02-02-05 10:46 PM
[***] Results from Oinkmaster started Tue Feb 1 20:00:02 2005 [***]
[+++] Added rules: [+++]
-> Added to bleeding-malware.rules (16):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Mal
ware Search Relevancy Spyware"; uricontent:"/SearchRelevancy/SearchRelevancy
.dll"; nocase; flow:established,to_server; sid:2001696; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Mal
ware Flingstone Spyware Install"; uricontent:"/softwares/cxtpls_loader_ff.ex
e"; nocase; flow:established,to_server; sid:2001710; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Mal
ware Windupdates.com Spyware Install"; uricontent:"/cab/CDTInc/ie/"; nocase;
uricontent:".cab"; nocase; flow:established,to_server; sid:2001700; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download"; uricontent:"/agentprefs.sah"; nocase; flow:established,to_server; sid:2001709; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Heartbeat"; uricontent:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; flow:established,to_server; sid:2001708; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Mal
ware Context Plus Spyware Install"; uricontent:"/AproposClientInstaller.exe"
; nocase; flow:established,to_server; sid:2001704; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Mal
ware Context Plus Spyware Activity"; content:"User-Agent\: AproposClient Aut
oLoader"; nocase; flow:established,to_server; sid:2001703; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware YourSi
teBar Activity"; classtype:trojan-activity; reference:url,www.ysbweb.com; co
ntent:"User-Agent\: istsvc"; nocase; flow:to_server,established; sid:2001699
; rev:1;
)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Activity"; content:"User-Agent\: SAH Agent"; nocase; flow:established,to_server; sid:2001707; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware YourSiteBar Data Submission"; classtype:trojan-activity; reference:url,www.ysbweb.com; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; flow:to_server,established; sid:2001698; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Activity"; content:"User-Agent\: Bundle"; nocase; flow:established,to_server; sid:2001702; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Data Submission"; classtype:trojan-activity; reference:url,www.isearchtech.com; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; flow:to_server,established; sid:2001697; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE Malw
are Likely Spambot Web-based Control Traffic"; content:"User-Agent\: Godzill
a"; nocase; classtype:trojan-activity; flow:to_server,established; sid:20017
11; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Mal
ware Flingstone Spyware Install"; uricontent:"/softwares/SportsInteraction.e
xe"; nocase; flow:established,to_server; sid:2001705; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Activity"; content:"User-Agent\: EnvoloAutoUpdater AutoLoader"; nocase; flow:established,to_server; sid:2001706; rev:2;)
# User-Agent is an HTTP request header, not part of the URI, so uricontent can never match it; the sibling Context Plus rule (sid:2001703) correctly uses content for the same header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Windupdates.com Spyware Logging Data"; uricontent:"/logging.php?p="; nocase; content:"Host\: public.windupdates.com"; nocase; flow:established,to_server; sid:2001701; rev:2;)
-> Added to bleeding-virus.rules (1):
alert TCP $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bagle.BJ [ali
as .AY, .BC] - download attempt"; content:"GET /error.jpg"; nocase; referenc
e:url,secunia.com/virus_information/14877/; classtype:trojan-activity; flow:
established; sid: 20016
95; rev:1;)
[///] Modified active rules: [///]
-> Modified active in bleeding-dos.rules (2):
old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E DOS squ1rt Apache DoS"; flow: to_server,established; flowbits: isset,http.
get; dsize: 1448; content:"|20202020|"; depth: 4; content: "|20202020|"; off
set: 1436; depth: 4
; sid:2001636; rev:1;)
new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E DOS squ1rt Apache DoS"; flow: to_server,established; flowbits: isset,http.
get; dsize: 1448; content:"|20202020|"; depth: 4; content: "|20202020|"; off
set: 1436; depth: 4
; classtype:attempted-dos; sid:2001636; rev:2;)
old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E DOS HTTP GET with newline appended"; content:"GET / HTTP/1.0|0a|"; flow:to
_server,established; flowbits:set,http.get; flowbits:noalert; sid:2001635; r
ev:1;)
new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E DOS HTTP GET with newline appended"; content:"GET / HTTP/1.0|0a|"; flow:to
_server,established; flowbits:set,http.get; flowbits:noalert; classtype:atte
mpted-dos; sid:2001
635; rev:2;)
-> Modified active in bleeding-exploit.rules (16):
old: alert tcp any $HTTP_PORTS -> any any ( msg:"BLEEDING-EDGE EXPLOIT IE IF
RAME Exploit"; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w
23;578}|/W{578}/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w
3;2086}|\W{2086}/im"; flow:from_server,est
ablished; sid:2001401; rev:10;)
new: alert tcp any $HTTP_PORTS -> any any ( msg:"BLEEDING-EDGE EXPLOIT IE IF
RAME Exploit"; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w
23;578}|/W{578}/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w
3;2086}|\W{2086}/im"; flow:from_server,est
ablished; classtype:misc-attack; sid:2001401; rev:11;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Exploit Blahot Worm Infection Reporting in"; uricontent:"/scr2/command.php
?IP="; nocase; uricontent:"Port1="; nocase; flow:to_server,established; sid:
2001667; rev:3;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Exploit Blahot Worm Infection Reporting in"; uricontent:"/scr2/command.php
?IP="; nocase; uricontent:"Port1="; nocase; flow:to_server,established; clas
stype:trojan-activi
ty; sid:2001667; rev:4;)
old: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT NTDump S
ession Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57
00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; flow:to_s
erver,established;
sid:2001543; rev:3;)
new: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT NTDump S
ession Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57
00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; flow:to_s
erver,established;
classtype:misc-activity; sid:2001543; rev:4;)
old: alert tcp any any -> any 139 (msg:"BLEEDING-EDGE Pwdump3e Session Estab
lished Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52
00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:t
o_server,establishe
d; sid:2000565; rev:2;)
new: alert tcp any any -> any 139 (msg:"BLEEDING-EDGE Pwdump3e Session Estab
lished Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52
00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:t
o_server,establishe
d; classtype:suspicious-login; sid:2000565; rev:3;)
old: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 Lsasrv.dll RPC
exploit (WinXP)";content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; conten
t:"|78 85 13 00 AB5B A6 E9 31 31|"; flow:to_server,established; sid:2000033;
rev:2;)
new: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 Lsasrv.dll RPC
exploit (WinXP)";content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; conten
t:"|78 85 13 00 AB5B A6 E9 31 31|"; flow:to_server,established; classtype:mi
sc-activity; sid:20
00033; rev:3;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-ED
GE MS04-032 Bad EMF file"; content: "|01 00 00 00|"; depth: 4; content: "|20
45 4d 46|"; depth: 44; offset: 40; byte_test: 4, >, 256, 60, little; flow:f
rom_server,establis
hed; sid:2001374; rev:2;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-ED
GE MS04-032 Bad EMF file"; content: "|01 00 00 00|"; depth: 4; content: "|20
45 4d 46|"; depth: 44; offset: 40; byte_test: 4, >, 256, 60, little; flow:f
rom_server,establis
hed; classtype:misc-activity; sid:2001374; rev:3;)
old: alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE Pwdump3e Passwor
d Hash Retrieval port 139"; content:"\:|00|5|00|0|00|0"; flow:from_server,es
tablished; sid:2000568; rev:3;)
new: alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE Pwdump3e Passwor
d Hash Retrieval port 139"; content:"\:|00|5|00|0|00|0"; flow:from_server,es
tablished; classtype:misc-attack; sid:2000568; rev:4;)
old: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT NTDump.e
xe Service Started port 445"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00
53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; sid
:2001544; rev:3;)
new: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT NTDump.e
xe Service Started port 445"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00
53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; cla
sstype:misc-activit
y; sid:2001544; rev:4;)
old: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT NTDump S
ession Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57
00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; flow:to_s
erver,established;
sid:2001052; rev:3;)
new: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT NTDump S
ession Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57
00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; flow:to_s
erver,established;
classtype:misc-activity; sid:2001052; rev:5;)
old: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 Lsasrv.dll RPC
exploit (Win2k)";content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|
"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; flow:to_serve
r,established; sid:
2000046; rev:2;)
new: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 Lsasrv.dll RPC
exploit (Win2k)";content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|
"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; flow:to_serve
r,established; clas
stype:misc-activity; sid:2000046; rev:3;)
old: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE Pwdump3e pwservi
ce.exe Access port 139"; content:" p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|
e|
00|.|00|e|00|x|00|e"; flow:to_server,established; sid:2000567; rev:3;)
new: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE Pwdump3e pwservi
ce.exe Access port 139"; content:" p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|
e|
00|.|00|e|00|x|00|e"; flow:to_server,established; classtype:misc-attack; sid
:2000567; rev:4;)
old: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE Pwdump3e Session Estab
lished Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52
00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:t
o_server,establishe
d; sid:2000566; rev:2;)
new: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE Pwdump3e Session Estab
lished Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52
00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:t
o_server,establishe
d; classtype:suspicious-login; sid:2000566; rev:3;)
old: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT NTDump.e
xe Service Started port 139"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00
53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; sid
:2001053; rev:3;)
new: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT NTDump.e
xe Service Started port 139"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00
53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; cla
sstype:misc-activit
y; sid:2001053; rev:4;)
old: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e pwservi
ce.exe Access port 445"; content:" p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|
e|
00|.|00|e|00|x|00|e"; flow:to_server,established; sid:2000564; rev:4;)
new: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e pwservi
ce.exe Access port 445"; content:" p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|
e|
00|.|00|e|00|x|00|e"; flow:to_server,established; classtype:misc-attack; sid
:2000564; rev:5;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit B
lahot Worm Infection Reporting in (to blahot.com)"; uricontent:"/scr2/command.php?IP=";
nocase; uricontent:"Port1="; nocase; content:"Host\: www.blahot.com"; no
case; flow:to_server,established; sid:2001671; rev:3;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit B
lahot Worm Infection Reporting in (to blahot.com)"; uricontent:"/scr2/command.php?IP=";
nocase; uricontent:"Port1="; nocase; content:"Host\: www.blahot.com"; no
case; flow:to_server,established; classtype:trojan-activity; sid:2001671; re
v:4;)
old: alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Passwor
d Hash Retrieval port 445"; content:"\:|00|5|00|0|00|0"; flow:from_server,es
tablished; sid:2000563; rev:4;)
new: alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Passwor
d Hash Retrieval port 445"; content:"\:|00|5|00|0|00|0"; flow:from_server,es
tablished; classtype:misc-attack; sid:2000563; rev:5;)
-> Modified active in bleeding-inappropriate.rules (10):
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-ED
GE Inappropriate Sextracker Tracking Code Detected"; content:"BEGIN SEXLIST
REFERRER-STATS CODE"; nocase; flow:from_server,established; sid:2001392; rev
:2;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-ED
GE Inappropriate Sextracker Tracking Code Detected"; content:"BEGIN SEXLIST
REFERRER-STATS CODE"; nocase; flow:from_server,established; classtype:kickas
s-porn; sid:2001392
; rev:3;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E Kiddy Porn early teen"; content:"early teen"; nocase; threshold: type thre
shold, track by_dst,count 5, seconds 360; flow:from_server,established; sid:
2001348; rev:2;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E Kiddy Porn early teen"; content:"early teen"; nocase; threshold: type thre
shold, track by_dst,count 5, seconds 360; flow:from_server,established; clas
stype:policy-violat
ion; sid:2001348; rev:3;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-ED
GE INAPPROPRIATE Kiddy Porn zeps"; content:" zeps "; nocase; flow:from_serve
r,established; sid:2001387; rev:2;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-ED
GE INAPPROPRIATE Kiddy Porn zeps"; content:" zeps "; nocase; flow:from_serve
r,established; classtype:policy-violation; sid:2001387; rev:3;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E Inappropriate Likely Porn"; pcre:"/ (FREE XXX|dildo|masturbat|oral sex|eja
culat|up skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|se
x|porn)|raw sex|((f
uck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; classt
ype:kickass-porn; sid:2001608; rev:1;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E Inappropriate Likely Porn"; pcre:"/ (FREE XXX|dildo|masturbat|oral sex|eja
culat|up skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|se
x|porn)|raw sex|((f
uck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; flow:e
stablished,from_server; classtype:kickass-porn; sid:2001608; rev:2;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-ED
GE INAPPROPRIATE Kiddy Porn childlover"; content:" childlover "; nocase; flo
w:from_server,established; sid:2001389; rev:2;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-ED
GE INAPPROPRIATE Kiddy Porn childlover"; content:" childlover "; nocase; flo
w:from_server,established; classtype:policy-violation; sid:2001389; rev:3;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-ED
GE INAPPROPRIATE Kiddy Porn pthc"; content:" pthc "; nocase; flow:from_serve
r,established; sid:2001386; rev:2;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-ED
GE INAPPROPRIATE Kiddy Porn pthc"; content:" pthc "; nocase; flow:from_serve
r,established; classtype:policy-violation; sid:2001386; rev:3;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-ED
GE INAPPROPRIATE Kiddy Porn r@ygold"; content:" r@ygold "; nocase; flow:from
_server,established; sid:2001388; rev:2;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-ED
GE INAPPROPRIATE Kiddy Porn r@ygold"; content:" r@ygold "; nocase; flow:from
_server,established; classtype:policy-violation; sid:2001388; rev:3;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E Kiddy Porn pre-teen"; content:"pre-teen"; nocase; threshold: type threshol
d, track by_dst,count 5, seconds 360; flow:from_server,established; sid:2001
347; rev:2;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E Kiddy Porn pre-teen"; content:"pre-teen"; nocase; threshold: type threshol
d, track by_dst,count 5, seconds 360; flow:from_server,established; classtyp
e:policy-violation;
sid:2001347; rev:3;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-ED
GE Inappropriate Sextracker Tracking Code Detected"; content:"BEGIN SEXTRACK
ER CODE"; nocase; flow:from_server,established; sid:2001393; rev:2;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-ED
GE Inappropriate Sextracker Tracking Code Detected"; content:"BEGIN SEXTRACK
ER CODE"; nocase; flow:from_server,established; classtype:kickass-porn; sid:
2001393; rev:3;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E Kiddy Porn preteen"; content:"preteen"; nocase; threshold: type threshold,
track by_dst,count 5, seconds 360; flow:from_server,established; sid:200134
6; rev:2;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E Kiddy Porn preteen"; content:"preteen"; nocase; threshold: type threshold,
track by_dst,count 5, seconds 360; flow:from_server,established; classtype:
policy-violation; s
id:2001346; rev:3;)
-> Modified active in bleeding-malware.rules (86):
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Oenji.com Install"; uricontent:"/Bundled/OemjiInstall"; nocase; cl
asstype:trojan-activity; flow:to_server,established; sid:2001538; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Oenji.com Install"; uricontent:"/Bundled/OemjiInstall"; nocase; fl
ow:to_server,established; classtype:trojan-activity; sid:2001538; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware SurfAssistant.com Spyware Activity"; content:"User-Agent\: ML"; fl
ow:to_server,established; sid:2001515; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware SurfAssistant.com Spyware Activity"; content:"User-Agent\: ML"; fl
ow:to_server,established; classtype:trojan-activity; sid:2001515; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/mstasks3.txt"; n
ocase; flow:to_server,established; sid:2001483; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/mstasks3.txt"; n
ocase; flow:to_server,established; classtype:trojan-activity; sid:2001483; r
ev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Casalemedia Access, Likely Spyware"; pcre:"/Host\: \w*.ak-networks
.com/im"; flow:to_server,established; sid:2001529; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware"; pcre:"/Host\: \w*\.ak-networks\.com/im"; flow:to_server,established; classtype:trojan-activity; sid:2001529; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/dktibs.php"; noc
ase; flow:to_server,established; sid:2001474; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/dktibs.php"; noc
ase; flow:to_server,established; classtype:trojan-activity; sid:2001474; rev
:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://pizdato
.biz/gamma-test.htm"; nocase; flow:to_server,established; sid:2001476; rev:2
;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://pizdato
.biz/gamma-test.htm"; nocase; flow:to_server,established; classtype:trojan-a
ctivity; sid:200147
6; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Install"; uricontent:"/x30/d.exe"; nocase; flow
:to_server,established; sid:2001484; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Install"; uricontent:"/x30/d.exe"; nocase; flow
:to_server,established; classtype:trojan-activity; sid:2001484; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Coolsearch Spyware Install"; content:"http\://coolsearch.biz/unite
d.htm"; nocase; flow:to_server,established; sid:2001479; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Coolsearch Spyware Install"; content:"http\://coolsearch.biz/unite
d.htm"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2
001479; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Spyspotter.com Access, Likely Spyware"; pcre:"/Host\: \w*\.spyspot
ter.com/im"; flow:to_server,established; sid:2001537; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Spyspotter.com Access, Likely Spyware"; pcre:"/Host\: \w*\.spyspot
ter.com/im"; flow:to_server,established; classtype:trojan-activity; sid:2001
537; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware E2give Related Reporting"; uricontent:"/count/count.php?&mm2cpr";
nocase; flow:to_server,established; sid:2001423; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware E2give Related Reporting"; uricontent:"/count/count.php?&mm2cpr";
nocase; flow:to_server,established; classtype:trojan-activity; sid:2001423;
rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Smartpops.com Spyware Update"; uricontent:"/data/spv15.dat?v="; no
case; flow:to_server,established; sid:2001513; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Smartpops.com Spyware Update"; uricontent:"/data/spv15.dat?v="; no
case; flow:to_server,established; classtype:trojan-activity; sid:2001513; re
v:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware S
earchmiracle.com Spyware Install"; uricontent:"/silent_install.exe"; content:"Host\: in
stall.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; no
case; flow:to_server,established; sid:2001534; rev:3;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware S
earchmiracle.com Spyware Install"; uricontent:"/silent_install.exe"; content:"Host\: in
stall.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; no
case; flow:to_server,established; classtype:trojan-activity; sid:2001534; re
v:4;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware E2give Related Downloading IeBHOs.dll"; uricontent:"/downloads/IeB
HOs.dll"; nocase; flow:to_server,established; sid:2001415; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware E2give Related Downloading IeBHOs.dll"; uricontent:"/downloads/IeB
HOs.dll"; nocase; flow:to_server,established; classtype:trojan-activity; sid
:2001415; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware ak-networks.com Access, Likely Spyware"; content:"Host\: app.deskt
op.ak-networks.com"; nocase; flow:to_server,established; sid:2001528; rev:2;
)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware ak-networks.com Access, Likely Spyware"; content:"Host\: app.deskt
op.ak-networks.com"; nocase; flow:to_server,established; classtype:trojan-ac
tivity; sid:2001528
; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Install Report"; pcre:"//user\d+/counter.htm/im"; flow:
to_server,established; sid:2001541; rev:3;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Install Report"; pcre:"//user\d+/counter.htm/im"; flow:
to_server,established; classtype:trojan-activity; sid:2001541; rev:4;)
old: alert tcp $HOME_NET any -> any any (msg:"BLEEDING_EDGE Malware JoltID A
gent P2P via Proxy Server"; content:"POST http\://"; nocase; content:"\:3531
/.pkt"; within:20; nocase; flow:to_server,established; sid:2001679; rev:3;)
new: alert tcp $HOME_NET any -> any any (msg:"BLEEDING_EDGE Malware JoltID A
gent P2P via Proxy Server"; content:"POST http\://"; nocase; content:"\:3531
/.pkt"; within:20; nocase; classtype:trojan-activity; flow:to_server,establi
shed; sid:2001679;
rev:4;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Medialoads.com Spyware Activity"; uricontent:"User-Agent\: NSISDL"
; nocase; content:"medialoads.com"; nocase; flow:to_server,established; sid:
2001504; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Activity"; content:"User-Agent\: NSISDL"; nocase; content:"medialoads.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001504; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Comet Systems Spyware Traffic"; uricontent:"/context/1/up_context_
1.xml"; nocase; flow:to_server,established; sid:2001655; rev:1;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Comet Systems Spyware Traffic"; uricontent:"/context/1/up_context_
1.xml"; nocase; flow:to_server,established; classtype:policy-violation; sid:
2001655; rev:2;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Look2me Spyware Activity"; content:"Referer\: Look2Me"; nocase; fl
ow:to_server,established; sid:2001499; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Look2me Spyware Activity"; content:"Referer\: Look2Me"; nocase; fl
ow:to_server,established; classtype:trojan-activity; sid:2001499; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware C
asino on Net Install"; reference:url,www.888casino.net; uricontent:"/newdown
load/newsetup/"; nocase; content:"casinone"; nocase; flow:to_server,establis
hed; sid
:2001041; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware C
asino on Net Install"; reference:url,www.888casino.net; uricontent:"/newdown
load/newsetup/"; nocase; content:"casinone"; nocase; flow:to_server,establis
hed; cla
sstype:trojan-activity; sid:2001041; rev:3;)
old: alert tcp $HOME_NET any -> 216.151.85.195 $HTTP_PORTS (msg:"BLEEDING-ED
GE Malware Unknown Suspicious PrintMe Suspected Spyware"; content:"PrintMe";
classtype:bad-unknown; sid:2001665; rev:1;)
new: alert tcp $HOME_NET any -> 216.151.85.195 $HTTP_PORTS (msg:"BLEEDING-ED
GE Malware Unknown Suspicious PrintMe Suspected Spyware"; content:"PrintMe";
classtype:bad-unknown; flow:established; sid:2001665; rev:2;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware I
CQ-Update.biz Reporting Install"; uricontent:"log.php?IP="; nocase; content:"&Port1=";
nocase; content:"Host\: www.icq-update.biz"; nocase; flow:to_server,estab
lished; sid:2001490; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware I
CQ-Update.biz Reporting Install"; uricontent:"log.php?IP="; nocase; content:"&Port1=";
nocase; content:"Host\: www.icq-update.biz"; nocase; flow:to_server,estab
lished; classtype:trojan-activity; sid:2001490; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmiracle.com Access, Likely Spyware"; pcre:"/Host\: \w*.searc
hmiracle.com/im"; flow:to_server,established; sid:2001532; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Access, Likely Spyware"; pcre:"/Host\: \w*\.searchmiracle\.com/im"; flow:to_server,established; classtype:trojan-activity; sid:2001532; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Media-Motor Related Downloading MediaMotor25.exe"; uricontent:"/so
ft/MediaMotor25.exe"; nocase; flow:to_server,established; sid:2001414; rev:2
;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Media-Motor Related Downloading MediaMotor25.exe"; uricontent:"/so
ft/MediaMotor25.exe"; nocase; flow:to_server,established; classtype:trojan-a
ctivity; sid:200141
4; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Tibsystems Spyware Activity"; uricontent:"/d4.fcgi?v="; nocase; fl
ow:to_server,established; sid:2001488; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Tibsystems Spyware Activity"; uricontent:"/d4.fcgi?v="; nocase; fl
ow:to_server,established; classtype:trojan-activity; sid:2001488; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Receiving Commands"; uricontent:"/xpsystem/comm
ands.ini"; nocase; flow:to_server,established; sid:2001475; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Receiving Commands"; uricontent:"/xpsystem/comm
ands.ini"; nocase; flow:to_server,established; classtype:trojan-activity; si
d:2001475; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Spyspotter.com Install"; uricontent:"/SpySpotterInstall.cab"; noca
se; classtype:trojan-activity; flow:to_server,established; sid:2001536; rev:
2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Spyspotter.com Install"; uricontent:"/SpySpotterInstall.cab"; noca
se; flow:to_server,established; classtype:trojan-activity; sid:2001536; rev:
3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-ED
GE Malware Mastermind Related Downloading Daily Executable"; content:"/soft/
loads/"; nocase; within:5; content:".exe"; nocase; flow:to_server,establishe
d; sid:2001412; rev
:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-ED
GE Malware Mastermind Related Downloading Daily Executable"; content:"/soft/
loads/"; nocase; within:5; content:".exe"; nocase; flow:to_server,establishe
d; classtype:trojan
-activity; sid:2001412; rev:3;)
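Review bot: In the new sid:2001412 the `within:5` modifier sits on the first content (`content:"/soft/loads/"; nocase; within:5;`), where there is no previous match for it to be relative to, and the second `content:".exe"` carries no relative modifier, so ".exe" anywhere in the packet satisfies the rule rather than a filename under /soft/loads/. The modifier belongs on the second content, and even there 5 bytes leaves room for only a one-character name before ".exe". Something like `content:"/soft/loads/"; nocase; content:".exe"; nocase; distance:0; within:64;` expresses the apparent intent; the window should be taken from observed samples, which this report does not show. Since the body is already being edited for the classtype, fixing this in the same rev avoids another bump.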
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware C
asino on Net Reporting Data"; reference:url,www.888casino.net; uricontent:"/
logs.asp?MSGID=100"; nocase; flow:to_server,established; sid:2001031; rev:2;
)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware C
asino on Net Reporting Data"; reference:url,www.888casino.net; uricontent:"/
logs.asp?MSGID=100"; nocase; flow:to_server,established; classtype:trojan-ac
tivity;
sid:2001031; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/xpl3.htm";
nocase; flow:to_server,established; sid:2001470; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/xpl3.htm";
nocase; flow:to_server,established; classtype:trojan-activity; sid:2001470;
rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/toolbar.txt"; no
case; flow:to_server,established; sid:2001473; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/toolbar.txt"; no
case; flow:to_server,established; classtype:trojan-activity; sid:2001473; re
v:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware SurfAssistant.com Spyware Install"; uricontent:"/distribution/ques
tmod-1.dll"; nocase; flow:to_server,established; sid:2001510; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware SurfAssistant.com Spyware Install"; uricontent:"/distribution/ques
tmod-1.dll"; nocase; flow:to_server,established; classtype:trojan-activity;
sid:2001510; rev:3;
)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware C
asino on Net Ping Hit"; reference:url,www.888casino.net; uricontent:"/Ping/P
ing.txt"; nocase; flow:to_server,established; sid:2001032; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware C
asino on Net Ping Hit"; reference:url,www.888casino.net; uricontent:"/Ping/P
ing.txt"; nocase; flow:to_server,established; classtype:trojan-activity; sid
:2001032
; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"BLEEDING-EDGE Malwa
re Mastermind Related Reporting 8081"; content:"/a?l=PeAyF1sgrZYw&i="; nocas
e; flow:to_server,established; sid:2001410; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"BLEEDING-EDGE Malwa
re Mastermind Related Reporting 8081"; content:"/a?l=PeAyF1sgrZYw&i="; nocas
e; flow:to_server,established; classtype:trojan-activity; sid:2001410; rev:3
;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Medialoads.com Spyware Config"; uricontent:"/dw/cgi/download.cgi?s
n=&pid="; nocase; content:"Host\:config.medialoads.com"; nocase; flow:to_ser
ver,established; si
d:2001503; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Medialoads.com Spyware Config"; uricontent:"/dw/cgi/download.cgi?s
n=&pid="; nocase; content:"Host\:config.medialoads.com"; nocase; flow:to_ser
ver,established; cl
asstype:trojan-activity; sid:2001503; rev:3;)
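Review bot: The new sid:2001503 matches `content:"Host\:config.medialoads.com"` with no space after the colon, whereas the other Host matches in this update (for example sid:2001489, sid:2001519, sid:2001521) use `Host\: `; a client that sends the conventional `Host: config.medialoads.com` will not match it, and the rule then depends on the URI alone. Unless the pattern was copied from a capture where this client omits the space, change it to `content:"Host\: config.medialoads.com"; nocase;`. The same spacing appears in sid:2001508 and sid:2001509 below.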
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Spyware Install Reporting"; uricontent:"/xpsystem/repor
t.php?user_id="; nocase; uricontent:"&status=0&country_id="; nocase; flow:to
_server,established
; sid:2001472; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Spyware Install Reporting"; uricontent:"/xpsystem/repor
t.php?user_id="; nocase; uricontent:"&status=0&country_id="; nocase; flow:to
_server,established
; classtype:trojan-activity; sid:2001472; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Medialoads.com Spyware Reporting"; uricontent:"/dw/cgi/download.cg
i?sn="; nocase; content:"Host\:config.medialoads.com"; nocase; flow:to_serve
r,established; sid:
2001508; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Medialoads.com Spyware Reporting"; uricontent:"/dw/cgi/download.cg
i?sn="; nocase; content:"Host\:config.medialoads.com"; nocase; flow:to_serve
r,established; clas
stype:trojan-activity; sid:2001508; rev:3;)
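Review bot: The new sid:2001508 will fire on every request that also triggers sid:2001503, because its `uricontent:"/dw/cgi/download.cgi?sn="` is a prefix of that rule's `/dw/cgi/download.cgi?sn=&pid=` and both require the same Host match; if "Config" and "Reporting" are meant to be distinct events this one needs a distinguishing match, e.g. `uricontent:!"&pid="` after the URI, otherwise one of the two should be dropped. The Host match `content:"Host\:config.medialoads.com"` also lacks the space after the colon that the other Host matches in this file use (`Host\: `), so it probably misses conventional clients; `content:"Host\: config.medialoads.com"; nocase;` is the likely intent.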
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware S
pyware Stormer Reporting Data"; uricontent:"/showme.aspx?keyword="; nocase; content:"ec
omdata1="; nocase; reference:url,www.spywarestormer.com; flow:established
,to_server; sid:2001570; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware S
pyware Stormer Reporting Data"; uricontent:"/showme.aspx?keyword="; nocase; content:"ec
omdata1="; nocase; reference:url,www.spywarestormer.com; flow:established
,to_server; classtype:trojan-activity; sid:2001570; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Spygalaxy.ws Activity"; uricontent:"/install.php?id="; nocase; con
tent:"Host\: spygalaxy.ws"; nocase; flow:to_server,established; sid:2001489;
rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Spygalaxy.ws Activity"; uricontent:"/install.php?id="; nocase; con
tent:"Host\: spygalaxy.ws"; nocase; flow:to_server,established; classtype:tr
ojan-activity; sid:
2001489; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Medialoads.com Spyware Reporting"; uricontent:"/dw/cgi/register.cg
i?v="; nocase; content:"Host\:config.medialoads.com"; nocase; flow:to_server
,established; sid:2
001509; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Medialoads.com Spyware Reporting"; uricontent:"/dw/cgi/register.cg
i?v="; nocase; content:"Host\:config.medialoads.com"; nocase; flow:to_server
,established; class
type:trojan-activity; sid:2001509; rev:3;)
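Review bot: The new sid:2001509 matches `content:"Host\:config.medialoads.com"` with no space after the colon, unlike the `Host\: ` form used by the other Host matches in this update (sid:2001489, sid:2001519, sid:2001521); a client sending the conventional `Host: config.medialoads.com` will not match, leaving `/dw/cgi/register.cgi?v=` as the only effective check. Unless the pattern was copied from a capture of this specific client, use `content:"Host\: config.medialoads.com"; nocase;`.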
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware E2give Related Reporting Install"; uricontent:"/count/count.php?&m
m"; nocase; flow:to_server,established; sid:2001416; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware E2give Related Reporting Install"; uricontent:"/count/count.php?&m
m"; nocase; flow:to_server,established; classtype:trojan-activity; sid:20014
16; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware ak-networks.com Spyware Code Download"; uricontent:"/SyncAkSoft.da
_"; nocase; flow:to_server,established; sid:2001530; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware ak-networks.com Spyware Code Download"; uricontent:"/SyncAkSoft.da
_"; nocase; flow:to_server,established; classtype:trojan-activity; sid:20015
30; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; uricontent:"/dl/adv121/x.ch
m"; nocase; flow:to_server,established; sid:2001467; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; uricontent:"/dl/adv121/x.ch
m"; nocase; flow:to_server,established; classtype:trojan-activity; sid:20014
67; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware S
earchmiracle.com Spyware Install"; uricontent:"/protector.exe"; content:"Host\: install
.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; nocase;
flow:to_server,established; sid:2001535; rev:3;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware S
earchmiracle.com Spyware Install"; uricontent:"/protector.exe"; content:"Host\: install
.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; nocase;
flow:to_server,established; classtype:trojan-activity; sid:2001535; rev:4;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Spywaremover Activity"; uricontent:"/spywareremovers.php?"; conten
t:"Host\: topantispyware.com"; nocase; flow:to_server,established; sid:20015
20; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Spywaremover Activity"; uricontent:"/spywareremovers.php?"; conten
t:"Host\: topantispyware.com"; nocase; flow:to_server,established; classtype
:trojan-activity; s
id:2001520; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Avres.net Downloading cpr_mm2.exe"; uricontent:"/tt/cpr_mm2.exe";
nocase; flow:to_server,established; sid:2001419; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Avres.net Downloading cpr_mm2.exe"; uricontent:"/tt/cpr_mm2.exe";
nocase; flow:to_server,established; classtype:trojan-activity; sid:2001419;
rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs CHM Exploit"; uricontent:"/fa
/ied_s7m.chm"; nocase; flow:to_server,established; sid:2001468; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs CHM Exploit"; uricontent:"/fa
/ied_s7m.chm"; nocase; flow:to_server,established; classtype:trojan-activity
; sid:2001468; rev:
3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Overpro Spyware Games"; uricontent:"/blocks/blasterblocks"; nocase
; flow:to_server,established; sid:2001459; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Overpro Spyware Games"; uricontent:"/blocks/blasterblocks"; nocase
; flow:to_server,established; classtype:trojan-activity; sid:2001459; rev:3;
)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Install Code Download"; uricontent:"/install.gz"; nocas
e; content:"Host\: xpire.info"; nocase; flow:to_server,established; sid:2001
491; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Install Code Download"; uricontent:"/install.gz"; nocas
e; content:"Host\: xpire.info"; nocase; flow:to_server,established; classtyp
e:trojan-activity;
sid:2001491; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; content:"src=http\://xpire.
info/i.exe"; nocase; flow:to_server,established; sid:2001463; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; content:"src=http\://xpire.
info/i.exe"; nocase; flow:to_server,established; classtype:trojan-activity;
sid:2001463; rev:3;
)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; uricontent:"/dl/adv121.php"
; nocase; flow:to_server,established; sid:2001466; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; uricontent:"/dl/adv121.php"
; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001466
; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Tibsystems Spyware Activity"; content:"User-Agent\: TIBS Loader";
nocase; flow:to_server,established; sid:2001487; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Tibsystems Spyware Activity"; content:"User-Agent\: TIBS Loader";
nocase; flow:to_server,established; classtype:trojan-activity; sid:2001487;
rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Spywaremover Activity"; uricontent:"/download/cabs/THNALL1L/thnall
1l.exe"; content:"Host\: static.callinghome.biz"; nocase; flow:to_server,est
ablished; sid:20015
21; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Spywaremover Activity"; uricontent:"/download/cabs/THNALL1L/thnall
1l.exe"; content:"Host\: static.callinghome.biz"; nocase; flow:to_server,est
ablished; classtype
:trojan-activity; sid:2001521; rev:3;)
old: alert tcp any !20 -> $HOME_NET !25 (msg:"BLEEDING-EDGE Malware Possible
Windows executable sent when remote host claims to send an image"; content:
"Content-Type\: image"; content: "MZ"; within:12; flow: established; sid:20
01685; rev:1;)
new: alert tcp any !20 -> $HOME_NET !25 (msg:"BLEEDING-EDGE Malware Possible
Windows executable sent when remote host claims to send an image"; content:
"Content-Type\: image"; content: "MZ"; within:12; flow: established; classt
ype:trojan-activity
; sid:2001685; rev:2;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/systime.txt"; no
case; flow:to_server,established; sid:2001480; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/systime.txt"; no
case; flow:to_server,established; classtype:trojan-activity; sid:2001480; re
v:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Mastermind Related Downloading mm20.ocx"; uricontent:"/soft/mm20.o
cx"; nocase; flow:to_server,established; sid:2001411; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Mastermind Related Downloading mm20.ocx"; uricontent:"/soft/mm20.o
cx"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001
411; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware ICQ-Update.biz Reporting Install"; uricontent:"/update.exe"; nocas
e; content:"Host\: update.icq-update.biz"; nocase; flow:to_server,establishe
d; sid:2001519; rev
:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware ICQ-Update.biz Reporting Install"; uricontent:"/update.exe"; nocas
e; content:"Host\: update.icq-update.biz"; nocase; flow:to_server,establishe
d; classtype:trojan
-activity; sid:2001519; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Avres.net Downloading ab1.exe"; uricontent:"/tt/ab1.exe"; nocase;
flow:to_server,established; sid:2001420; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Avres.net Downloading ab1.exe"; uricontent:"/tt/ab1.exe"; nocase;
flow:to_server,established; classtype:trojan-activity; sid:2001420; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Spyware Exploit"; uricontent:"/2DimensionOfExploitsEnc.
php"; nocase; flow:to_server,established; sid:2001471; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Spyware Exploit"; uricontent:"/2DimensionOfExploitsEnc.
php"; nocase; flow:to_server,established; classtype:trojan-activity; sid:200
1471; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware E2give Related Downloading Code"; uricontent:"/soft/unstall.exe";
nocase; flow:to_server,established; sid:2001418; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware E2give Related Downloading Code"; uricontent:"/soft/unstall.exe";
nocase; flow:to_server,established; classtype:trojan-activity; sid:2001418;
rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware L
ook2me Spyware Activity"; uricontent:"/cgi-bin/BW.exe"; content:"Host\: www.look2m
e.com"; nocase; flow:to_server,established; sid:2001502; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware L
ook2me Spyware Activity"; uricontent:"/cgi-bin/BW.exe"; content:"Host\: www.look2m
e.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2
00
1502; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs Occuring"; uricontent:"/fa/?d
=get"; nocase; flow:to_server,established; sid:2001462; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs Occuring"; uricontent:"/fa/?d
=get"; nocase; flow:to_server,established; classtype:trojan-activity; sid:20
01462; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-ED
GE Malware Medis-Motor Related Downloading ast_4_mm.exe"; uricontent:"/dist/
ast_4_mm.exe"; nocase; flow:to_server,established; sid:2001413; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-ED
GE Malware Medis-Motor Related Downloading ast_4_mm.exe"; uricontent:"/dist/
ast_4_mm.exe"; nocase; flow:to_server,established; classtype:trojan-activity
; sid:2001413; rev:
3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware C
asino on Net Data Download"; reference:url,www.888casino.net; uricontent:"/s
dl/casinov"; nocase; flow:to_server,established; sid:2001033; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware C
asino on Net Data Download"; reference:url,www.888casino.net; uricontent:"/s
dl/casinov"; nocase; flow:to_server,established; classtype:trojan-activity;
sid:2001
033; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware SurfAssistant.com Spyware Reporting"; uricontent:"/sa/?a="; nocase
; content:"Host\: sa-001.com"; nocase; flow:to_server,established; sid:20015
14; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware SurfAssistant.com Spyware Reporting"; uricontent:"/sa/?a="; nocase
; content:"Host\: sa-001.com"; nocase; flow:to_server,established; classtype
:trojan-activity; s
id:2001514; rev:3;)
old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware
Windows executable sent when remote host claims to send image, Win32"; conte
nt: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "T
his program must be
run under Win32"; flow: established; sid:2001684; rev:3;)
new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware
Windows executable sent when remote host claims to send image, Win32"; conte
nt: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "T
his program must be
run under Win32"; flow: established; classtype:trojan-activity; sid:2001684;
rev:4;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E Malware Searchmiracle.com Spyware Installer silent.exe Download"; content:
"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63
68 61|"; reference
:url,www.searchmiracle.com/silent.exe; nocase; flow:from_server,established;
sid:2001533; rev:3;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E Malware Searchmiracle.com Spyware Installer silent.exe Download"; content:
"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63
68 61|"; reference
:url,www.searchmiracle.com/silent.exe; nocase; flow:from_server,established;
classtype:trojan-activity; sid:2001533; rev:4;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Smartpops.com Spyware Install"; uricontent:"/install/RH/rh.exe"; n
ocase; flow:to_server,established; sid:2001505; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Smartpops.com Spyware Install"; uricontent:"/install/RH/rh.exe"; n
ocase; flow:to_server,established; classtype:trojan-activity; sid:2001505; r
ev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Avres.net Downloading tvm_bundle.exe"; uricontent:"/tt/tvm_bundle.
exe"; nocase; flow:to_server,established; sid:2001421; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Avres.net Downloading tvm_bundle.exe"; uricontent:"/tt/tvm_bundle.
exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:200
1421; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Spyspotter.com Access, Likely Spyware"; pcre:"/Host\: \w*\.oemji.c
om/im"; flow:to_server,established; sid:2001539; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Spyspotter.com Access, Likely Spyware"; pcre:"/Host\: \w*\.oemji.c
om/im"; flow:to_server,established; classtype:trojan-activity; sid:2001539;
rev:3;)
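Review bot: In the new sid:2001539 the msg says "Spyspotter.com Access" but the only match is `pcre:"/Host\: \w*\.oemji.com/im"`, which matches hosts under oemji.com, so alerts will be mislabelled during triage; the sibling Spyspotter rule sid:2001536 matches `/SpySpotterInstall.cab`, which suggests this msg was carried over. If oemji.com is the intended target, use `msg:"BLEEDING-EDGE Malware Oemji.com Access, Likely Spyware"` and escape the second dot: `pcre:"/Host\: \w*\.oemji\.com/im"`. Note that `\w*` will not match a hyphenated hostname label, if this domain uses any.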
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Sexmaniack Install Tracking"; uricontent:"/counted.php?ref="; noca
se; content:"Host\: counter.sexmaniack.com"; nocase; flow:to_server,establis
hed; sid:2001460; r
ev:3;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Sexmaniack Install Tracking"; uricontent:"/counted.php?ref="; noca
se; content:"Host\: counter.sexmaniack.com"; nocase; flow:to_server,establis
hed; classtype:troj
an-activity; sid:2001460; rev:4;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware C4tdoanload.com Access, Likely Spyware"; pcre:"/Host\: \w*\.c4tdow
nload.com/im"; flow:to_server,established; sid:2001531; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware C4tdoanload.com Access, Likely Spyware"; pcre:"/Host\: \w*\.c4tdow
nload.com/im"; flow:to_server,established; classtype:trojan-activity; sid:20
01531; rev:3;)
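Review bot: The msg in the new sid:2001531 reads "C4tdoanload.com" while the pcre matches `c4tdownload.com`; the misspelled name will not be found when analysts search alerts by domain. Use `msg:"BLEEDING-EDGE Malware C4tdownload.com Access, Likely Spyware"` and, as with the other Host pcres, escape the dot before the TLD: `pcre:"/Host\: \w*\.c4tdownload\.com/im"`.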
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Smartpops.com Spyware Activity"; uricontent:"User-Agent\: NSISDL";
nocase; content:"Host\:download.smartpops.com"; nocase; flow:to_server,esta
blished; sid:200150
6; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Smartpops.com Spyware Activity"; uricontent:"User-Agent\: NSISDL";
nocase; content:"Host\:download.smartpops.com"; nocase; flow:to_server,esta
blished; classtype:
trojan-activity; sid:2001506; rev:3;)
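Review bot: In the new sid:2001506 the User-Agent match is written as `uricontent:"User-Agent\: NSISDL"`, but a request header is not part of the URI buffer that uricontent inspects, so this option cannot match and the rule effectively rests on the Host match alone. The sibling rule sid:2001507 in this same update uses `content:"User-Agent\: NSISDL"; nocase;` for the identical string; this rule should do the same. The Host match `content:"Host\:download.smartpops.com"` also has no space after the colon, unlike the `Host\: ` pattern used by the other Host matches here, so a client sending the conventional `Host: download.smartpops.com` would not match either; `content:"Host\: download.smartpops.com"; nocase;` is probably intended.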
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/x.chm"; noc
ase; flow:to_server,established; sid:2001469; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/x.chm"; noc
ase; flow:to_server,established; classtype:trojan-activity; sid:2001469; rev
:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware O
verpro Spyware Bundle Install"; content:"GET /WildApp.cab"; offset:0; depth:16; nocase;
content:"Host\: download.overpro.com"; nocase; reference:url,www.wildarc
ade.com; classtype:trojan-activity; flow:to_server,established; sid:2001444;
rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware O
verpro Spyware Bundle Install"; content:"GET /WildApp.cab"; offset:0; depth:16; nocase;
content:"Host\: download.overpro.com"; nocase; reference:url,www.wildarc
ade.com; flow:to_server,established; classtype:trojan-activity; sid:2001444;
rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; uricontent:"/i.exe"; nocase
; content:"xpire.info"; nocase; flow:to_server,established; sid:2001464; rev
:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; uricontent:"/i.exe"; nocase
; content:"xpire.info"; nocase; flow:to_server,established; classtype:trojan
-activity; sid:2001
464; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware S
pyware Stormer/Error Guard Activity"; uricontent:"/sell.cgi?errorguard/1/errorguard"; n
ocase; reference:url,www.spywarestormer.com; flow:established,to_server;
sid:2001571; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware S
pyware Stormer/Error Guard Activity"; uricontent:"/sell.cgi?errorguard/1/errorguard"; n
ocase; reference:url,www.spywarestormer.com; flow:established,to_server;
classtype:trojan-activity; sid:2001571; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware E2give Related Receiving Config"; uricontent:"/config/?v=5&n=mm2&i
="; nocase; flow:to_server,established; sid:2001417; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware E2give Related Receiving Config"; uricontent:"/config/?v=5&n=mm2&i
="; nocase; flow:to_server,established; classtype:trojan-activity; sid:20014
17; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://newifra
me.biz/ysb.exe.eeexe.exe"; nocase; flow:to_server,established; sid:2001478;
rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://newifra
me.biz/ysb.exe.eeexe.exe"; nocase; flow:to_server,established; classtype:tro
jan-activity; sid:2
001478; rev:3;)
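Review bot: The new sid:2001478 matches `uricontent:"http\://newiframe.biz/ysb.exe.eeexe.exe"`; in a direct request the URI buffer holds only the path (`/ysb.exe.eeexe.exe`) with the host in the Host header, so this pattern matches only when the client goes through a proxy that forwards an absolute URI. The other Host-specific rules in this update use the split form, which here would be `uricontent:"/ysb.exe.eeexe.exe"; nocase; content:"Host\: newiframe.biz"; nocase;`. If the absolute form was taken from a capture of a proxied client, keep it and add the split form as a second rule.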
old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware
Windows executable sent when remote host claims to send an image"; content:
"Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "This
program cannot be r
un in DOS mode"; flow: established; sid:2001683; rev:3;)
new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware
Windows executable sent when remote host claims to send an image"; content:
"Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "This
program cannot be r
un in DOS mode"; flow: established; classtype:trojan-activity; sid:2001683;
rev:4;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/evil.html";
nocase; sid:2001461; flow:to_server,established; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/evil.html";
nocase; classtype:trojan-activity; sid:2001461; flow:to_server,established;
rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Medialoads.com Spyware Identifying Country of Origin"; uricontent:
"/dw/cgi/country.cgi"; nocase; content:"User-Agent\: NSISDL"; nocase; flow:t
o_server,establishe
d; sid:2001507; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Medialoads.com Spyware Identifying Country of Origin"; uricontent:
"/dw/cgi/country.cgi"; nocase; content:"User-Agent\: NSISDL"; nocase; flow:t
o_server,establishe
d; classtype:trojan-activity; sid:2001507; rev:3;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E Malware Mastermind Related Reporting"; uricontent:"/bundle.php?aff="; noca
se; flow:to_server,established; sid:2001409; rev:2;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E Malware Mastermind Related Reporting"; uricontent:"/bundle.php?aff="; noca
se; flow:to_server,established; classtype:trojan-activity; sid:2001409; rev:
3;)
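Review bot: The new sid:2001409 keeps a header of `$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any` together with `flow:to_server,established` and a `uricontent` match; the header selects server-to-client packets while the flow option requires client-to-server, so the rule cannot fire on normal traffic. Every other `flow:to_server` rule in this report uses `alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS`, and both the msg ("Reporting") and the `/bundle.php?aff=` URI describe a client request. Change the header to `alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (` and keep the remaining options.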
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://www.coo
lsearch.biz/c.htm"; nocase; flow:to_server,established; sid:2001477; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://www.coo
lsearch.biz/c.htm"; nocase; flow:to_server,established; classtype:trojan-act
ivity; sid:2001477;
rev:3;)
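Review bot: The new sid:2001477 matches `uricontent:"http\://www.coolsearch.biz/c.htm"`, an absolute URI that appears in the request line only for proxied requests; a direct request carries `/c.htm` in the URI and the host in the Host header, so those installs go undetected. To cover both, use the form the other Host-specific rules in this update use: `uricontent:"/c.htm"; nocase; content:"Host\: www.coolsearch.biz"; nocase;`. `/c.htm` on its own is generic, so the Host match is what keeps this from firing on unrelated sites.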
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Smartpops.com Spyware Install"; uricontent:"/install/SE/sed.exe";
nocase; flow:to_server,established; sid:2001516; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Smartpops.com Spyware Install"; uricontent:"/install/SE/sed.exe";
nocase; flow:to_server,established; classtype:trojan-activity; sid:2001516;
rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Avres.net Reporting Data"; uricontent:"/log3.php?c={"; nocase
; uricontent:"what="; nocase; uricontent:"avatar="; nocase; flow:to_server,e
stablished; sid:2001422;
rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Malware Avres.net Reporting Data"; uricontent:"/log3.php?c={"; nocase
; uricontent:"what="; nocase; uricontent:"avatar="; nocase; flow:to_server,e
stablished; classtype:tr
ojan-activity; sid:2001422; rev:3;)
-> Modified active in bleeding-p2p.rules (6):
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morph
eus Install"; reference:url,www.morpheus.com; uricontent:"/morpheus/morpheus
.exe"; nocase; flow:to_server,established; sid:2001035; rev:2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morph
eus Install"; reference:url,www.morpheus.com; uricontent:"/morpheus/morpheus
.exe"; nocase; flow:to_server,established; classtype:policy-violation; sid:2
001035;
rev:3;)
old: alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg:"BLEEDING-EDGE P2P
Soulseek traffic"; classtype:policy-violation; sid:2001186; rev:2;)
new: alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg:"BLEEDING-EDGE P2P
Soulseek traffic"; flow:established; classtype:policy-violation; sid:200118
6; rev:3;)
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morph
eus Update Request"; reference:url,www.morpheus.com; uricontent:"/gwebcache/
gcache.asg?hostfile="; nocase; flow:to_server,established; sid:2001037; rev:
2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morph
eus Update Request"; reference:url,www.morpheus.com; uricontent:"/gwebcache/
gcache.asg?hostfile="; nocase; flow:to_server,established; classtype:policy-
violatio
n; sid:2001037; rev:3;)
old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E P2P Soulseek"; content:"slsknet"; classtype:policy-violation; sid:2001188;
rev:2;)
new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDG
E P2P Soulseek"; content:"slsknet"; flow:established; classtype:policy-viola
tion; sid:2001188; rev:2;)
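Review bot: The new sid:2001188 adds `flow:established` but leaves `rev:2` unchanged, so sensors and rule-management tooling that key on sid/rev will treat it as the same rule and may not pick up the change; every other modified rule in this report bumps rev. Change the tail to `flow:established; classtype:policy-violation; sid:2001188; rev:3;`. Separately, `content:"slsknet"` with no other anchor matches any server-to-client payload containing that string, such as a web page linking to slsknet.org, so this is a low-fidelity policy indicator rather than evidence that the client is installed.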
old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morph
eus Install ini Download"; reference:url,www.morpheus.com; uricontent:"/morp
heus/morpheus_sm.ini"; nocase; flow:to_server,established; sid:2001036; rev:
2;)
new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morph
eus Install ini Download"; reference:url,www.morpheus.com; uricontent:"/morp
heus/morpheus_sm.ini"; nocase; flow:to_server,established; classtype:policy-
violatio
n; sid:2001036; rev:3;)
old: alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg:"BLEEDING-EDGE P2P
Soulseek traffic"; classtype:policy-violation; sid:2001185; rev:2;)
new: alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg:"BLEEDING-EDGE P2P
Soulseek traffic"; flow:established; classtype:policy-violation; sid:200118
5; rev:3;)
-> Modified active in bleeding-policy.rules (1):
old: alert tcp $HOME_NET any -> 66.151.158.177 any (msg:"BLEEDING-EDGE GotoM
yPC Polling Client"; threshold: type limit, track by_src, count 1, seconds 3
60; sid:2000309; rev:4;)
new: alert tcp $HOME_NET any -> 66.151.158.177 any (msg:"BLEEDING-EDGE GotoM
yPC Polling Client"; threshold: type limit, track by_src, count 1, seconds 3
60; flow:established; classtype:policy-violation; sid:2000309; rev:5;)
-> Modified active in bleeding-scan.rules (2):
old: alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potenti
al SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seco
nds 120; flowbits:set,ssh.brute.attempt; classtype:attempted-dos; sid:200121
9; rev:8;)
new: alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potenti
al SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seco
nds 120; flowbits:set,ssh.brute.attempt; classtype:suspicious-login; sid:200
1219; rev:9;)
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"BLEEDING-EDGE Sc
an Possible SSL Brute Force attack or Site Crawl"; flags:S; flow:established
; threshold: type threshold, track by_src, count 100, seconds 60; sid:200155
3; rev:3;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"BLEEDING-EDGE Sc
an Possible SSL Brute Force attack or Site Crawl"; flags:S; flow:established
; threshold: type threshold, track by_src, count 100, seconds 60; classtype:
attempted-dos; sid:
2001553; rev:4;)
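Review bot: `flags:S` and `flow:established` on sid 2001553 contradict each other: a bare SYN is the first packet of the handshake, so with stream tracking on the session is not yet in the established state when that packet is inspected, and the rule cannot fire. The commit only appends `classtype:attempted-dos` and carries the contradiction forward. Either drop `flow:established` (the SSH scan rule 2001219 in the same file pairs `flags:S` with a threshold and no flow keyword) or, if completed sessions rather than SYNs are meant, drop `flags:S` and keep the threshold. Note that 100 SYNs in 60 s from one source is ordinary for a NAT'd office behind one address, so expect noise at this count once the rule actually fires.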
-> Modified active in bleeding-virus.rules (5):
old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagle.AY wo
rm [.cpl extension] - OUTBOUND"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2
ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaG
p5"; nocase; flow:established; refer
ence:url,secunia.com/vi
rus_information/14902/; classtype:misc-activity; sid:2001693; rev:1;)
new: alert TCP $HOME_NET any -> any 25 (msg:"Bagle.BJ [alias .AY, .BC] w
orm [.cpl extension] - outbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ
2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtna
Gp5"; nocase; flow:established; refe
rence:url,secunia.com/virus
_information/14902/; classtype:trojan-activity; sid:2001693; rev:2;)
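Review bot: `nocase` on a base64 `content:` match is wrong for sids 2001693, 2001691, 2001694 and 2001692: the base64 alphabet is case-sensitive, so a case-insensitive match also accepts strings that decode to entirely different bytes, widening each rule past the Bagle attachment it was cut from. Drop `nocase` on all four. The rewritten `msg` strings also lose the `BLEEDING-EDGE` prefix that every other rule in the set carries (and the new sid-msg.map entries inherit that), which breaks console filters or correlation keyed on the prefix; `msg:"BLEEDING-EDGE Virus Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound"` keeps the convention. Finally `[.com, exe extensions]` on 2001691 versus `[.com, .exe extensions]` on 2001692 looks like an unintended inconsistency.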
old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagle.AY wo
rm [.com extension] - OUTBOUND"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZG
NkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaG
hn"; nocase; flow:established; refer
ence:url,secunia.com/vi
rus_information/14902/; classtype:misc-activity; sid:2001691; rev:1;)
new: alert TCP $HOME_NET any -> any 25 (msg:"Bagle.BJ [alias .AY, .BC] w
orm [.com, exe extensions] - outbound"; content:"a2dndGtiYmpiZw0KbGhoZ2d
qZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamh
nDQpsaGhn"; nocase; flow:established
; reference:url,secunia.com
/virus_information/14902/; classtype:trojan-activity; sid:2001691; rev:3;)
old: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus B
agle.AY worm [.cpl extension] - inbound"; content:"amdoamh5dXRnamtoZnVrd
Gl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpnd
HVpdGtnaGp5"; nocase; flow:establish
ed; reference:url,secun
ia.com/virus_information/14902/; classtype:misc-activity; sid:2001694; rev:1
;)
new: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias .
AY, .BC] worm [.cpl extension] - incoming"; content:"amdoamh5dXRnamtoZnV
rdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmp
ndHVpdGtnaGp5"; nocase; flow:establi
shed; reference:url,secunia
.com/virus_information/14902/; classtype:trojan-activity; sid:2001694; rev:2
;)
old: alert tcp $HOME_NET any -> any 25 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDM
QWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; cla
sstype:trojan-activity; sid:2001283; rev:3;)
new: alert tcp $HOME_NET any -> any 25 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDM
QWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; cla
sstype:trojan-activity; flow:established,to_server; sid:2001283; rev:4;)
old: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus B
agle.AY worm [.com extension] - inbound"; content:"a2dndGtiYmpiZw0KbGhoZ
2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoa
mhnDQpsaGhn"; nocase; flow:establish
ed; reference:url,secun
ia.com/virus_information/14902/; classtype:misc-activity; sid:2001692; rev:1
;)
new: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias .
AY, .BC] worm [.com, .exe extensions] - incoming"; content:"a2dndGtiYmpi
Zw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhq
aGZmaGpoamhnDQpsaGhn"; nocase; flow:
established; reference:url,
secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001692
; rev:3;)
-> Modified active in bleeding-web.rules (8):
old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Exploit phpBB Highlighting SQL Injection"; flow:to_server,established; uri
content:"/viewtopic.php?"; nocase; uricontent:"&highlight='.mysql_query("; n
ocase; reference:ur
l,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001557; rev:3;)
new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Exploit phpBB Highlighting SQL Injection"; flow:to_server,established; uri
content:"/viewtopic.php?"; nocase; uricontent:"&highlight='.mysql_query("; n
ocase; reference:ur
l,www.securiteam.com/unixfocus/6Z00R2ABPY.html; classtype:web-application-at
tack; sid:2001557; rev:4;)
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"BLEEDING-EDGE WEB
-MISC LINK Method"; content:"LINK "; offset:0; depth:5; flow:to_server,estab
lished; tag:host,10,packets; sid:2001546; rev:1;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"BLEEDING-EDGE WEB
-MISC LINK Method"; content:"LINK "; offset:0; depth:5; flow:to_server,estab
lished; tag:host,10,packets; classtype:web-application-activity; sid:2001546
; rev:2;)
old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit
phpBB Highlight Exploit Attempt"; content:"&highlight=%2527%252Esystem("; nocase; flow:
to_server,established; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=
14&t=240513; sid:2001605; rev:2;)
new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit
phpBB Highlight Exploit Attempt"; content:"&highlight=%2527%252Esystem("; nocase; flow:
to_server,established; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=
14&t=240513; classtype:web-application-attack; sid:2001605; rev:3;)
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING
-EDGE WEB-MISC Alternate Data Stream source view attempt"; uricontent:"|3A 3
A 24|$DATA"; flow:to_server,established; reference:url,support.microsoft.com
/kb/q188806/; refer
ence:cve,1999-0278; sid:2001365; rev:2;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING
-EDGE WEB-MISC Alternate Data Stream source view attempt"; uricontent:"|3A 3
A 24|$DATA"; flow:to_server,established; reference:url,support.microsoft.com
/kb/q188806/; refer
ence:cve,1999-0278; classtype:web-application-activity; sid:2001365; rev:3;)
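Review bot: The `uricontent` on sid 2001365 does not match the attack it names: `|3A 3A 24|` already spells `::$`, and the literal `$DATA` that follows adds a second dollar sign, so the pattern is `::$$DATA` and a real `page.asp::$DATA` request never matches (and if Snort's variable expansion is applied to that string, an unescaped `$DATA` is worse still). Change it to `uricontent:"|3A 3A 24|DATA"; nocase;`. This revision bump only added a classtype, so the defect is carried over from rev 2.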
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING
-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization"; flow:to_server,establ
ished; content:"GET"; nocase; content:"|5C|"; nocase; depth:100; content:"as
px"; distance:100;
nocase; sid:2001342; rev:11;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING
-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization"; flow:to_server,establ
ished; content:"GET"; nocase; content:"|5C|"; nocase; depth:100; content:"as
px"; distance:100;
nocase; classtype:web-application-attack; sid:2001342; rev:12;)
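Review bot: `distance:100` on the `aspx` match in sid 2001342 (and the `%5C` variant 2001343 below) requires `aspx` to begin at least 100 bytes after the backslash, so the canonical bypass request `GET /secure\admin.aspx`, where `.aspx` follows the backslash within a few bytes, is missed; `within:100` (look for `aspx` in the 100 bytes after the `\`) appears to be what was intended. I am reading `distance` as a minimum offset from the end of the previous match, which is how the Snort manual defines it; if this rule has been validated against real exploit traffic, disregard. The `depth:100` on `|5C|` additionally confines the search to the first 100 bytes of the payload, which is a deliberate performance trade-off worth a one-line comment in the rules file.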
old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Exploit phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,
established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.
fwrite(fopen("; noc
ase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001
604; rev:4;)
new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDG
E Exploit phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,
established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.
fwrite(fopen("; noc
ase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; classtyp
e:web-application-attack; sid:2001604; rev:5;)
old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING
-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow:to_server,
established; content:"GET"; nocase; content:"%5C"; depth:100; content:"aspx"
; distance:100; sid
:2001343; rev:10;)
new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING
-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow:to_server,
established; content:"GET"; nocase; content:"%5C"; depth:100; content:"aspx"
; distance:100; cla
sstype:web-application-attack; sid:2001343; rev:11;)
old: alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE THCIISLame IIS SS
L Exploit Attempt"; reference:url,www.thc.org/exploits/THCIISSLame.c; refere
nce:url,isc.sans.org/diary.php?date=2004-07-17; content:"THCOWNZIIS!"; flow:
to_serve
r,established; sid:2000559; rev:5;)
new: alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE THCIISLame IIS SS
L Exploit Attempt"; reference:url,www.thc.org/exploits/THCIISSLame.c; refere
nce:url,isc.sans.org/diary.php?date=2004-07-17; content:"THCOWNZIIS!"; flow:
to_serve
r,established; classtype:web-application-attack; sid:2000559; rev:6;)
[///] Modified inactive rules: [///]
-> Modified inactive in bleeding-custom.rules (6):
old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE Behav
ioral Unusual Port 139 traffic, Potential Scan or Infection"; flags:S; thres
hold: type limit, track by_src, count 50 , seconds 60; sid:2001579; rev:2;)
new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE Behav
ioral Unusual Port 139 traffic, Potential Scan or Infection"; flags:S; thres
hold: type limit, track by_src, count 50 , seconds 60; classtype:misc-activi
ty; sid:2001579; re
v:3;)
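Review bot: `threshold: type limit, count 50, seconds 60` on sid 2001579 (and the five sibling rules 2001569 and 2001580–2001583 below) does the opposite of what the "Potential Scan" msg implies: `limit` alerts on the first 50 SYNs from a source in each 60 s window and then goes quiet, so a single legitimate SMB connection fires, and a host sending 5,000 SYNs fires exactly as often as one sending 50. For a "more than N per minute" detector use `type both`, i.e. `threshold: type both, track by_src, count 50, seconds 60;`, which fires once per window only after the 50th event. These rules are commented out so nothing fires today, but whoever enables them inherits the noisy behaviour.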
old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE Beha
vioral Unusual Port 1433 traffic, Potential Scan or Infection"; flags:S; thr
eshold: type limit, track by_src, count 50 , seconds 60; sid:2001583; rev:2;
)
new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE Beha
vioral Unusual Port 1433 traffic, Potential Scan or Infection"; flags:S; thr
eshold: type limit, track by_src, count 50 , seconds 60; classtype:misc-acti
vity; sid:2001583;
rev:3;)
old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE Behav
ioral Unusual Port 137 traffic, Potential Scan or Infection"; flags:S; thres
hold: type limit, track by_src, count 50 , seconds 60; sid:2001580; rev:2;)
new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE Behav
ioral Unusual Port 137 traffic, Potential Scan or Infection"; flags:S; thres
hold: type limit, track by_src, count 50 , seconds 60; classtype:misc-activi
ty; sid:2001580; re
v:3;)
old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Behav
ioral Unusual Port 445 traffic, Potential Scan or Infection"; flags:S; thres
hold: type limit, track by_src, count 50 , seconds 60; sid:2001569; rev:2;)
new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Behav
ioral Unusual Port 445 traffic, Potential Scan or Infection"; flags:S; thres
hold: type limit, track by_src, count 50 , seconds 60; classtype:misc-activi
ty; sid:2001569; re
v:3;)
old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE Beha
vioral Unusual Port 1434 traffic, Potential Scan or Infection"; flags:S; thr
eshold: type limit, track by_src, count 50 , seconds 60; sid:2001582; rev:2;
)
new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE Beha
vioral Unusual Port 1434 traffic, Potential Scan or Infection"; flags:S; thr
eshold: type limit, track by_src, count 50 , seconds 60; classtype:misc-acti
vity; sid:2001582;
rev:3;)
old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE Behav
ioral Unusual Port 135 traffic, Potential Scan or Infection"; flags:S; thres
hold: type limit, track by_src, count 50 , seconds 60; sid:2001581; rev:2;)
new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE Behav
ioral Unusual Port 135 traffic, Potential Scan or Infection"; flags:S; thres
hold: type limit, track by_src, count 50 , seconds 60; classtype:misc-activi
ty; sid:2001581; re
v:3;)
-> Modified inactive in bleeding-virus.rules (1):
old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"BLEEDING-EDGE Virus
Possible Sober.j Outbound"; reference:url,vil.mcafeesecurity.com/vil/content
/v_130130.htm; classtype:trojan-activity; sid:2001542; rev:2;)
new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"BLEEDING-EDGE Virus
Possible Sober.j Outbound"; reference:url,vil.mcafeesecurity.com/vil/content
/v_130130.htm; classtype:trojan-activity; flow:established; sid:2001542; rev
:3;)
[---] Removed rules: [---]
-> Removed from bleeding-malware.rules (3):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Search
miracle.com Spyware Install"; uricontent:"/cab/v3cab.cab"; reference:url,www.searc
hmiracle.com; nocase; flow:to_server,established; sid:2001540; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Mal
ware pool.Westpop.com Spyware Install"; uricontent:"/vcgi/magh/update.cgi?ma
gic="; nocase; flow:to_server,established; sid:2001512; rev:2;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Ma
lware Casalemedia Access, Likely Spyware"; pcre:"/Host\: \w*\.casalemedia.co
m/im"; flow:to_server,established; sid:2001527; rev:2;)
-> Removed from bleeding-web.rules (1):
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exp
loit phpBB Highlighting Code Execution Attempt"; flow:to_server,established;
uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.system("; no
case; reference:url
,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001457; rev:7;)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-inappropriate.rules (1):
# Info for these sigs from Gary Kalbfleisch
-> Added to bleeding-malware.rules (4):
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Ma
lware Casalemedia Access, Likely Spyware"; pcre:"/Host\: \w*\.casalemedia.co
m/im"; flow:to_server,established; classtype:trojan-activity; id:2001527; re
v:3;)
#matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Search
miracle.com Spyware Install"; uricontent:"/cab/v3cab.cab"; reference:url,www.searc
hmiracle.com; nocase; flow:to_server,established; classtype:trojan-activity;
i
d:2001540; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Mal
ware pool.Westpop.com Spyware Install"; uricontent:"/vcgi/magh/update.cgi?ma
gic="; nocase; flow:to_server,established; classtype:trojan-activity; id:200
1512; rev:3;)
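Review bot: The three rules added here use `id:` where `sid:` is meant (`id:2001527`, `id:2001540`, `id:2001512`), which is why Oinkmaster filed them under "non-rule lines" and listed the originals under "Removed rules": the active rule set has lost these three detections. `id` is Snort's IP-ID option and the field is 16-bit, so a value of 2001527 either fails to load or yields a sid-less rule that can never match. Restore `sid:` on all three, e.g. `... flow:to_server,established; classtype:trojan-activity; sid:2001540; rev:3;)`. While here, the Casalemedia pcre `/Host\: \w*\.casalemedia.com/im` leaves the dot in `.com` unescaped and is unanchored, making it both slightly over-broad and a full-payload regex scan on every outbound HTTP packet; `/^Host\: \w*\.casalemedia\.com/im` fixes both.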
-> Added to bleeding-sid-msg.map (21):
2001691 || Bagle.BJ [alias .AY, .BC] worm [.com, exe extensions] - o
utbound || url,secunia.com/virus_information/14902/
2001692 || Bagle.BJ [alias .AY, .BC] worm [.com, .exe extensions] -
incoming || url,secunia.com/virus_information/14902/
2001693 || Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outboun
d || url,secunia.com/virus_information/14902/
2001694 || Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - incomin
g || url,secunia.com/virus_information/14902/
2001695 || Bagle.BJ [alias .AY, .BC] - download attempt || url,secunia.c
om/virus_information/14877/
2001696 || BLEEDING-EDGE Malware Search Relevancy Spyware
2001697 || BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Data Submission || url,
www.isearchtech.com
2001698 || BLEEDING-EDGE Malware YourSiteBar Data Submision || url,www.ysbweb.com[
/url]
...]www.ysbweb.com
2001700 || BLEEDING-EDGE Malware Windupdates.com Spyware Install
2001701 || BLEEDING-EDGE Malware Windupdates.com Spyware Loggin Data
2001702 || BLEEDING-EDGE Malware Shop at Home Select Spyware Activity
2001703 || BLEEDING-EDGE Malware Context Plus Spyware Activity
2001704 || BLEEDING-EDGE Malware Context Plus Spyware Install
2001705 || BLEEDING-EDGE Malware Flingstone Spyware Install
2001706 || BLEEDING-EDGE Malware Context Plus Spyware Activity
2001707 || BLEEDING-EDGE Malware Shop at Home Select Spyware Activity
2001708 || BLEEDING-EDGE Malware Shop at Home Select Spyware Heartbeat
2001709 || BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download
2001710 || BLEEDING-EDGE Malware Flingstone Spyware Install
2001711 || BLEEDING-EDGE Malware Likely Spambot Web-based Control Traffic
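Review bot: Several new sid-msg.map entries map different sids to identical messages — 2001705 and 2001710 are both "Flingstone Spyware Install", 2001703/2001706 both "Context Plus Spyware Activity", 2001702/2001707 both "Shop at Home Select Spyware Activity" — so an analyst on a console that shows msg only cannot tell which signature fired, and any dedup keyed on msg will merge distinct detections. Give each rule a distinguishing msg (for example `Flingstone Spyware Install (loader download)`) or retire the duplicates. The 2001699 line appears to have been mangled in transit (the `[/url]` fragment between 2001698 and 2001700, presumably from a forum-rendered copy of this report), so the map should be checked against the rules file rather than this listing. "Submision" and "Loggin" in 2001698/2001701 are typos the rules themselves carry.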
-> Added to bleeding-virus.rules (1):
#added by Mark Scott 01/27/2005 - Bagle.AY, .BJ - Updated 1/31/2005
-> Added to bleeding-web.rules (1):
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exp
loit phpBB Highlighting Code Execution Attempt"; flow:to_server,established;
uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.system("; no
case; reference:url
,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; classtype:web-application-
attack; id:2001457; rev:8;)
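Review bot: Sid 2001457, the phpBB `highlight='.system(` code-execution signature, was dropped from the active set by this update and its replacement here carries `id:2001457` instead of `sid:2001457` — that typo is why Oinkmaster reports it as a non-rule line. `id` is Snort's IP-ID test, so the line either fails to load or becomes a sid-less rule that never matches; either way the `system(` variant is no longer detected while the `fwrite(fopen(` (2001604) and `%2527%252Esystem(` (2001605) siblings still are. Change the tail to `classtype:web-application-attack; sid:2001457; rev:8;)`.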
[---] Removed non-rule lines: [---]
-> Removed from bleeding-inappropriate.rules (1):
#Info for these sigs from Gary Kalbfleisch
-> Removed from bleeding-sid-msg.map (8):
2001457 || BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt || url,
www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
2001512 || BLEEDING-EDGE Malware pool.Westpop.com Spyware Install
2001527 || BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware
2001540 || BLEEDING-EDGE Malware Searchmiracle.com Spyware Install || url,www.sear
chmiracle.com
2001691 || BLEEDING-EDGE Virus Bagle.AY worm [.com extension] - OUTBOUND
|| url,secunia.com/virus_information/14902/
2001692 || BLEEDING-EDGE Virus Bagle.AY worm [.com extension] - inbound
|| url,secunia.com/virus_information/14902/
2001693 || BLEEDING-EDGE Virus Bagle.AY worm [.cpl extension] - OUTBOUND
|| url,secunia.com/virus_information/14902/
2001694 || BLEEDING-EDGE Virus Bagle.AY worm [.cpl extension] - inbound
|| url,secunia.com/virus_information/14902/
-> Removed from bleeding-virus.rules (1):
#added by Mark Scott 01/27/2005 - Bagle.AY
[*] Added files: [*]
None.