_server; file_data; content:"|2e de 08 bb 99 8a 7b 6c|"; within:8; classtype:trojan-activity; sid:2024053; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; classtype:trojan-activity; sid:2024054; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload RC4 Key M1 Mar 14 2017"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"uylzJB3mWrFjellI9iDFGQjO"; fast_pattern:only; content:"("; pcre:"/^\s*[\x22\x27]\s*http[^\x22\x27]+\.php\s*[\x22\x27]\s*\x2c\s*[\x22\x27]\s*uylzJB3mWrFjellI9iDFGQjO/Rs"; classtype:trojan-activity; sid:2024055; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; distance:0; classtype:trojan-activity; sid:2024059; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish M1 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"appid="; depth:6; nocase; http_client_body; fast_pattern; content:"|25|40"; distance:0; http_client_body; content:"&pwd"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024060; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish M2 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"fname="; depth:6; nocase; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&cchn="; nocase; distance:0; http_client_body; content:"&ccnum="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate="; nocase; distance:0; http_client_body; content:"&cvv2="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024061; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; content:"iframe"; nocase; content:"src"; nocase; pcre:"/^\s*=\s*[\x22\x27][Hh][Tt][Tt][Pp][Ss]?\x3a\x2f\x2f[^\x2f]+\x2f(?=[^\x2f\x22\x27]+=[^\x2f\x22\x27&]{0,5}QMvXcJ)[^\x2f\x22\x27]{90}/Rs"; content:"QMvXcJ"; fast_pattern:only; classtype:trojan-activity; sid:2024092; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017 M2"; flow:established,from_server; file_data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri";content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; classtype:trojan-activity; sid:2024093; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 22 2017"; flow:to_server,established; content:"POST"; http_method; content:"identif="; depth:8; nocase; http_client_body; content:"&elserr="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024100; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024101; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M1 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"act="; depth:4; nocase; http_client_body; content:"&command="; nocase; distance:16; within:9; http_client_body; fast_pattern; content:"&PIN="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024102; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M2 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"account="; depth:8; nocase; http_client_body; content:"&pin"; nocase; distance:16; within:4; http_client_body; content:"&command="; nocase; distance:0; http_client_body; content:"&PrimaryApplicant="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024103; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN March 2017"; flow:established,to_server; content:"GET"; http_method; content:"?showforum="; http_uri; fast_pattern:only; pcre:"/\?showforum=$/Ui"; content:!".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,ad575f6795526f2ee5e730f76a3b5346; classtype:trojan-activity; sid:2024109; rev:3;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MalDoc Retrieving Payload March 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"/mang.bbk"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/mang\.bbk$/Ui"; reference:md5,33018afc5ef9818eee0f3833d1f738b0; classtype:trojan-activity; sid:2024122; rev:2;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M1"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|wide.singldays.top"; distance:1; within:19; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024124; rev:2;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M2"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|wine.industrialzz.top"; distance:1; within:22; fast_pattern:2,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024125; rev:2;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M3"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|one.industrialzz.top"; distance:1; within:21; fast_pattern:1,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024126; rev:2;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M4"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|13|web.machinerysc.top"; distance:1; within:20; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024127; rev:2;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M5"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|sub.contentedy.top"; distance:1; within:19; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024128; rev:2;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M6"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|check-work-18799.top"; distance:1; within:21; fast_pattern:1,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024129; rev:2;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M7"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|asp.refreshmentnu.top"; distance:1; within:22; fast_pattern:2,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024130; rev:2;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M8"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|get.resemblanceao.bid"; distance:1; within:22; fast_pattern:2,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024131; rev:2;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M9"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|sip.discoveredzp.bid"; distance:1; within:21; fast_pattern:1,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024132; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M1"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|0"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024133; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M2"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|1"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024134; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M3"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|2"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024135; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M4"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|3"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024136; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M5"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|4"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024137; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M6"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|5"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024138; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M7"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|6"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024139; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M8"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|7"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024140; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M9"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|8"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024141; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M10"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|9"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024142; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024167; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"dllcode"; nocase; fast_pattern:only; content:"|28 26 68 34 64 2c 26 68 35 61 2c 26 68 38 30 2c 30 2c 31 2c 30 2c 30 2c 30|"; nocase; content:"GetSpecialFolder"; nocase; reference:cve,2016-0189; classtype:trojan-activity; sid:2024168; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit M2"; flow:established,from_server; file_data; content:"|73 74 72 54 6f 49 6e 74 28 4d 69 64 28 6d 65 6d 2c 20 31 2c 20 32 29 29|"; content:"|2b 20 26 48 31 37 34|"; reference:cve,2016-0189; classtype:trojan-activity; sid:2024169; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2015-2419 Exploit"; flow:established,from_server; file_data; content:"EB125831C966B9"; nocase; content:"05498034088485C975F7FFE0E8E9FFFFFFD10D61074028D7D5D3B544E0"; distance:2; within:58; nocase; reference:cve,2016-0189; classtype:trojan-activity; sid:2024170; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download"; flow:established,to_server; content:"e=cve"; http_uri; fast_pattern:only; pcre:"/[&?]e=cve\d{8}(?:&|$)/U"; pcre:"/=[a-f0-9]{32,}(?:&|$)/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2024180; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"gender="; depth:7; nocase; http_client_body; fast_pattern; content:"&name1="; nocase; distance:0; http_client_body; content:"&name2="; nocase; distance:0; http_client_body; content:"&day="; nocase; distance:0; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024184; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cnumber="; depth:8; nocase; http_client_body; fast_pattern; content:"&expm="; nocase; distance:0; http_client_body; content:"&expy="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&cname="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024185; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&next_pag="; nocase; distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024186; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024187; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024188; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in RTF 0-day )"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|application/hta|0d 0a|"; http_header; fast_pattern:9,20; nocase;  classtype:trojan-activity; sid:2024197; rev:2;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Payload DL"; flow:established,from_server; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; http_header; nocase; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2024198; rev:1;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M2"; flow:established,from_server; file_data; content:"|69 64 3d 22 70 70 68 68 22 20 3e 54 68 65 20 22 48 6f 65 66 6c 65 72 54 65 78 74 22 20 66 6f 6e 74 20 77 61 73 6e 27 74 20 66 6f 75 6e 64 2e|"; classtype:trojan-activity; sid:2024199; rev:1;)
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M3"; flow:established,from_server; file_data; content:"|69 64 3d 22 62 62 62 31 22 3e 43 6c 69 63 6b 20 6f 6e 20 74 68 65 20 43 68 72 6f 6d 65 5f 46 6f 6e 74 2e 65 78 65|"; classtype:trojan-activity; sid:2024200; rev:1;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Malicious Expires Header Seen In Malicious JavaScript Downloader Campaign"; flow:established,to_client; content:"Expires|3A| Tue, 08 Jan 1935 00|3A|00|3A|00 GMT"; http_header; fast_pattern:9,20; classtype:trojan-activity; sid:2024229; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024231; rev:2;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; http_client_body; content:"&nome="; nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024232; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ElTest Exploit Kit Redirection Script"; flow:established,to_client; file_data; content:"<script"; nocase; content:"text/javascript"; within:50; nocase; content:"|22|iframe|22|"; within:100; nocase; content:".style.border= |22|0px|22|"; within:200; fast_pattern; nocase; content:"frameborder"; within:100; nocase; content:".setAttribute("; within:50; nocase; content:"document.body.appendChild("; within:100; nocase; content:"= |22|http"; within:100; nocase; content:".src="; distance:0; nocase; content:"<|2F|script>"; within:50; nocase; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/; classtype:trojan-activity; sid:2024237; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HoeflerText Chrome Popup DriveBy Download Attempt"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font wasn't found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"Click on the Chrome_Font.exe"; distance:0; nocase; content:"Latest version"; distance:0; nocase; content:"href=|22|http"; distance:0; nocase; content:"window.chrome"; distance:0; nocase; reference:url,www.bleepingcomputer.com/virus-removal/hoeflertext-font-wasnt-found-and-chrome-font-pack-guide; classtype:trojan-activity; sid:2024238; rev:2;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Google App Oauth Phish M1 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Alert"; fast_pattern:7,20; nocase; content:"