#
# Emerging Threats Botnet Command and Control drop rules. 
#
# These are generated from the EXCELLENT work done by the Shadowserver team and
# the CZ Honeynet project.
#
#  http://www.shadowserver.org
#  http://www.honeynet.cz
#
#
# SID's are 2410000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
#  Copyright (c) 2003-2010, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
alert tcp $HOME_NET any -> [109.169.18.23,109.174.60.6,109.74.195.116,109.74.196.127,109.74.205.10,110.44.26.158,112.121.181.107,115.165.178.40,115.84.182.180,118.129.166.50,118.42.105.155,119.110.82.239,12.31.165.81,12.31.165.82,122.183.243.42,122.183.243.46,124.158.128.129,124.217.249.73,124.217.254.198,124.40.3.92,125.160.17.71,125.160.17.72,128.121.20.113,128.194.112.48,128.237.157.136,128.241.54.188,128.39.2.28,130.237.188.200,130.237.188.216,130.239.18.157,130.240.22.201,137.194.15.141,139.175.160.252,139.91.102.101,140.211.166.64,141.213.238.252,145.89.150.59,145.97.193.206,147.127.160.120,147.32.127.200,149.9.1.16,157.159.40.167,158.38.8.251,163.178.205.7,163.19.14.2,173.203.213.197,173.203.226.224,173.204.56.229,173.208.34.249,173.208.34.253,173.208.34.9,173.212.192.139,173.212.192.164,173.212.192.167,173.212.197.70,173.224.209.153,173.45.244.47,174.120.175.68,174.120.220.201,174.121.0.81] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405000; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [109.169.18.23,109.174.60.6,109.74.195.116,109.74.196.127,109.74.205.10,110.44.26.158,112.121.181.107,115.165.178.40,115.84.182.180,118.129.166.50,118.42.105.155,119.110.82.239,12.31.165.81,12.31.165.82,122.183.243.42,122.183.243.46,124.158.128.129,124.217.249.73,124.217.254.198,124.40.3.92,125.160.17.71,125.160.17.72,128.121.20.113,128.194.112.48,128.237.157.136,128.241.54.188,128.39.2.28,130.237.188.200,130.237.188.216,130.239.18.157,130.240.22.201,137.194.15.141,139.175.160.252,139.91.102.101,140.211.166.64,141.213.238.252,145.89.150.59,145.97.193.206,147.127.160.120,147.32.127.200,149.9.1.16,157.159.40.167,158.38.8.251,163.178.205.7,163.19.14.2,173.203.213.197,173.203.226.224,173.204.56.229,173.208.34.249,173.208.34.253,173.208.34.9,173.212.192.139,173.212.192.164,173.212.192.167,173.212.197.70,173.224.209.153,173.45.244.47,174.120.175.68,174.120.220.201,174.121.0.81] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 1) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405001; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [174.123.126.150,174.123.126.153,174.129.231.136,174.133.173.90,174.133.57.54,174.133.63.91,174.137.55.10,174.139.16.131,174.139.16.132,174.143.153.165,174.143.170.208,174.143.208.107,174.143.215.13,174.34.173.51,174.34.174.106,174.34.174.204,174.34.187.36,174.34.187.37,174.34.187.44,174.34.187.46,174.36.194.109,180.150.248.129,184.73.241.230,187.45.225.204,188.165.164.16,188.165.19.147,188.165.33.83,188.20.193.78,188.241.114.100,188.241.114.53,188.40.203.40,188.40.22.173,188.48.217.93,188.65.49.11,188.72.200.26,188.72.200.28,188.72.200.58,188.72.203.204,188.72.203.210,188.72.203.211,188.72.203.212,188.72.203.217,188.72.203.218,188.72.203.219,188.72.203.231,188.72.205.52,188.72.212.42,188.72.216.146,188.72.216.99,188.72.226.31,189.19.68.201,190.120.228.216,190.120.230.28,190.120.238.90,190.144.142.230,190.3.183.13,190.5.6.196,192.116.231.44,192.188.242.12,192.219.30.200] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 2) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405002; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [174.123.126.150,174.123.126.153,174.129.231.136,174.133.173.90,174.133.57.54,174.133.63.91,174.137.55.10,174.139.16.131,174.139.16.132,174.143.153.165,174.143.170.208,174.143.208.107,174.143.215.13,174.34.173.51,174.34.174.106,174.34.174.204,174.34.187.36,174.34.187.37,174.34.187.44,174.34.187.46,174.36.194.109,180.150.248.129,184.73.241.230,187.45.225.204,188.165.164.16,188.165.19.147,188.165.33.83,188.20.193.78,188.241.114.100,188.241.114.53,188.40.203.40,188.40.22.173,188.48.217.93,188.65.49.11,188.72.200.26,188.72.200.28,188.72.200.58,188.72.203.204,188.72.203.210,188.72.203.211,188.72.203.212,188.72.203.217,188.72.203.218,188.72.203.219,188.72.203.231,188.72.205.52,188.72.212.42,188.72.216.146,188.72.216.99,188.72.226.31,189.19.68.201,190.120.228.216,190.120.230.28,190.120.238.90,190.144.142.230,190.3.183.13,190.5.6.196,192.116.231.44,192.188.242.12,192.219.30.200] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 2) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405003; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [193.104.35.224,193.108.43.213,193.109.122.77,193.120.201.111,193.136.119.33,193.136.216.101,193.138.229.18,193.163.220.3,193.188.71.66,193.19.210.1,193.200.193.4,193.218.154.34,193.27.229.245,193.33.179.4,193.33.186.129,193.37.152.18,193.37.152.19,193.68.150.140,193.71.199.6,193.85.232.219,193.88.14.99,194.106.15.145,194.109.129.220,194.109.129.222,194.109.20.90,194.109.206.106,194.109.206.107,194.109.64.131,194.117.246.5,194.124.229.58,194.124.229.59,194.126.217.2,194.135.22.24,194.14.236.50,194.146.132.68,194.149.73.154,194.149.73.161,194.149.73.55,194.149.73.80,194.199.165.9,194.204.14.151,194.247.192.44,194.68.45.50,194.9.28.201,195.13.58.57,195.137.213.67,195.140.202.142,195.144.12.5,195.149.74.67,195.169.138.124,195.178.184.75,195.188.16.5,195.19.225.237,195.2.117.33,195.20.204.114,195.222.70.238,195.225.204.134,195.225.204.21,195.225.204.22,195.225.204.227] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 3) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405004; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [193.104.35.224,193.108.43.213,193.109.122.77,193.120.201.111,193.136.119.33,193.136.216.101,193.138.229.18,193.163.220.3,193.188.71.66,193.19.210.1,193.200.193.4,193.218.154.34,193.27.229.245,193.33.179.4,193.33.186.129,193.37.152.18,193.37.152.19,193.68.150.140,193.71.199.6,193.85.232.219,193.88.14.99,194.106.15.145,194.109.129.220,194.109.129.222,194.109.20.90,194.109.206.106,194.109.206.107,194.109.64.131,194.117.246.5,194.124.229.58,194.124.229.59,194.126.217.2,194.135.22.24,194.14.236.50,194.146.132.68,194.149.73.154,194.149.73.161,194.149.73.55,194.149.73.80,194.199.165.9,194.204.14.151,194.247.192.44,194.68.45.50,194.9.28.201,195.13.58.57,195.137.213.67,195.140.202.142,195.144.12.5,195.149.74.67,195.169.138.124,195.178.184.75,195.188.16.5,195.19.225.237,195.2.117.33,195.20.204.114,195.222.70.238,195.225.204.134,195.225.204.21,195.225.204.22,195.225.204.227] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 3) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405005; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [195.23.131.68,195.244.8.140,195.244.8.141,195.244.8.142,195.244.8.143,195.244.8.144,195.244.8.145,195.244.8.146,195.244.8.147,195.244.8.148,195.244.8.149,195.244.8.150,195.244.8.151,195.244.8.152,195.244.8.153,195.244.8.154,195.244.8.155,195.244.8.156,195.244.8.158,195.244.8.160,195.244.8.161,195.244.8.162,195.244.8.163,195.244.8.164,195.244.8.165,195.244.8.166,195.244.8.167,195.244.8.168,195.244.8.169,195.244.8.170,195.244.8.171,195.244.8.172,195.244.8.173,195.244.8.174,195.244.8.175,195.244.8.176,195.244.8.177,195.244.8.178,195.244.8.179,195.244.8.180,195.244.8.181,195.244.8.182,195.244.8.183,195.244.8.184,195.244.8.185,195.244.8.186,195.244.8.191,195.244.9.20,195.251.235.111,195.28.165.168,195.28.165.201,195.43.138.206,195.5.110.32,195.50.191.12,195.50.191.14,195.54.159.109,195.54.16.65,195.68.206.250,195.70.51.164,195.8.251.35] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 4) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405006; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [195.23.131.68,195.244.8.140,195.244.8.141,195.244.8.142,195.244.8.143,195.244.8.144,195.244.8.145,195.244.8.146,195.244.8.147,195.244.8.148,195.244.8.149,195.244.8.150,195.244.8.151,195.244.8.152,195.244.8.153,195.244.8.154,195.244.8.155,195.244.8.156,195.244.8.158,195.244.8.160,195.244.8.161,195.244.8.162,195.244.8.163,195.244.8.164,195.244.8.165,195.244.8.166,195.244.8.167,195.244.8.168,195.244.8.169,195.244.8.170,195.244.8.171,195.244.8.172,195.244.8.173,195.244.8.174,195.244.8.175,195.244.8.176,195.244.8.177,195.244.8.178,195.244.8.179,195.244.8.180,195.244.8.181,195.244.8.182,195.244.8.183,195.244.8.184,195.244.8.185,195.244.8.186,195.244.8.191,195.244.9.20,195.251.235.111,195.28.165.168,195.28.165.201,195.43.138.206,195.5.110.32,195.50.191.12,195.50.191.14,195.54.159.109,195.54.16.65,195.68.206.250,195.70.51.164,195.8.251.35] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 4) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405007; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [195.85.200.10,195.85.200.11,195.85.200.12,195.85.200.13,195.85.200.14,195.85.200.15,195.85.200.16,195.88.242.3,195.93.153.31,195.93.153.39,195.93.153.46,196.2.17.10,196.21.193.11,196.44.3.56,198.252.144.2,198.252.195.2,198.3.160.3,199.71.212.153,199.71.213.173,200.174.131.226,200.175.44.161,200.198.144.35,200.23.149.144,200.29.0.66,200.30.73.220,200.35.147.227,200.35.150.156,200.38.236.3,200.42.96.36,200.45.0.67,200.49.145.197,200.73.6.154,200.83.0.116,200.85.60.190,200.95.144.26,201.116.64.5,201.218.128.67,201.238.195.158,202.155.205.27,202.158.3.23,202.169.224.12,202.216.136.130,202.222.18.88,202.229.187.118,202.64.21.28,202.65.113.227,202.67.15.173,202.68.188.30,202.91.34.9,202.91.37.40,203.113.137.164,203.116.63.82,203.116.63.89,203.142.24.180,203.146.127.52,203.150.2.225,203.171.240.78,203.26.195.6,203.94.228.49,204.124.183.85] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 5) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405008; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [195.85.200.10,195.85.200.11,195.85.200.12,195.85.200.13,195.85.200.14,195.85.200.15,195.85.200.16,195.88.242.3,195.93.153.31,195.93.153.39,195.93.153.46,196.2.17.10,196.21.193.11,196.44.3.56,198.252.144.2,198.252.195.2,198.3.160.3,199.71.212.153,199.71.213.173,200.174.131.226,200.175.44.161,200.198.144.35,200.23.149.144,200.29.0.66,200.30.73.220,200.35.147.227,200.35.150.156,200.38.236.3,200.42.96.36,200.45.0.67,200.49.145.197,200.73.6.154,200.83.0.116,200.85.60.190,200.95.144.26,201.116.64.5,201.218.128.67,201.238.195.158,202.155.205.27,202.158.3.23,202.169.224.12,202.216.136.130,202.222.18.88,202.229.187.118,202.64.21.28,202.65.113.227,202.67.15.173,202.68.188.30,202.91.34.9,202.91.37.40,203.113.137.164,203.116.63.82,203.116.63.89,203.142.24.180,203.146.127.52,203.150.2.225,203.171.240.78,203.26.195.6,203.94.228.49,204.124.183.85] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 5) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405009; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [204.152.222.95,204.16.200.180,204.188.201.150,204.45.13.154,204.45.60.36,204.74.211.92,204.74.215.250,204.8.223.157,204.8.34.130,205.134.185.250,205.188.234.121,205.210.145.2,205.210.145.3,205.234.138.152,205.234.222.37,205.234.236.8,206.12.19.242,206.124.14.169,206.125.175.82,206.126.142.60,206.212.249.20,206.217.199.3,206.217.203.217,206.40.205.124,206.41.116.100,206.41.117.22,206.41.117.23,206.41.117.68,206.41.117.9,206.53.60.129,206.53.60.50,206.53.60.70,206.59.139.195,207.114.175.51,207.126.115.205,207.126.115.219,207.145.6.5,207.182.240.68,207.192.72.43,207.192.72.99,207.210.208.16,207.218.230.154,207.44.138.203,207.44.152.199,207.44.180.227,207.44.212.40,207.45.69.69,208.100.11.120,208.100.20.83,208.100.20.90,208.100.23.100,208.111.34.13,208.111.39.43,208.115.36.180,208.124.255.30,208.146.35.105,208.167.236.6,208.167.237.120,208.185.80.72,208.185.80.73] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 6) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405010; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [204.152.222.95,204.16.200.180,204.188.201.150,204.45.13.154,204.45.60.36,204.74.211.92,204.74.215.250,204.8.223.157,204.8.34.130,205.134.185.250,205.188.234.121,205.210.145.2,205.210.145.3,205.234.138.152,205.234.222.37,205.234.236.8,206.12.19.242,206.124.14.169,206.125.175.82,206.126.142.60,206.212.249.20,206.217.199.3,206.217.203.217,206.40.205.124,206.41.116.100,206.41.117.22,206.41.117.23,206.41.117.68,206.41.117.9,206.53.60.129,206.53.60.50,206.53.60.70,206.59.139.195,207.114.175.51,207.126.115.205,207.126.115.219,207.145.6.5,207.182.240.68,207.192.72.43,207.192.72.99,207.210.208.16,207.218.230.154,207.44.138.203,207.44.152.199,207.44.180.227,207.44.212.40,207.45.69.69,208.100.11.120,208.100.20.83,208.100.20.90,208.100.23.100,208.111.34.13,208.111.39.43,208.115.36.180,208.124.255.30,208.146.35.105,208.167.236.6,208.167.237.120,208.185.80.72,208.185.80.73] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 6) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405011; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [208.185.80.74,208.185.80.85,208.185.80.87,208.185.81.205,208.185.81.207,208.185.92.26,208.185.92.31,208.27.69.193,208.49.56.226,208.51.40.10,208.51.40.12,208.51.40.13,208.51.40.14,208.51.40.2,208.53.163.194,208.53.169.245,208.53.172.67,208.53.175.90,208.53.175.92,208.53.181.134,208.53.181.161,208.53.181.82,208.53.181.86,208.53.183.106,208.64.121.45,208.67.249.244,208.68.18.181,208.68.94.12,208.68.94.62,208.72.157.63,208.77.191.41,208.78.96.118,208.78.98.214,208.82.117.117,208.83.221.58,208.98.11.131,208.98.11.132,208.98.11.133,208.98.11.134,208.98.11.135,208.98.11.136,208.98.11.137,208.98.11.138,208.98.11.139,208.98.11.140,208.98.11.141,208.98.11.144,208.98.11.148,208.98.11.150,208.98.22.100,208.98.22.202,208.98.22.243,208.98.22.97,208.98.26.140,208.98.28.203,208.98.28.208,208.98.28.209,208.98.3.12,208.98.3.15,208.98.30.250] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 7) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405012; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [208.185.80.74,208.185.80.85,208.185.80.87,208.185.81.205,208.185.81.207,208.185.92.26,208.185.92.31,208.27.69.193,208.49.56.226,208.51.40.10,208.51.40.12,208.51.40.13,208.51.40.14,208.51.40.2,208.53.163.194,208.53.169.245,208.53.172.67,208.53.175.90,208.53.175.92,208.53.181.134,208.53.181.161,208.53.181.82,208.53.181.86,208.53.183.106,208.64.121.45,208.67.249.244,208.68.18.181,208.68.94.12,208.68.94.62,208.72.157.63,208.77.191.41,208.78.96.118,208.78.98.214,208.82.117.117,208.83.221.58,208.98.11.131,208.98.11.132,208.98.11.133,208.98.11.134,208.98.11.135,208.98.11.136,208.98.11.137,208.98.11.138,208.98.11.139,208.98.11.140,208.98.11.141,208.98.11.144,208.98.11.148,208.98.11.150,208.98.22.100,208.98.22.202,208.98.22.243,208.98.22.97,208.98.26.140,208.98.28.203,208.98.28.208,208.98.28.209,208.98.3.12,208.98.3.15,208.98.30.250] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 7) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405013; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [208.98.31.223,208.98.34.138,208.98.34.139,208.98.34.149,208.98.34.153,208.98.36.235,208.98.36.237,208.98.37.199,208.98.37.200,208.98.42.67,208.98.42.81,208.98.49.44,208.98.51.10,208.98.52.199,208.98.58.131,208.98.58.134,208.98.61.29,208.98.61.38,208.98.61.40,208.98.61.44,208.98.61.78,208.98.62.222,208.98.62.245,208.98.9.208,208.99.193.130,208.99.193.134,208.99.199.218,208.99.89.224,208.99.89.231,209.104.195.111,209.11.244.82,209.133.11.157,209.133.11.179,209.133.11.184,209.133.11.197,209.133.11.209,209.133.11.212,209.133.8.83,209.133.8.84,209.133.8.97,209.133.9.43,209.133.9.56,209.133.9.76,209.144.21.66,209.160.20.95,209.17.191.222,209.20.75.209,209.20.76.155,209.234.102.231,209.249.249.126,209.251.184.237,209.40.205.189,209.9.228.99,210.123.250.168,210.127.253.90,210.135.96.98,210.162.89.245,210.166.210.73,210.166.211.4,210.166.220.197] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 8) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405014; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [208.98.31.223,208.98.34.138,208.98.34.139,208.98.34.149,208.98.34.153,208.98.36.235,208.98.36.237,208.98.37.199,208.98.37.200,208.98.42.67,208.98.42.81,208.98.49.44,208.98.51.10,208.98.52.199,208.98.58.131,208.98.58.134,208.98.61.29,208.98.61.38,208.98.61.40,208.98.61.44,208.98.61.78,208.98.62.222,208.98.62.245,208.98.9.208,208.99.193.130,208.99.193.134,208.99.199.218,208.99.89.224,208.99.89.231,209.104.195.111,209.11.244.82,209.133.11.157,209.133.11.179,209.133.11.184,209.133.11.197,209.133.11.209,209.133.11.212,209.133.8.83,209.133.8.84,209.133.8.97,209.133.9.43,209.133.9.56,209.133.9.76,209.144.21.66,209.160.20.95,209.17.191.222,209.20.75.209,209.20.76.155,209.234.102.231,209.249.249.126,209.251.184.237,209.40.205.189,209.9.228.99,210.123.250.168,210.127.253.90,210.135.96.98,210.162.89.245,210.166.210.73,210.166.211.4,210.166.220.197] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 8) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405015; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [210.166.220.222,210.166.223.51,210.18.59.30,210.196.166.233,210.212.214.48,210.221.154.111,210.224.190.7,211.108.60.156,211.215.19.248,212.0.147.123,212.100.132.202,212.101.125.10,212.101.125.11,212.101.125.12,212.101.125.4,212.101.125.5,212.101.125.6,212.101.125.7,212.101.125.8,212.101.125.9,212.110.128.80,212.117.162.68,212.117.163.190,212.117.164.63,212.117.179.188,212.13.194.124,212.146.145.91,212.150.184.227,212.150.184.228,212.175.122.118,212.181.140.107,212.182.63.110,212.24.104.227,212.27.60.46,212.34.134.31,212.40.5.191,212.48.121.72,212.59.199.130,212.59.199.131,212.6.106.76,212.61.143.244,212.61.65.101,212.62.248.142,212.71.19.100,212.71.19.106,212.73.209.227,212.79.239.14,212.79.239.54,212.79.239.60,212.9.74.97,212.91.140.54,212.91.161.18,212.95.38.66,212.95.38.67,212.95.46.147,212.98.160.166,213.131.156.50,213.131.156.51,213.145.209.132,213.161.196.11] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 9) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405016; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [210.166.220.222,210.166.223.51,210.18.59.30,210.196.166.233,210.212.214.48,210.221.154.111,210.224.190.7,211.108.60.156,211.215.19.248,212.0.147.123,212.100.132.202,212.101.125.10,212.101.125.11,212.101.125.12,212.101.125.4,212.101.125.5,212.101.125.6,212.101.125.7,212.101.125.8,212.101.125.9,212.110.128.80,212.117.162.68,212.117.163.190,212.117.164.63,212.117.179.188,212.13.194.124,212.146.145.91,212.150.184.227,212.150.184.228,212.175.122.118,212.181.140.107,212.182.63.110,212.24.104.227,212.27.60.46,212.34.134.31,212.40.5.191,212.48.121.72,212.59.199.130,212.59.199.131,212.6.106.76,212.61.143.244,212.61.65.101,212.62.248.142,212.71.19.100,212.71.19.106,212.73.209.227,212.79.239.14,212.79.239.54,212.79.239.60,212.9.74.97,212.91.140.54,212.91.161.18,212.95.38.66,212.95.38.67,212.95.46.147,212.98.160.166,213.131.156.50,213.131.156.51,213.145.209.132,213.161.196.11] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 9) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405017; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [213.17.153.11,213.171.57.168,213.173.80.8,213.179.58.83,213.202.224.142,213.202.229.14,213.202.245.12,213.208.244.195,213.215.31.19,213.228.128.112,213.229.71.146,213.229.82.141,213.229.82.142,213.229.82.143,213.232.93.3,213.239.131.28,213.248.60.142,213.251.185.27,213.48.150.3,213.48.150.5,213.53.107.38,213.73.255.147,216.139.241.100,216.152.78.163,216.152.78.164,216.152.78.165,216.152.78.166,216.152.78.167,216.155.147.189,216.16.120.99,216.167.221.54,216.18.20.147,216.18.227.250,216.18.228.174,216.18.228.34,216.18.228.38,216.19.178.155,216.193.223.223,216.206.108.79,216.218.163.69,216.25.44.118,216.25.44.119,216.25.44.121,216.25.44.122,216.25.44.16,216.25.44.2,216.25.44.3,216.25.44.9,216.66.78.116,216.71.225.62,216.75.53.150,216.8.177.23,216.8.177.28,216.82.127.45,216.82.127.46,216.82.127.91,216.87.78.181,216.93.247.117,217.11.227.38,217.11.53.165] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 10) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405018; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [213.17.153.11,213.171.57.168,213.173.80.8,213.179.58.83,213.202.224.142,213.202.229.14,213.202.245.12,213.208.244.195,213.215.31.19,213.228.128.112,213.229.71.146,213.229.82.141,213.229.82.142,213.229.82.143,213.232.93.3,213.239.131.28,213.248.60.142,213.251.185.27,213.48.150.3,213.48.150.5,213.53.107.38,213.73.255.147,216.139.241.100,216.152.78.163,216.152.78.164,216.152.78.165,216.152.78.166,216.152.78.167,216.155.147.189,216.16.120.99,216.167.221.54,216.18.20.147,216.18.227.250,216.18.228.174,216.18.228.34,216.18.228.38,216.19.178.155,216.193.223.223,216.206.108.79,216.218.163.69,216.25.44.118,216.25.44.119,216.25.44.121,216.25.44.122,216.25.44.16,216.25.44.2,216.25.44.3,216.25.44.9,216.66.78.116,216.71.225.62,216.75.53.150,216.8.177.23,216.8.177.28,216.82.127.45,216.82.127.46,216.82.127.91,216.87.78.181,216.93.247.117,217.11.227.38,217.11.53.165] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 10) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405019; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [217.146.74.25,217.146.84.157,217.17.33.10,217.172.33.20,217.174.199.222,217.18.70.70,217.195.122.131,217.195.203.78,217.23.14.177,217.23.3.91,217.23.4.120,217.23.4.160,217.23.7.121,217.29.87.254,217.41.54.219,217.65.2.158,217.67.230.218,217.69.165.160,217.75.128.2,217.75.128.65,217.75.128.66,218.108.0.83,218.201.201.6,218.44.249.117,218.94.142.102,219.166.12.212,219.90.201.229,220.194.57.11,220.198.235.212,220.81.202.67,221.186.119.130,24.101.207.190,24.108.94.92,24.166.48.221,24.172.204.242,24.216.117.193,24.240.168.165,38.229.70.20,4.53.50.37,41.223.6.204,58.68.93.166,60.190.222.139,60.199.200.163,61.0.164.21,61.121.247.163,61.195.154.6,61.7.241.69,61.86.5.250,62.109.15.169,62.133.211.174,62.141.48.112,62.141.49.112,62.181.89.111,62.181.89.18,62.193.248.158,62.193.249.122,62.211.73.232,62.212.67.68,62.216.3.195,62.3.99.91] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 11) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405020; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [217.146.74.25,217.146.84.157,217.17.33.10,217.172.33.20,217.174.199.222,217.18.70.70,217.195.122.131,217.195.203.78,217.23.14.177,217.23.3.91,217.23.4.120,217.23.4.160,217.23.7.121,217.29.87.254,217.41.54.219,217.65.2.158,217.67.230.218,217.69.165.160,217.75.128.2,217.75.128.65,217.75.128.66,218.108.0.83,218.201.201.6,218.44.249.117,218.94.142.102,219.166.12.212,219.90.201.229,220.194.57.11,220.198.235.212,220.81.202.67,221.186.119.130,24.101.207.190,24.108.94.92,24.166.48.221,24.172.204.242,24.216.117.193,24.240.168.165,38.229.70.20,4.53.50.37,41.223.6.204,58.68.93.166,60.190.222.139,60.199.200.163,61.0.164.21,61.121.247.163,61.195.154.6,61.7.241.69,61.86.5.250,62.109.15.169,62.133.211.174,62.141.48.112,62.141.49.112,62.181.89.111,62.181.89.18,62.193.248.158,62.193.249.122,62.211.73.232,62.212.67.68,62.216.3.195,62.3.99.91] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 11) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405021; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [62.75.143.63,62.75.202.25,62.75.243.185,63.245.208.159,63.245.212.23,64.105.39.51,64.113.1.99,64.12.165.56,64.122.31.116,64.124.180.114,64.125.185.222,64.127.102.249,64.141.8.30,64.15.77.71,64.150.180.13,64.150.181.198,64.150.183.52,64.150.183.53,64.16.210.102,64.18.134.201,64.18.139.76,64.18.139.82,64.18.139.84,64.186.131.59,64.186.133.108,64.191.113.69,64.235.252.145,64.236.64.132,64.32.1.33,64.32.10.120,64.32.10.70,64.32.10.79,64.32.10.80,64.32.10.88,64.32.10.98,64.32.11.152,64.32.12.118,64.32.12.184,64.32.12.203,64.32.13.130,64.32.13.131,64.32.13.135,64.32.13.136,64.32.13.137,64.32.13.143,64.32.13.144,64.32.13.163,64.32.13.170,64.32.14.171,64.32.14.185,64.32.14.20,64.32.19.10,64.32.19.27,64.32.19.46,64.32.19.55,64.32.19.58,64.32.2.200,64.32.2.213,64.32.2.214,64.32.2.219] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 12) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405022; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [62.75.143.63,62.75.202.25,62.75.243.185,63.245.208.159,63.245.212.23,64.105.39.51,64.113.1.99,64.12.165.56,64.122.31.116,64.124.180.114,64.125.185.222,64.127.102.249,64.141.8.30,64.15.77.71,64.150.180.13,64.150.181.198,64.150.183.52,64.150.183.53,64.16.210.102,64.18.134.201,64.18.139.76,64.18.139.82,64.18.139.84,64.186.131.59,64.186.133.108,64.191.113.69,64.235.252.145,64.236.64.132,64.32.1.33,64.32.10.120,64.32.10.70,64.32.10.79,64.32.10.80,64.32.10.88,64.32.10.98,64.32.11.152,64.32.12.118,64.32.12.184,64.32.12.203,64.32.13.130,64.32.13.131,64.32.13.135,64.32.13.136,64.32.13.137,64.32.13.143,64.32.13.144,64.32.13.163,64.32.13.170,64.32.14.171,64.32.14.185,64.32.14.20,64.32.19.10,64.32.19.27,64.32.19.46,64.32.19.55,64.32.19.58,64.32.2.200,64.32.2.213,64.32.2.214,64.32.2.219] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 12) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405023; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [64.32.20.127,64.32.20.166,64.32.27.135,64.32.27.146,64.32.29.220,64.34.164.81,64.34.174.189,64.62.134.30,64.62.190.245,64.62.190.36,64.62.190.73,64.79.194.120,64.79.197.75,64.85.160.108,64.85.160.30,64.85.162.200,64.85.162.206,64.85.163.113,64.85.163.127,64.85.164.73,64.85.165.21,64.85.172.198,65.110.41.130,65.110.58.110,65.110.62.181,65.110.62.93,65.19.178.15,65.23.153.98,65.23.156.37,65.23.157.127,65.23.158.132,65.243.184.93,65.38.34.254,65.39.182.49,66.101.48.254,66.104.45.230,66.111.35.104,66.111.36.61,66.154.121.11,66.154.121.200,66.154.121.201,66.154.99.150,66.16.33.220,66.160.135.21,66.165.177.88,66.184.117.12,66.197.186.85,66.197.194.185,66.197.199.228,66.197.220.230,66.198.80.67,66.205.65.100,66.207.164.29,66.207.212.113,66.220.1.185,66.220.1.44,66.220.1.59,66.225.200.20,66.225.200.30,66.225.200.46] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 13) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405024; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [64.32.20.127,64.32.20.166,64.32.27.135,64.32.27.146,64.32.29.220,64.34.164.81,64.34.174.189,64.62.134.30,64.62.190.245,64.62.190.36,64.62.190.73,64.79.194.120,64.79.197.75,64.85.160.108,64.85.160.30,64.85.162.200,64.85.162.206,64.85.163.113,64.85.163.127,64.85.164.73,64.85.165.21,64.85.172.198,65.110.41.130,65.110.58.110,65.110.62.181,65.110.62.93,65.19.178.15,65.23.153.98,65.23.156.37,65.23.157.127,65.23.158.132,65.243.184.93,65.38.34.254,65.39.182.49,66.101.48.254,66.104.45.230,66.111.35.104,66.111.36.61,66.154.121.11,66.154.121.200,66.154.121.201,66.154.99.150,66.16.33.220,66.160.135.21,66.165.177.88,66.184.117.12,66.197.186.85,66.197.194.185,66.197.199.228,66.197.220.230,66.198.80.67,66.205.65.100,66.207.164.29,66.207.212.113,66.220.1.185,66.220.1.44,66.220.1.59,66.225.200.20,66.225.200.30,66.225.200.46] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 13) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405025; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [66.225.200.52,66.225.200.62,66.225.200.66,66.225.200.69,66.225.223.105,66.225.223.109,66.225.223.112,66.225.223.115,66.225.223.16,66.225.223.26,66.225.223.52,66.225.223.61,66.225.223.66,66.225.223.70,66.225.223.91,66.225.225.225,66.225.225.66,66.235.184.37,66.246.149.4,66.246.76.24,66.249.128.230,66.252.1.110,66.252.1.203,66.252.1.210,66.252.1.216,66.252.1.218,66.252.1.219,66.252.1.222,66.252.1.28,66.252.10.203,66.252.10.205,66.252.10.206,66.252.10.210,66.252.10.213,66.252.10.217,66.252.10.219,66.252.10.234,66.252.10.235,66.252.10.237,66.252.10.238,66.252.11.11,66.252.11.130,66.252.11.131,66.252.11.132,66.252.11.134,66.252.11.15,66.252.11.230,66.252.11.244,66.252.11.41,66.252.11.5,66.252.11.69,66.252.11.73,66.252.11.76,66.252.11.9,66.252.13.132,66.252.13.134,66.252.13.153,66.252.13.155,66.252.13.156,66.252.13.157] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 14) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405026; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [66.225.200.52,66.225.200.62,66.225.200.66,66.225.200.69,66.225.223.105,66.225.223.109,66.225.223.112,66.225.223.115,66.225.223.16,66.225.223.26,66.225.223.52,66.225.223.61,66.225.223.66,66.225.223.70,66.225.223.91,66.225.225.225,66.225.225.66,66.235.184.37,66.246.149.4,66.246.76.24,66.249.128.230,66.252.1.110,66.252.1.203,66.252.1.210,66.252.1.216,66.252.1.218,66.252.1.219,66.252.1.222,66.252.1.28,66.252.10.203,66.252.10.205,66.252.10.206,66.252.10.210,66.252.10.213,66.252.10.217,66.252.10.219,66.252.10.234,66.252.10.235,66.252.10.237,66.252.10.238,66.252.11.11,66.252.11.130,66.252.11.131,66.252.11.132,66.252.11.134,66.252.11.15,66.252.11.230,66.252.11.244,66.252.11.41,66.252.11.5,66.252.11.69,66.252.11.73,66.252.11.76,66.252.11.9,66.252.13.132,66.252.13.134,66.252.13.153,66.252.13.155,66.252.13.156,66.252.13.157] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 14) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405027; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [66.252.13.166,66.252.13.188,66.252.13.26,66.252.13.27,66.252.13.31,66.252.13.8,66.252.16.151,66.252.16.206,66.252.16.233,66.252.19.10,66.252.19.34,66.252.19.41,66.252.21.77,66.252.21.78,66.252.24.167,66.252.24.53,66.252.27.212,66.252.28.117,66.252.28.119,66.252.28.120,66.252.28.205,66.252.29.238,66.252.29.252,66.252.29.33,66.252.30.110,66.252.30.122,66.252.30.123,66.252.30.168,66.252.30.205,66.252.30.242,66.252.31.210,66.252.31.212,66.252.6.105,66.252.6.106,66.252.6.107,66.252.6.108,66.252.6.109,66.252.6.85,66.252.6.92,66.252.7.130,66.252.7.148,66.252.7.149,66.252.7.71,66.252.8.11,66.252.8.12,66.252.8.13,66.252.8.14,66.252.8.15,66.252.8.16,66.252.8.17,66.252.8.19,66.252.8.2,66.252.8.21,66.252.8.23,66.252.8.24,66.252.8.28,66.252.8.29,66.252.8.3,66.252.8.4,66.252.8.6] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 15) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405028; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [66.252.13.166,66.252.13.188,66.252.13.26,66.252.13.27,66.252.13.31,66.252.13.8,66.252.16.151,66.252.16.206,66.252.16.233,66.252.19.10,66.252.19.34,66.252.19.41,66.252.21.77,66.252.21.78,66.252.24.167,66.252.24.53,66.252.27.212,66.252.28.117,66.252.28.119,66.252.28.120,66.252.28.205,66.252.29.238,66.252.29.252,66.252.29.33,66.252.30.110,66.252.30.122,66.252.30.123,66.252.30.168,66.252.30.205,66.252.30.242,66.252.31.210,66.252.31.212,66.252.6.105,66.252.6.106,66.252.6.107,66.252.6.108,66.252.6.109,66.252.6.85,66.252.6.92,66.252.7.130,66.252.7.148,66.252.7.149,66.252.7.71,66.252.8.11,66.252.8.12,66.252.8.13,66.252.8.14,66.252.8.15,66.252.8.16,66.252.8.17,66.252.8.19,66.252.8.2,66.252.8.21,66.252.8.23,66.252.8.24,66.252.8.28,66.252.8.29,66.252.8.3,66.252.8.4,66.252.8.6] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 15) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405029; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [66.252.8.7,66.252.8.8,66.252.9.140,66.252.9.141,66.252.9.59,66.252.9.61,66.45.234.200,66.46.183.34,66.55.71.248,66.7.210.158,66.71.252.90,66.79.163.42,66.79.163.86,66.79.181.24,66.90.108.46,66.90.110.140,66.90.118.14,66.90.64.174,66.90.78.220,66.90.82.8,66.90.84.147,66.90.84.149,66.90.90.195,66.98.224.132,67.101.75.211,67.159.17.231,67.159.18.51,67.159.18.53,67.159.27.26,67.159.27.30,67.159.34.18,67.159.34.20,67.159.56.58,67.18.176.176,67.18.176.230,67.18.187.34,67.18.208.96,67.198.195.194,67.202.107.13,67.202.215.250,67.21.72.50,67.21.76.176,67.21.76.177,67.21.93.115,67.21.93.55,67.210.234.18,67.215.235.58,67.216.89.164,67.216.89.165,67.219.59.167,67.220.219.4,67.220.65.51,67.220.66.146,67.220.66.72,67.220.67.118,67.220.67.70,67.220.67.71,67.220.67.72,67.220.71.84,67.220.71.90] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 16) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405030; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [66.252.8.7,66.252.8.8,66.252.9.140,66.252.9.141,66.252.9.59,66.252.9.61,66.45.234.200,66.46.183.34,66.55.71.248,66.7.210.158,66.71.252.90,66.79.163.42,66.79.163.86,66.79.181.24,66.90.108.46,66.90.110.140,66.90.118.14,66.90.64.174,66.90.78.220,66.90.82.8,66.90.84.147,66.90.84.149,66.90.90.195,66.98.224.132,67.101.75.211,67.159.17.231,67.159.18.51,67.159.18.53,67.159.27.26,67.159.27.30,67.159.34.18,67.159.34.20,67.159.56.58,67.18.176.176,67.18.176.230,67.18.187.34,67.18.208.96,67.198.195.194,67.202.107.13,67.202.215.250,67.21.72.50,67.21.76.176,67.21.76.177,67.21.93.115,67.21.93.55,67.210.234.18,67.215.235.58,67.216.89.164,67.216.89.165,67.219.59.167,67.220.219.4,67.220.65.51,67.220.66.146,67.220.66.72,67.220.67.118,67.220.67.70,67.220.67.71,67.220.67.72,67.220.71.84,67.220.71.90] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 16) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405031; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [67.220.73.102,67.220.73.105,67.220.73.107,67.220.74.124,67.220.74.70,67.220.75.136,67.220.75.157,67.220.75.175,67.220.78.43,67.220.81.62,67.220.82.2,67.220.82.22,67.223.237.99,67.223.254.182,67.223.97.74,67.228.120.186,67.23.224.4,67.23.27.9,67.23.6.180,67.23.7.58,67.42.201.33,67.43.226.20,67.43.226.242,67.43.226.244,67.43.226.245,67.43.226.246,67.43.226.25,67.43.226.42,67.43.226.7,67.43.232.178,67.43.232.34,67.43.233.66,67.43.236.66,67.43.236.67,67.43.236.68,67.43.236.69,67.43.236.98,67.43.236.99,67.43.238.222,67.79.111.165,68.232.162.247,68.232.170.240,68.75.207.189,68.99.69.10,69.10.61.226,69.12.8.25,69.147.233.144,69.147.233.170,69.147.233.188,69.16.172.2,69.162.101.37,69.162.115.137,69.162.80.43,69.162.84.50,69.163.33.100,69.17.17.5,69.17.2.219,69.199.121.114,69.20.231.81,69.20.234.2] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 17) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405032; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [67.220.73.102,67.220.73.105,67.220.73.107,67.220.74.124,67.220.74.70,67.220.75.136,67.220.75.157,67.220.75.175,67.220.78.43,67.220.81.62,67.220.82.2,67.220.82.22,67.223.237.99,67.223.254.182,67.223.97.74,67.228.120.186,67.23.224.4,67.23.27.9,67.23.6.180,67.23.7.58,67.42.201.33,67.43.226.20,67.43.226.242,67.43.226.244,67.43.226.245,67.43.226.246,67.43.226.25,67.43.226.42,67.43.226.7,67.43.232.178,67.43.232.34,67.43.233.66,67.43.236.66,67.43.236.67,67.43.236.68,67.43.236.69,67.43.236.98,67.43.236.99,67.43.238.222,67.79.111.165,68.232.162.247,68.232.170.240,68.75.207.189,68.99.69.10,69.10.61.226,69.12.8.25,69.147.233.144,69.147.233.170,69.147.233.188,69.16.172.2,69.162.101.37,69.162.115.137,69.162.80.43,69.162.84.50,69.163.33.100,69.17.17.5,69.17.2.219,69.199.121.114,69.20.231.81,69.20.234.2] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 17) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405033; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [69.217.36.153,69.245.107.191,69.30.232.148,69.31.228.75,69.36.111.69,69.41.178.98,69.42.210.56,69.42.214.59,69.42.215.10,69.42.215.12,69.42.215.14,69.42.215.161,69.42.215.178,69.42.215.179,69.42.215.180,69.42.215.20,69.42.215.22,69.42.215.24,69.42.215.4,69.42.215.6,69.42.215.8,69.42.216.215,69.42.217.171,69.42.217.188,69.42.218.161,69.42.218.198,69.42.218.29,69.42.219.68,69.42.220.161,69.42.220.178,69.42.221.253,69.42.221.7,69.42.222.17,69.42.222.29,69.42.74.177,69.56.173.120,69.60.119.115,69.61.21.115,69.64.36.197,69.64.38.216,69.64.39.194,69.64.39.201,69.64.39.202,69.64.43.115,69.64.43.197,69.64.49.244,69.64.50.245,69.64.50.61,69.64.58.106,69.64.61.249,69.64.63.229,69.65.42.31,69.7.104.155,69.90.157.210,69.93.229.206,69.93.9.12,70.32.35.17,70.32.80.161,70.84.15.212,70.84.53.182] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 18) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405034; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [69.217.36.153,69.245.107.191,69.30.232.148,69.31.228.75,69.36.111.69,69.41.178.98,69.42.210.56,69.42.214.59,69.42.215.10,69.42.215.12,69.42.215.14,69.42.215.161,69.42.215.178,69.42.215.179,69.42.215.180,69.42.215.20,69.42.215.22,69.42.215.24,69.42.215.4,69.42.215.6,69.42.215.8,69.42.216.215,69.42.217.171,69.42.217.188,69.42.218.161,69.42.218.198,69.42.218.29,69.42.219.68,69.42.220.161,69.42.220.178,69.42.221.253,69.42.221.7,69.42.222.17,69.42.222.29,69.42.74.177,69.56.173.120,69.60.119.115,69.61.21.115,69.64.36.197,69.64.38.216,69.64.39.194,69.64.39.201,69.64.39.202,69.64.43.115,69.64.43.197,69.64.49.244,69.64.50.245,69.64.50.61,69.64.58.106,69.64.61.249,69.64.63.229,69.65.42.31,69.7.104.155,69.90.157.210,69.93.229.206,69.93.9.12,70.32.35.17,70.32.80.161,70.84.15.212,70.84.53.182] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 18) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405035; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [70.85.129.223,70.85.237.252,70.91.45.236,71.160.39.114,71.249.197.148,71.6.218.42,72.10.169.26,72.10.172.210,72.10.172.211,72.10.172.212,72.10.172.214,72.11.142.40,72.14.179.148,72.14.185.157,72.14.188.215,72.14.189.60,72.18.202.24,72.20.13.58,72.20.13.60,72.20.14.10,72.20.14.195,72.20.14.197,72.20.14.204,72.20.14.205,72.20.14.212,72.20.14.220,72.20.14.234,72.20.14.249,72.20.14.254,72.20.14.27,72.20.14.9,72.20.15.196,72.20.15.208,72.20.15.215,72.20.15.229,72.20.15.234,72.20.15.246,72.20.15.252,72.20.15.35,72.20.17.133,72.20.17.139,72.20.17.147,72.20.17.149,72.20.17.151,72.20.17.167,72.20.17.168,72.20.17.178,72.20.17.241,72.20.2.130,72.20.2.186,72.20.21.124,72.20.21.126,72.20.21.13,72.20.21.3,72.20.21.33,72.20.21.45,72.20.23.102,72.20.23.104,72.20.23.107,72.20.23.74] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 19) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405036; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [70.85.129.223,70.85.237.252,70.91.45.236,71.160.39.114,71.249.197.148,71.6.218.42,72.10.169.26,72.10.172.210,72.10.172.211,72.10.172.212,72.10.172.214,72.11.142.40,72.14.179.148,72.14.185.157,72.14.188.215,72.14.189.60,72.18.202.24,72.20.13.58,72.20.13.60,72.20.14.10,72.20.14.195,72.20.14.197,72.20.14.204,72.20.14.205,72.20.14.212,72.20.14.220,72.20.14.234,72.20.14.249,72.20.14.254,72.20.14.27,72.20.14.9,72.20.15.196,72.20.15.208,72.20.15.215,72.20.15.229,72.20.15.234,72.20.15.246,72.20.15.252,72.20.15.35,72.20.17.133,72.20.17.139,72.20.17.147,72.20.17.149,72.20.17.151,72.20.17.167,72.20.17.168,72.20.17.178,72.20.17.241,72.20.2.130,72.20.2.186,72.20.21.124,72.20.21.126,72.20.21.13,72.20.21.3,72.20.21.33,72.20.21.45,72.20.23.102,72.20.23.104,72.20.23.107,72.20.23.74] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 19) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405037; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [72.20.23.77,72.20.23.92,72.20.24.146,72.20.24.151,72.20.24.161,72.20.24.162,72.20.24.163,72.20.24.164,72.20.24.169,72.20.24.170,72.20.24.171,72.20.24.172,72.20.24.173,72.20.25.140,72.20.25.153,72.20.25.181,72.20.26.109,72.20.27.113,72.20.27.120,72.20.3.62,72.20.32.5,72.20.33.109,72.20.33.77,72.20.35.120,72.20.35.135,72.20.35.183,72.20.35.70,72.20.36.57,72.20.36.9,72.20.37.151,72.20.37.159,72.20.37.189,72.20.37.234,72.20.37.32,72.20.37.39,72.20.38.9,72.20.39.112,72.20.40.249,72.20.40.35,72.20.40.52,72.20.41.222,72.20.42.81,72.20.42.89,72.20.45.81,72.20.45.82,72.20.45.83,72.20.45.84,72.20.45.85,72.20.45.86,72.20.46.9,72.20.48.111,72.20.48.126,72.20.48.40,72.20.48.50,72.20.48.60,72.20.48.95,72.20.50.250,72.20.50.70,72.20.51.115,72.20.52.49] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 20) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405038; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [72.20.23.77,72.20.23.92,72.20.24.146,72.20.24.151,72.20.24.161,72.20.24.162,72.20.24.163,72.20.24.164,72.20.24.169,72.20.24.170,72.20.24.171,72.20.24.172,72.20.24.173,72.20.25.140,72.20.25.153,72.20.25.181,72.20.26.109,72.20.27.113,72.20.27.120,72.20.3.62,72.20.32.5,72.20.33.109,72.20.33.77,72.20.35.120,72.20.35.135,72.20.35.183,72.20.35.70,72.20.36.57,72.20.36.9,72.20.37.151,72.20.37.159,72.20.37.189,72.20.37.234,72.20.37.32,72.20.37.39,72.20.38.9,72.20.39.112,72.20.40.249,72.20.40.35,72.20.40.52,72.20.41.222,72.20.42.81,72.20.42.89,72.20.45.81,72.20.45.82,72.20.45.83,72.20.45.84,72.20.45.85,72.20.45.86,72.20.46.9,72.20.48.111,72.20.48.126,72.20.48.40,72.20.48.50,72.20.48.60,72.20.48.95,72.20.50.250,72.20.50.70,72.20.51.115,72.20.52.49] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 20) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405039; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [72.20.52.52,72.20.54.120,72.20.54.121,72.20.54.123,72.20.54.124,72.20.54.67,72.20.54.69,72.20.54.74,72.20.54.90,72.20.54.97,72.20.56.48,72.20.56.59,72.20.57.119,72.20.57.120,72.20.58.123,72.20.58.143,72.20.58.147,72.20.58.175,72.20.58.177,72.233.8.18,72.250.175.12,72.32.146.136,72.47.218.197,72.51.18.254,72.55.133.56,72.64.146.12,72.64.146.15,72.8.129.209,72.8.130.53,72.8.132.34,72.8.134.218,72.8.134.254,72.8.135.124,72.8.135.125,72.8.167.100,72.8.167.11,72.8.167.147,72.8.167.148,72.8.167.150,72.8.167.151,72.8.167.153,72.8.167.160,72.8.167.161,72.8.167.20,72.8.167.36,72.8.167.73,72.8.167.99,72.8.189.140,72.8.189.141,72.8.189.142,72.8.189.143,72.9.150.155,72.9.150.161,72.90.73.67,74.117.115.102,74.117.172.230,74.117.173.200,74.117.174.101,74.117.174.110,74.117.174.119] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 21) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405040; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [72.20.52.52,72.20.54.120,72.20.54.121,72.20.54.123,72.20.54.124,72.20.54.67,72.20.54.69,72.20.54.74,72.20.54.90,72.20.54.97,72.20.56.48,72.20.56.59,72.20.57.119,72.20.57.120,72.20.58.123,72.20.58.143,72.20.58.147,72.20.58.175,72.20.58.177,72.233.8.18,72.250.175.12,72.32.146.136,72.47.218.197,72.51.18.254,72.55.133.56,72.64.146.12,72.64.146.15,72.8.129.209,72.8.130.53,72.8.132.34,72.8.134.218,72.8.134.254,72.8.135.124,72.8.135.125,72.8.167.100,72.8.167.11,72.8.167.147,72.8.167.148,72.8.167.150,72.8.167.151,72.8.167.153,72.8.167.160,72.8.167.161,72.8.167.20,72.8.167.36,72.8.167.73,72.8.167.99,72.8.189.140,72.8.189.141,72.8.189.142,72.8.189.143,72.9.150.155,72.9.150.161,72.90.73.67,74.117.115.102,74.117.172.230,74.117.173.200,74.117.174.101,74.117.174.110,74.117.174.119] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 21) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405041; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [74.117.174.3,74.117.174.5,74.117.174.69,74.117.174.79,74.117.174.85,74.117.174.89,74.117.174.90,74.117.56.131,74.117.58.137,74.117.59.75,74.117.62.133,74.117.62.251,74.199.29.172,74.207.233.37,74.207.245.186,74.208.101.128,74.208.103.34,74.208.149.196,74.208.166.160,74.208.174.239,74.41.18.106,74.52.26.50,74.63.11.207,74.63.197.230,74.63.208.146,74.63.251.14,74.63.78.37,74.63.87.194,74.65.199.135,74.82.57.7,75.102.24.35,75.102.26.70,75.118.123.95,75.125.18.228,75.126.35.98,75.149.224.129,75.150.46.25,76.10.144.86,76.185.136.131,76.73.101.101,76.73.17.206,76.73.3.140,76.73.53.101,76.74.250.94,76.76.102.235,76.76.11.208,77.244.242.98,77.244.252.140,77.43.29.107,77.59.219.91,77.66.33.10,77.68.42.111,77.68.42.112,77.68.45.222,77.68.46.27,77.75.110.17,77.91.226.45,77.92.85.162,78.111.98.18,78.129.228.10] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 22) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405042; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [74.117.174.3,74.117.174.5,74.117.174.69,74.117.174.79,74.117.174.85,74.117.174.89,74.117.174.90,74.117.56.131,74.117.58.137,74.117.59.75,74.117.62.133,74.117.62.251,74.199.29.172,74.207.233.37,74.207.245.186,74.208.101.128,74.208.103.34,74.208.149.196,74.208.166.160,74.208.174.239,74.41.18.106,74.52.26.50,74.63.11.207,74.63.197.230,74.63.208.146,74.63.251.14,74.63.78.37,74.63.87.194,74.65.199.135,74.82.57.7,75.102.24.35,75.102.26.70,75.118.123.95,75.125.18.228,75.126.35.98,75.149.224.129,75.150.46.25,76.10.144.86,76.185.136.131,76.73.101.101,76.73.17.206,76.73.3.140,76.73.53.101,76.74.250.94,76.76.102.235,76.76.11.208,77.244.242.98,77.244.252.140,77.43.29.107,77.59.219.91,77.66.33.10,77.68.42.111,77.68.42.112,77.68.45.222,77.68.46.27,77.75.110.17,77.91.226.45,77.92.85.162,78.111.98.18,78.129.228.10] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 22) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405043; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [78.129.228.16,78.129.228.23,78.129.228.24,78.129.228.30,78.129.228.32,78.129.228.39,78.129.228.40,78.129.228.51,78.129.228.52,78.129.228.53,78.129.228.54,78.129.228.58,78.129.228.6,78.129.228.64,78.129.228.65,78.129.228.7,78.157.104.207,78.159.100.188,78.159.108.41,78.24.188.201,78.32.173.145,78.40.125.4,79.134.0.34,79.143.254.153,8.7.233.233,8.7.233.36,8.7.233.42,8.7.233.43,8.7.233.44,8.7.233.45,80.126.201.245,80.13.162.101,80.144.236.91,80.154.33.35,80.154.61.188,80.179.146.140,80.190.246.162,80.242.33.83,80.244.90.117,80.244.90.85,80.248.218.122,80.57.155.69,80.64.138.34,80.64.140.13,80.68.89.201,80.80.163.214,80.81.243.106,80.88.108.18,81.167.118.55,81.169.134.201,81.169.136.37,81.169.168.122,81.173.19.77,81.176.236.190,81.26.211.130,81.29.65.57,81.31.33.35,81.9.51.98,82.138.241.140,82.138.241.146] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 23) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405044; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [78.129.228.16,78.129.228.23,78.129.228.24,78.129.228.30,78.129.228.32,78.129.228.39,78.129.228.40,78.129.228.51,78.129.228.52,78.129.228.53,78.129.228.54,78.129.228.58,78.129.228.6,78.129.228.64,78.129.228.65,78.129.228.7,78.157.104.207,78.159.100.188,78.159.108.41,78.24.188.201,78.32.173.145,78.40.125.4,79.134.0.34,79.143.254.153,8.7.233.233,8.7.233.36,8.7.233.42,8.7.233.43,8.7.233.44,8.7.233.45,80.126.201.245,80.13.162.101,80.144.236.91,80.154.33.35,80.154.61.188,80.179.146.140,80.190.246.162,80.242.33.83,80.244.90.117,80.244.90.85,80.248.218.122,80.57.155.69,80.64.138.34,80.64.140.13,80.68.89.201,80.80.163.214,80.81.243.106,80.88.108.18,81.167.118.55,81.169.134.201,81.169.136.37,81.169.168.122,81.173.19.77,81.176.236.190,81.26.211.130,81.29.65.57,81.31.33.35,81.9.51.98,82.138.241.140,82.138.241.146] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 23) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405045; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [82.138.241.150,82.146.49.130,82.146.49.134,82.146.49.136,82.146.49.139,82.146.49.148,82.146.49.149,82.146.49.168,82.146.49.176,82.146.49.179,82.146.49.200,82.146.49.203,82.146.49.241,82.146.51.130,82.146.51.132,82.146.51.202,82.146.52.136,82.146.52.139,82.146.52.144,82.146.52.158,82.146.52.167,82.146.52.170,82.146.52.182,82.146.52.194,82.146.52.196,82.146.52.245,82.146.52.66,82.146.52.89,82.146.53.168,82.146.53.183,82.146.53.194,82.146.59.188,82.165.139.95,82.165.154.249,82.182.115.167,82.23.226.214,82.230.41.47,82.39.138.164,82.94.222.186,82.96.75.46,83.133.119.206,83.136.68.32,83.137.112.20,83.137.41.33,83.140.162.126,83.140.172.210,83.140.172.211,83.140.172.212,83.142.48.72,83.142.85.10,83.149.112.40,83.149.112.7,83.149.112.71,83.149.234.76,83.167.180.110,83.170.81.10,83.170.81.4,83.170.84.101,83.170.84.11,83.170.84.118] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 24) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405046; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [82.138.241.150,82.146.49.130,82.146.49.134,82.146.49.136,82.146.49.139,82.146.49.148,82.146.49.149,82.146.49.168,82.146.49.176,82.146.49.179,82.146.49.200,82.146.49.203,82.146.49.241,82.146.51.130,82.146.51.132,82.146.51.202,82.146.52.136,82.146.52.139,82.146.52.144,82.146.52.158,82.146.52.167,82.146.52.170,82.146.52.182,82.146.52.194,82.146.52.196,82.146.52.245,82.146.52.66,82.146.52.89,82.146.53.168,82.146.53.183,82.146.53.194,82.146.59.188,82.165.139.95,82.165.154.249,82.182.115.167,82.23.226.214,82.230.41.47,82.39.138.164,82.94.222.186,82.96.75.46,83.133.119.206,83.136.68.32,83.137.112.20,83.137.41.33,83.140.162.126,83.140.172.210,83.140.172.211,83.140.172.212,83.142.48.72,83.142.85.10,83.149.112.40,83.149.112.7,83.149.112.71,83.149.234.76,83.167.180.110,83.170.81.10,83.170.81.4,83.170.84.101,83.170.84.11,83.170.84.118] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 24) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405047; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [83.170.84.12,83.170.84.13,83.170.84.9,83.170.93.14,83.217.192.243,83.222.226.219,83.226.250.119,83.243.46.2,83.246.94.87,83.68.16.30,83.68.16.6,83.69.96.16,83.81.251.171,84.11.26.30,84.124.147.148,84.16.231.52,84.16.246.249,84.16.37.205,84.200.208.182,84.200.225.80,84.200.242.4,84.201.7.15,84.208.29.17,84.232.6.70,84.234.138.106,84.235.98.106,84.243.214.93,84.31.125.155,84.53.216.86,85.114.140.126,85.14.200.37,85.153.22.233,85.159.233.66,85.17.137.135,85.17.138.155,85.17.139.182,85.17.139.34,85.17.148.13,85.17.207.164,85.196.81.19,85.196.81.211,85.196.81.9,85.214.117.33,85.214.140.176,85.214.27.94,85.214.36.108,85.214.75.67,85.214.97.16,85.234.150.99,85.236.110.226,85.236.110.228,85.24.148.106,85.24.148.125,85.244.64.245,85.25.10.63,85.25.224.38,85.25.3.62,85.31.187.144,85.92.87.233,85.94.194.111] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 25) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405048; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [83.170.84.12,83.170.84.13,83.170.84.9,83.170.93.14,83.217.192.243,83.222.226.219,83.226.250.119,83.243.46.2,83.246.94.87,83.68.16.30,83.68.16.6,83.69.96.16,83.81.251.171,84.11.26.30,84.124.147.148,84.16.231.52,84.16.246.249,84.16.37.205,84.200.208.182,84.200.225.80,84.200.242.4,84.201.7.15,84.208.29.17,84.232.6.70,84.234.138.106,84.235.98.106,84.243.214.93,84.31.125.155,84.53.216.86,85.114.140.126,85.14.200.37,85.153.22.233,85.159.233.66,85.17.137.135,85.17.138.155,85.17.139.182,85.17.139.34,85.17.148.13,85.17.207.164,85.196.81.19,85.196.81.211,85.196.81.9,85.214.117.33,85.214.140.176,85.214.27.94,85.214.36.108,85.214.75.67,85.214.97.16,85.234.150.99,85.236.110.226,85.236.110.228,85.24.148.106,85.24.148.125,85.244.64.245,85.25.10.63,85.25.224.38,85.25.3.62,85.31.187.144,85.92.87.233,85.94.194.111] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 25) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405049; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [86.110.67.72,86.121.140.13,86.123.149.33,86.125.217.5,86.164.26.75,86.57.151.5,86.65.39.15,87.106.138.9,87.106.61.8,87.118.102.89,87.118.103.89,87.118.120.11,87.118.126.87,87.118.87.98,87.124.86.31,87.227.96.214,87.229.108.148,87.236.194.147,87.246.53.10,87.252.253.254,87.98.141.234,87.98.164.139,87.98.218.204,87.98.244.220,87.98.249.186,87.98.249.30,87.98.250.95,88.191.40.54,88.191.60.22,88.191.66.7,88.208.204.56,88.208.216.26,88.36.96.34,88.80.5.41,89.149.195.247,89.149.198.180,89.149.198.183,89.149.201.156,89.149.210.91,89.163.179.130,89.17.201.203,89.185.236.71,89.202.247.162,89.203.155.3,89.238.159.70,89.238.64.181,89.238.71.23,89.238.71.29,89.248.166.22,89.248.166.89,89.36.192.190,89.46.100.5,89.46.101.75,91.121.0.76,91.121.0.93,91.121.100.100,91.121.103.122,91.121.107.112,91.121.115.74,91.121.122.110] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 26) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405050; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [86.110.67.72,86.121.140.13,86.123.149.33,86.125.217.5,86.164.26.75,86.57.151.5,86.65.39.15,87.106.138.9,87.106.61.8,87.118.102.89,87.118.103.89,87.118.120.11,87.118.126.87,87.118.87.98,87.124.86.31,87.227.96.214,87.229.108.148,87.236.194.147,87.246.53.10,87.252.253.254,87.98.141.234,87.98.164.139,87.98.218.204,87.98.244.220,87.98.249.186,87.98.249.30,87.98.250.95,88.191.40.54,88.191.60.22,88.191.66.7,88.208.204.56,88.208.216.26,88.36.96.34,88.80.5.41,89.149.195.247,89.149.198.180,89.149.198.183,89.149.201.156,89.149.210.91,89.163.179.130,89.17.201.203,89.185.236.71,89.202.247.162,89.203.155.3,89.238.159.70,89.238.64.181,89.238.71.23,89.238.71.29,89.248.166.22,89.248.166.89,89.36.192.190,89.46.100.5,89.46.101.75,91.121.0.76,91.121.0.93,91.121.100.100,91.121.103.122,91.121.107.112,91.121.115.74,91.121.122.110] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 26) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405051; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [91.121.141.100,91.121.143.15,91.121.158.18,91.121.158.84,91.121.166.117,91.121.17.210,91.121.195.74,91.121.204.150,91.121.208.180,91.121.251.195,91.121.27.112,91.121.58.120,91.121.59.5,91.121.89.104,91.121.96.182,91.121.96.69,91.149.157.69,91.191.163.21,91.194.85.186,91.195.250.56,91.201.53.147,91.205.185.104,91.205.241.87,91.208.144.141,91.208.40.24,91.211.117.76,91.214.111.26,91.215.218.13,91.83.48.220,92.241.164.114,92.241.180.65,92.241.190.8,92.243.15.98,92.243.16.163,92.243.20.2,92.243.20.93,92.243.21.201,92.243.21.230,92.243.21.79,92.33.0.168,92.61.32.19,92.62.43.55,93.104.214.3,93.104.215.196,93.185.77.230,93.189.88.209,93.190.138.42,93.190.138.52,93.190.140.129,93.90.46.75,94.102.55.176,94.102.58.177,94.102.58.214,94.103.155.83,94.125.182.255,94.125.252.224,94.125.252.241,94.127.17.19,94.171.149.20,94.228.41.56] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 27) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405052; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [91.121.141.100,91.121.143.15,91.121.158.18,91.121.158.84,91.121.166.117,91.121.17.210,91.121.195.74,91.121.204.150,91.121.208.180,91.121.251.195,91.121.27.112,91.121.58.120,91.121.59.5,91.121.89.104,91.121.96.182,91.121.96.69,91.149.157.69,91.191.163.21,91.194.85.186,91.195.250.56,91.201.53.147,91.205.185.104,91.205.241.87,91.208.144.141,91.208.40.24,91.211.117.76,91.214.111.26,91.215.218.13,91.83.48.220,92.241.164.114,92.241.180.65,92.241.190.8,92.243.15.98,92.243.16.163,92.243.20.2,92.243.20.93,92.243.21.201,92.243.21.230,92.243.21.79,92.33.0.168,92.61.32.19,92.62.43.55,93.104.214.3,93.104.215.196,93.185.77.230,93.189.88.209,93.190.138.42,93.190.138.52,93.190.140.129,93.90.46.75,94.102.55.176,94.102.58.177,94.102.58.214,94.103.155.83,94.125.182.255,94.125.252.224,94.125.252.241,94.127.17.19,94.171.149.20,94.228.41.56] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 27) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405053; rev:1849; fwsam: dst, 30 days;)
alert tcp $HOME_NET any -> [94.229.73.198,94.23.0.120,94.23.111.18,94.23.114.26,94.23.120.229,94.23.154.132,94.23.154.167,94.23.212.116,94.23.22.62,94.23.225.225,94.23.239.95,94.23.60.6,94.23.8.74,94.247.169.164,94.247.241.6,94.32.66.150,94.46.127.1,94.47.254.1,94.62.8.57,94.75.205.140,94.75.206.129,94.75.216.194,94.82.109.9,95.154.216.63,95.154.216.64,95.154.237.9,95.168.170.178,95.168.183.181,95.168.187.112,95.168.187.128,95.168.187.206,95.168.187.46,95.168.187.52,95.211.24.165,95.211.26.11,95.211.26.160,95.211.32.4,95.211.84.107,95.211.84.108,95.50.75.34,95.86.129.10,96.44.128.61,96.9.182.21,97.107.129.187,97.107.130.165,97.107.132.56,97.107.137.102,98.141.220.182,98.141.220.183,98.142.242.183,98.142.254.236,98.142.254.239,98.143.158.23,98.189.231.149,98.23.191.122,98.234.178.128,99.36.74.241] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 28) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405054; rev:1849; fwsam: dst, 30 days;)
alert udp $HOME_NET any -> [94.229.73.198,94.23.0.120,94.23.111.18,94.23.114.26,94.23.120.229,94.23.154.132,94.23.154.167,94.23.212.116,94.23.22.62,94.23.225.225,94.23.239.95,94.23.60.6,94.23.8.74,94.247.169.164,94.247.241.6,94.32.66.150,94.46.127.1,94.47.254.1,94.62.8.57,94.75.205.140,94.75.206.129,94.75.216.194,94.82.109.9,95.154.216.63,95.154.216.64,95.154.237.9,95.168.170.178,95.168.183.181,95.168.187.112,95.168.187.128,95.168.187.206,95.168.187.46,95.168.187.52,95.211.24.165,95.211.26.11,95.211.26.160,95.211.32.4,95.211.84.107,95.211.84.108,95.50.75.34,95.86.129.10,96.44.128.61,96.9.182.21,97.107.129.187,97.107.130.165,97.107.132.56,97.107.137.102,98.141.220.182,98.141.220.183,98.142.242.183,98.142.254.236,98.142.254.239,98.143.158.23,98.189.231.149,98.23.191.122,98.234.178.128,99.36.74.241] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 28) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405055; rev:1849; fwsam: dst, 30 days;)