#
# $Id: emerging-attack_response.rules $
#
# Emerging Threats attack response rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
#  Copyright (c) 2003-2010, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#by Jaime Blasco
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"HTTP/1."; depth:7; content:" 401"; within:5; threshold: type both, count 1, seconds 300, track by_dst; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized; sid:2009345; rev:5;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack"; flow:from_server,established; content:"HTTP/1."; depth:7; content:" 401"; within:5; threshold:type both, track by_dst, count 30, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized; sid:2009346; rev:5;)

#by David Wharton
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Request"; flow:established,from_server; content:"Thanks Snailsor,FuYu,BloodSword"; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2009146; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_ASPXSpy; sid:2009146; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Related Activity"; flow:established,from_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2009147; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_ASPXSpy; sid:2009147; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Upload Attempt"; flow:established,to_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2009149; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_ASPXSpy; sid:2009149; rev:2;)

#by Jaime Blasco
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Read Request"; content:"|00 01 74 63 6C 73 68 2E 74 63 6C|"; classtype:bad-unknown; reference:url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009244; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Cisco_TCL_Shell; sid:2009244; rev:2;)
alert udp $EXTERNAL_NET 69 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Download"; content:"|54 63 6C 53 68 65 6C 6C|"; classtype:bad-unknown; reference:url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009245; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Cisco_TCL_Shell; sid:2009245; rev:2;)

#by Jaime Blasco
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009246; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009246; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009285; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009285; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009247; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009247; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009284; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009284; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009248; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009248; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009283; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009283; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009249; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009249; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009282; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009282; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009250; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009250; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009281; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009281; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009251; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009251; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009280; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009280; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009252; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009252; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009279; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009279; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009253; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009253; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009278; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009278; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009254; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009254; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009277; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009277; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009255; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009276; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009256; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009256; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009275; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009257; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009257; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009274; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009274; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009258; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009258; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009273; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009273; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009259; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009259; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009272; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009272; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009260; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009260; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009271; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009271; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009261; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009261; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009270; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009262; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009269; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009269; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009263; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009263; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009268; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009268; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009264; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009264; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009267; rev:2;)
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009265; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009265; rev:3;)
alert udp any any -> any any (msg:"ET ATTACK_RESPONSE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009266; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET ATTACK RESPONSE FTP CWD to windows system32 - Suspicious"; flow:established,to_server; content:"CWD C\:\\WINDOWS\\system32\\"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008556; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_FTP; sid:2008556; rev:4;)

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access COM1"; flow: established; content:"/COM1/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000499; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid: 2000499; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access COM2"; flow: established; content:"/COM2/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid: 2000500; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access COM3"; flow: established; content:"/COM3/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid: 2000501; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access COM4"; flow: established; content:"/COM4/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000502; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid: 2000502; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access LPT1"; flow: established; content:"/LPT1/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid: 2000503; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access LPT2"; flow: established; content:"/LPT2/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid: 2000504; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access LPT3"; flow: established; content:"/LPT3/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000505; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid: 2000505; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access LPT4"; flow: established; content:"/LPT4/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000506; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid: 2000506; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access AUX"; flow: established; content:"/AUX/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid: 2000507; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access NULL"; flow: established; content:"/NULL/"; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid: 2000508; rev:7; )

#by Matt Jonkman
# seeing some worms/trojans use an ftp server with all banners stripped out
# on off ports to download payload after the initial compromise.
# Just stats codes, no welcome, etc. Very unique
# something like:
#220
#USER a
#331
#PASS a
#230
#TYPE I
#200
#PORT 10,2,32,214,4,9
#200
#RETR msnnmaneger.exe
#150
#226
#QUIT
#221

#removing a few to simplify
alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK RESPONSE Off-Port FTP Without Banners - user"; flow:established,from_server; dsize:>7; content:"USER "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:noalert; flowbits:set,ET.strippedftpuser; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007715; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP; sid:2007715; rev:5;)
alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK RESPONSE Off-Port FTP Without Banners - pass"; flowbits:isset,ET.strippedftpuser; flow:established,from_server; dsize:>7; content:"PASS "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftppass; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007717; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP; sid:2007717; rev:6;)
alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK RESPONSE Off-Port FTP Without Banners - retr"; flowbits:isset,ET.strippedftppass; flow:established,from_server; dsize:>7; content:"RETR "; depth:5; offset:0; tag:session,300,seconds; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007723; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP; sid:2007723; rev:7;)


#matt jonkman, info from qru
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.|0d 0a|#|0d 0a|# This file contains the mappings of IP addresses to host names."; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_LMHosts_Download; sid:2008559; rev:3;)

#Matt Jonkman, information from Stephen Gill at Cymru
alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd)"; flow:established,from_server; content:"220 StnyFtpd 0wns j0"; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002809; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2002809; rev:4;)
alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile)"; flow:established,from_server; content:"220 Reptile welcomes you"; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002810; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2002810; rev:4;)
alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server)"; flow:established,from_server; content:"220 Bot Server (Win32)"; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002811; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2002811; rev:4;)
alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2003464; rev:3;)
alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd)"; flow:established,from_server; content:"220 "; content:"--freeFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.freeftp.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003465; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2003465; rev:3;)

#Matt Jonkman, off port ftp banners
alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)"; flow:established,from_server; dsize:<18; content:"220 WinFtpd"; depth:11; offset:0; nocase; classtype:trojan-activity; tag:session,300,seconds; reference:url,doc.emergingthreats.net/bin/view/Main/2007725; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2007725; rev:4;)
alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; tag:session,300,seconds; reference:url,doc.emergingthreats.net/bin/view/Main/2007726; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2007726; rev:4;)

#by Jaime Blasco
alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner (fuckFtpd)"; flow:established,from_server; dsize:<18; content:"220 fuckFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009210; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2009210; rev:2;)
alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner (NzmxFtpd)"; flow:established,from_server; dsize:<18; content:"220 NzmxFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009211; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2009211; rev:2;)

#by josh smith
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Matahari client"; flow:to_server,established; content:"Accept|2d|Encoding|3a 20|identity|0d 0a|"; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/iR"; content:"Next|2d|Polling"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010795; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Matahari; sid:2010795; rev:4;)

#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Download Detected"; flow:to_client,established; content:"stdapi_fs_stat"; depth:54; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009558; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009558; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process List (ps) Command Detected"; flow:to_client,established; content:"stdapi_sys_process_get_processes"; depth:65; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009559; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Getuid Command Detected"; flow:to_client,established; content:"stdapi_sys_config_getuid"; depth:65; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009560; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009560; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process Migration Detected"; flow:to_client,established; content:"core_migrate"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009561; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009561; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter ipconfig Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_interfaces"; depth:65; threshold: type threshold, track by_src, count 2, seconds 4; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009562; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009562; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Sysinfo Command Detected"; flow:to_client,established; content:"stdapi_sys_config_sysinfo"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009563; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009563; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Route Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_route"; depth:62; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009564; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009564; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Kill Process Command Detected"; flow:to_client,established; content:"stdapi_sys_process_kill"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009565; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009565; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Print Working Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_getwd"; depth:55; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009566; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009566; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter View Current Process ID Command Detected"; flow:to_client,established; content:"stdapi_sys_process_getpid"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009567; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Execute Command Detected"; flow:to_client,established; content:"stdapi_sys_process_execute"; depth:62; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009568; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009568; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Reboot/Shutdown Detected"; flow:to_client,established; content:"stdapi_sys_power_exitwindows"; depth:62; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009569; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009569; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Get Idle Time Command Detected"; flow:to_client,established; content:"stdapi_ui_get_idle_time"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009570; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Make Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_mkdir"; depth:55; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009571; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009571; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Remove Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_delete_dir"; depth:57; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009572; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009572; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Change Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_chdir"; depth:57; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009573; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009573; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter List (ls) Command Detected"; flow:to_client,established; content:"stdapi_fs_ls"; depth:52; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009574; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009574; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter rev2self Command Detected"; flow:to_client,established; content:"stdapi_sys_config_rev2self"; depth:52; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009575; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Keyboard Detected"; flow:to_client,established; content:"stdapi_ui_enable_keyboard"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009576; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Mouse Detected"; flow:to_client,established; content:"stdapi_ui_enable_mouse"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009577; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File/Memory Interaction Detected"; flow:to_client,established; content:"stdapi_fs_file_expand_path"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009578; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009578; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Registry Interation Detected"; flow:to_client,established; content:"stdapi_registry_create_key"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009579; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009579; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Upload Detected"; flow:to_client,established; content:"core_channel_write"; depth:50;classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009580; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Channel Interaction Detected, Likely Interaction With Executable"; flow:to_client,established; content:"core_channel_interact"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009651; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009651; rev:3;)


#by shirkdog
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"metsrv.dll|00|MZ"; depth:13; content:"!This program cannot be run in DOS mode."; distance:75; within:40; classtype:successful-admin; reference:url,doc.emergingthreats.net/2009581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009581; rev:3;)

#by Varga-Perke Balint
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"|40 00 41 00 42 0043 00 44 00 6d 65 74 73 72 76 2e 64 6c 6c 00 49 6e 69 74 00 5f 52 65 66 6c 65 63 74 69 76 65 4c 6f 61|"; classtype:successful-admin; reference:url,doc.emergingthreats.net/2010454; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2010454; rev:3;)

#Submitted by Joel Esler
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2000345; rev:7;)
alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg: "ET ATTACK RESPONSE IRC - Name response on non-std port"; flow: to_client,established; dsize: <128; content:"|3a|"; offset: 0; depth: 1; content:" 302 "; content:"=+"; content:"@"; tag: session,300,seconds; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2000346; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - Private message on non-std port"; flow: to_server,established; dsize: <128; content:"PRIVMSG "; nocase; offset: 0; depth: 8; tag: session,300,seconds; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000347; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2000347; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - Channel JOIN on non-std port"; flow: to_server,established; dsize: <64; content:"JOIN "; nocase; offset: 0; depth: 5; tag: session,300,seconds; pcre:"/&|#|\+|!/R"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2000348; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port"; flow: to_server,established; content:"PRIVMSG "; nocase; offset: 0; depth: 8; content:" |3a|.DCC SEND"; nocase; tag: session,300,seconds; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000349; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2000349; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - DCC chat request on non-std port"; flow: to_server,established; content:"PRIVMSG "; nocase; offset: 0; depth: 8; content:" |3a|.DCC CHAT chat"; nocase; tag: session,300,seconds; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000350; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2000350; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - channel join on non-std port"; flow: to_server,established; content:"JOIN |3a| #"; nocase; offset: 0; depth: 8; tag: session,300,seconds; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000351; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2000351; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - dns request on non-std port"; flow: to_server,established; content:"USERHOST "; nocase; offset: 0; depth: 9; tag: session,300,seconds; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000352; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2000352; rev:7;)
#Erik Fichtner
alert tcp $HOME_NET any -> any 6667 (msg: "ET ATTACK RESPONSE Likely Botnet Activity"; flowbits:isset,is_proto_irc; flow:to_server,established; content:"PRIVMSG"; nocase; tag: session,50,packets; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? aberta)/i"; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001620; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2001620; rev:6;)

#By Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE Outbound PHP Connection"; flow: established,to_server; content:"From\: anon@anon.com"; nocase; offset: 0; depth: 19; content:"User-Agent\: PHP"; nocase; classtype: web-application-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001628; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Outbound_PHP_Fopen; sid: 2001628; rev:6;)

#by Cees Elzinga
#note: most effective with a deep flow depth, or 0
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003535; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/*  (c)oded by 1dt.w0lf"; content:"/*  RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003536; rev:7;)

#by Ryan Macdonald of R-fx networks (www.rfxn.com)
#those commented out are more prone to false positives. They'll be more reliable in a web-only environment
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007651; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007651; rev:4;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE c99shell phpshell detected"; flow:established,from_server; content:"c99shell"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007652; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007652; rev:4;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE RFI Scanner detected"; flow:established,from_server; content:"RFI Scanner"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007653; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007653; rev:4;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE C99 Modified phpshell detected"; flow:established,from_server; content:"C99 Modified"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007654; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007654; rev:4;)
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE lila.jpg phpshell detected"; flow:established,from_server; content:"CMD PHP"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007655; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007655; rev:4;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE ALBANIA id.php detected"; flow:established,from_server; content:"UNITED ALBANIANS aka ALBOSS PARADISE"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007656; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007656; rev:4;)
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:4;)

#by Adam Ellison
# Detects the old style weak and crackable windows auth in use. By default this should not be in
# active use, but can be forced by hostile parties by a number of methods
alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected"; flow:from_server; content:"|ff 53 4d 42|"; content:"|00 11 22 33 44 55 66 77 88|"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006417; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Short_Lanman_Auth_Challenge; sid:2006417; rev:7;)

#for a windows cmd shell opened on a local box
alert tcp $HOME_NET any -> any any (msg:"ET ATTACK RESPONSE Possible MS CMD Shell opened on local system"; flow:established; dsize:<110; content:"Microsoft Windows "; depth:20; content:"Copyright 1985-20"; distance:0; content:"Microsoft Corp"; distance:0; content:"|0a 0a|C|3a 5c|WINDOWS|5c|"; distance:0; classtype:successful-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Windows_Shell; sid:2008953; rev:7;)

#by Kevin Ross
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible Ipconfig Information Detected in HTTP Response"; flow:from_server,established; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; distance:8; within:40; classtype:successful-recon-limited; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Windows_Shell; sid:2009675; rev:3;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ipconfig Response Detected"; flow:from_server,established; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; offset:35; distance:8; depth:55; classtype:successful-recon-limited; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009676; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Windows_Shell; sid:2009676; rev:3;)

#By Erik Fichtner
alert tcp $HOME_NET any -> 213.219.122.11/32 $HTTP_PORTS (msg: "ET ATTACK RESPONSE Zone-H.org defacement notification"; flow: established,to_server; content:"notify_"; nocase; pcre:"/notify_(defacer|domain|hackmode|reason)=/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001616; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Zone-h_Defacement; sid: 2001616; rev:8;)

#by Matt Jonkman
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: "ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd; sid: 2002034; rev:7;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: "ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd; sid: 2003071; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003149; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd; sid: 2003149; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style)"; flow:established,from_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003150; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd; sid: 2003150; rev:3;)