# # $Id: emerging-policy.rules $ # Emerging Threats Policy rules. # # SID's are 2000000+ to avoid conflicts # # More information available at www.emergingthreats.net # # Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list # #************************************************************* # # Copyright (c) 2003-2010, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#by Matt Jonkman
# A 404 response whose body begins with an MZ header: an HTTP "not found" page that actually carries a PE image.
# depth:24 is exactly the length of "HTTP/1.1 404 Not Found\r\n", so the status line must open the server payload;
# HTTP/1.0 404s are not matched. The second content requires "MZ" to sit directly after the blank line ending the headers.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; content:"|0d 0a 0d 0a|MZ"; distance:0; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_404_EXE; sid:2009028; rev:2;)
#by Matt Jonkman, from qru
# Case-insensitive User-Agent match; the pcre keeps the token on the same header line ([^\n]+).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AOL Toolbar User-Agent (AOLToolbar)"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+AOLToolbar/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003469; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_AOL_Toolbar; sid:2003469; rev:3;)
#Submitted by Matt Jonkman
# AOL webmail: message submission (POST to the compose frame) and the login form.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AOL Webmail Message Send"; flow: to_server,established; uricontent:"/compose_frame.adp"; content:"POST"; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000571; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_AOL_Webmail; sid: 2000571; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AOL Webmail Login"; flow: to_server,established; uricontent:"/login/login.psp?siteId="; content:"triedAimAuth"; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000572; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_AOL_Webmail; sid: 2000572; rev:6;)
#by Kevin Ross
# Management console reached over plain HTTP from $EXTERNAL_NET; the exposure itself is the finding, not the request.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY External Unencrypted Connection To Aanval Console"; flow:established,to_server; uricontent:"/aanval/flex/AanvalFlex"; nocase; classtype:misc-activity; reference:url,www.aanval.com; reference:url,doc.emergingthreats.net/bin/view/Main/2008561; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Aanval; sid:2008561; rev:2;)
#By merphie. Please test this out, it should work on NT domains and 98. Disabled by default
# The content is the NetBIOS first-level (nibble + 'A') encoding of the name ADMINISTRATOR, matched in NetBIOS
# name-service traffic (udp/137) between internal hosts.
#alert udp $HOME_NET any -> $HOME_NET 137 (msg:"ET POLICY Administrator Login Detected"; content:"ebeeenejeoejfdfefcebfeepfc"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001806; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Administrator_Login; sid: 2001806; rev:4;)
#by Kevin Ross
# Altiris HelpDesk / Console paths requested from $EXTERNAL_NET. Disabled by default.
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Connection to Altiris HelpDesk"; flow:to_server,established; uricontent:"/aexhd/worker/"; nocase; classtype:misc-activity; reference:url,www.symantec.com/business/theme.jsp?themeid=altiris; reference:url,doc.emergingthreats.net/2009696; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Altiris; sid:2009696; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Connection to Altiris Console"; flow:to_server,established; uricontent:"/altiris/ns/"; nocase; classtype:misc-activity; reference:url,www.symantec.com/business/theme.jsp?themeid=altiris; reference:url,doc.emergingthreats.net/2009697; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Altiris; sid:2009697; rev:2;)
#by kevin ross
# Keyed to a single hard-coded /16; coverage is only as good as that one range. TCP rule fires on the SYN only
# (flags:S,12), the UDP rule on any packet not involving port 53 on either side. Both disabled by default.
#alert tcp [174.129.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Amazon_Cloud; sid:2010815; rev:4;)
#alert udp [174.129.0.0/16] !53 -> $HOME_NET !53 (msg:"ET POLICY Incoming UDP Packet From Amazon EC2 Cloud"; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010816; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Amazon_Cloud; sid:2010816; rev:5;)
#by mex
#apachebench
# ab issues many requests per run, so the threshold caps this at one alert per source every 60 s.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY ApacheBenchmark[ab] Tool User-Agent Detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: ApacheBench"; offset:30; nocase; classtype:attempted-recon; threshold: type limit, count 1, seconds 60, track by_src; reference:url,httpd.apache.org/docs/2.0/programs/ab.html/; reference:url,doc.emergingthreats.net/2010725; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_ApacheBenchmark; sid:2010725; rev:2;)
#matt jonkman
# No nocase here: the "User-Agent: AutoIt" match is case-sensitive, unlike the ApacheBench rule above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile"; flow:established,to_server; content:"|0d 0a|User-Agent\: AutoIt"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2008350; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Autoit; sid:2008350; rev:3;)
#by Kevin Ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Unencrypted Connection to BASE Console"; flow:to_server,established; uricontent:"/base_main.php"; classtype:misc-activity; reference:url,base.secureideas.net; reference:url,doc.emergingthreats.net/bin/view/Main/2008570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_BASE; sid:2008570; rev:2;)
#this is not for a vuln, but for the use of an easily decrypted password in the clear
# by Adam Ellison. Use this if you have a policy of not showing passwords in the clear
#added negates of Anonymous and :, idea from Jon Schiedell
# "YW5vbnltb3VzOg==" is the base64 of "anonymous:", so anonymous logins with an empty password are excluded;
# within:32 confines that negated check to the 32 bytes after "Basic". The outgoing rule's destination is
# "any $HTTP_PORTS" rather than $EXTERNAL_NET, so it also fires on internal-to-internal Basic auth.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Basic_HTTP_Auth; sid:2006380; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Basic_HTTP_Auth; sid:2006402; rev:6;)
#Submitted by Joseph Gama
#Good rules, turn them on if you are interested. They are accurate.
# Binary download detection by file magic. Most of these are disabled by default; only the PE rule (2000419)
# is on. The rules have no port restriction, so they inspect every established TCP stream from $EXTERNAL_NET.
# ELF magic (0x7F "ELF") followed somewhere later by eight NUL bytes.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download"; flow: established; content:"|7F|ELF"; content:"|00 00 00 00 00 00 00 00|"; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000418; rev:10;)
# PE: "MZ", the standard DOS-stub message, then the "PE" signature. Sets the ET.http.binary flowbit for other rules.
# "MZ" is not anchored to the start of the payload, so the match can begin anywhere in the stream.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; flowbits:set,ET.http.binary; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000419; rev:12;)
# Registry export files (REGEDIT4 / version 5.00, ANSI and UTF-16LE). Note that nocase applies only to the last content.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 4 download"; flow: established; content:"REGEDIT4"; content:"|0D 0A|"; content:"["; content:"HKEY_"; nocase; reference:url,www.ss64.com/nt/regedit.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000420; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000420; rev:10;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 5 download"; flow: established; content:"Windows Registry Editor Version 5.00"; content:"|0D 0A|"; content:"["; content:"HKEY_"; nocase; reference:url,www.ss64.com/nt/regedit.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000421; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000421; rev:10;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 5 Unicode download"; flow: established; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|R|00|e|00|g|00|i|00|s|00|t|00|r|00|y|00| |00|E|00|d|00|i|00|t|00|o|00|r|00| |00|V|00|e|00|r|00|s|00|i|00|o|00|n|00| |00|5|00|.|00|0|00|0|00|"; content:"|0D 0A|"; content:"[|00|"; content:"H|00|K|00|E|00|Y|00|_|00|"; nocase; reference:url,www.ss64.com/nt/regedit.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000422; reference:url,www.emergingthreats.net/bin/view/Main/2000422; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000422; rev:10;)
# Legacy NE / LX executables (OS/2, Windows 3.x) and PKLITE-compressed DOS executables.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY NE EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"NE"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000423; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000423; rev:10;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY LX EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"LX"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000424; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000424; rev:9;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY NE EXE Windows 3.x file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program requires Microsoft Windows."; isdataat: 10,relative; content:"NE"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000425; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000425; rev:9;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY EXE compressed PKWARE Windows file download"; flow: established; content:"MZ"; isdataat: 28,relative; content:"PKLITE"; distance: 0; reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000426; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000426; rev:9;)
#by jaime blasco
# Variant of 2000419 for a different DOS-stub string; also sets ET.http.binary.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download (2)"; flow:established; content:"MZ"; isdataat:76,relative; content:"Windows Program"; distance:0; isdataat:10,relative; content:"PE"; distance:0; flowbits:set,ET.http.binary; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010869; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid:2010869; rev:2;)
#Disabling as it overlaps with 2000419
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be "; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; flowbits:set,ET.http.binary; reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000427; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000427; rev:12;)
# ZIP local file header ("PK" 03 04) followed by a byte_test on the version-needed field.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ZIP file download"; flow: established; content:"PK|0304|"; byte_test:1, <=, 0x14, 0, string, hex;content:"|00 00 00|"; distance: 0; reference:url,zziplib.sourceforge.net/zzip-parse.print.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000428; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000428; rev:10;)
# CHM: "ITSF" 03 header followed (after 19 bytes) by one of two GUID byte orders.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Download Windows Help File CHM"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|7C 01 FD 10 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC 7C 01 FD 11 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000489; rev:9;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Download Windows Help File CHM 2"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|10 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC 11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000429; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2000429; rev:9;)
# MSI: this is the generic OLE compound-document magic, so any OLE file (legacy Office documents included) would match.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY MSI (microsoft installer file) download"; flow: established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype: bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2001115; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid: 2001115; rev:6;)
#this sig JUST gets updates from external_net
# byte_test checks the DNS flags byte (offset 2) against 40 decimal = 0x28, the two opcode bits that are set for
# opcode 5 (UPDATE). NOTE(review): the "&" test passes on any non-zero result, so NOTIFY (opcode 4, 0x20) and
# IQUERY (opcode 1, 0x08) from external resolvers would also fire - confirm before treating hits as UPDATE only.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,&,40,2; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009702; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Bind; sid:2009702; rev:4;)
#Idea by David Glosser, sig by Matt Jonkman
# Bogon source ranges. NOTE(review): these lists reflect the IANA registry at the time the file was written (2003-2010);
# most of the /8s in nets 1 and 2 have since been allocated, so reconcile against a current bogon list before
# enabling or these will fire on ordinary Internet traffic. threshold: one alert per source every 360 s.
alert ip [0.0.0.0/7,5.0.0.0/8,14.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8,42.0.0.0/8,49.0.0.0/8] any -> $HOME_NET any (msg:"ET POLICY Reserved IP Space Traffic - Bogon Nets 1"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Bogon_Nets; sid:2002749; rev:7;)
alert ip [50.0.0.0/8,100.0.0.0/6,104.0.0.0/6,176.0.0.0/7,179.0.0.0/8,181.0.0.0/8,185.0.0.0/8] any -> $HOME_NET any (msg:"ET POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002750; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Bogon_Nets; sid:2002750; rev:20;)
alert ip [192.0.2.0/24,198.18.0.0/15,223.0.0.0/8] any -> $HOME_NET any (msg:"ET POLICY Reserved IP Space Traffic - Bogon Nets 3"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002751; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Bogon_Nets; sid:2002751; rev:5;)
#
#This is for reserved internal space. Do NOT run this sig on your internal net, commented out by default.
# Private (RFC 1918) plus 169.254/16 link-local sources arriving at $HOME_NET. Disabled by default: if $HOME_NET
# itself contains any of these ranges the rule fires on ordinary internal traffic, so only enable it on a sensor
# that sees the external side of the perimeter.
#alert ip [10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Reserved Internal IP Traffic"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002752; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Bogon_Nets; sid:2002752; rev:4;)
#this is a distributed search engine crawling thing. I am not aware of any spyware-like activity, but it is likely not welcome on a corporate net
# NOTE(review): classtype:trojan-activity does not match the comment above or the policy-violation classtype the other
# User-Agent rules in this file use; consider policy-violation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc)"; flow:to_server,established; content:"User-Agent\: boitho.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003653; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Boitho.com; sid:2003653; rev:3;)
#ccproxy is a legitimate program, but has been seen in use by malware to proxy remote http
# it's a product designed for internal network use. Run this sig externally to detect it in use remotely.
# This would likely be hostile activity
#by Matt Jonkman from sandnet analysis
# Matches the proxy's reply to a CONNECT request. depth:58 equals the length of the matched string, so the banner
# must open the server payload (offset:0).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY CCProxy in use remotely - Possibly Hostile/Malware"; flow:established,from_server; content:"HTTP/1.0 200 Connection established|0d 0a|Proxy-agent\: CCProxy "; offset:0; depth:58; classtype:trojan-activity; reference:url,www.youngzsoft.net; reference:url,doc.emergingthreats.net/bin/view/Main/2007576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_CCProxy; sid:2007576; rev:3;)
#by christopher Campesi
# Destination is a hard-coded /24, so the rule goes silent if the service moves. offset:56 fixes where the
# content search starts in the client's bytes; which handshake field that lands on is not documented here - confirm
# against a capture before relying on it.
alert tcp $HOME_NET any -> 38.97.75.0/24 443 (msg:"ET POLICY Carbonite Online Backup SSL Handshake"; flow:established,to_server; content:"CarboniteInc"; offset:56; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009798; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite; sid:2009798; rev:2;)
#by evilghost
# Client MAC address sent in a GET query string in the clear.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Carbonite.com Backup Software Leaking MAC Address"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/manage.old/sun/signup.aspx?MACAddresses=MAC"; nocase; uricontent:"ShowCount="; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009800; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite; sid:2009800; rev:3;)
#by eoin miller
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: Carbonite Installer|0d 0a|"; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009801; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Carbonite; sid:2009801; rev:2;)
#online tools
# Inbound probes from the CentralOps web utilities, identified by their User-Agent (2003631 is the generic form,
# looking for the "CentralOps.net/)" suffix within 100 bytes of the header name).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Centralops.net Domain Dossier Utility Probe"; flow:established,to_server; content:"USER-Agent\: Domain Dossier utility (http\://CentralOps.net/)"; nocase; classtype:policy-violation; reference:url,centralops.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Centralops.net; sid:2003623; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Centralops.net Probe"; flow:established,to_server; content:"USER-Agent\: "; nocase; content:"CentralOps.net/)"; within:100; nocase; classtype:policy-violation; reference:url,centralops.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003631; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Centralops.net; sid:2003631; rev:3;)
#Submitted by Matt Jonkman
# Clear-text telnet (port 23) only: the same IOS prompts inside an SSH session are not visible to these content matches.
alert tcp $HOME_NET 23 -> any any (msg: "ET POLICY Cisco Device in Config Mode"; flow: established; content:"Enter configuration commands, one per line"; nocase; classtype: not-suspicious; reference:url,doc.emergingthreats.net/bin/view/Main/2001239; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Cisco; sid: 2001239; rev:9;)
alert tcp $HOME_NET 23 -> any any (msg: "ET POLICY Cisco Device New Config Built"; flow: established; content:"Building configuration..."; nocase; classtype: not-suspicious; reference:url,doc.emergingthreats.net/bin/view/Main/2001240; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Cisco; sid: 2001240; rev:9;)
#by Kevin Ross
# Both depths equal the length of the matched banner, so the text must open the server's payload.
# NOTE(review): 2008860 uses flow:from_server without "established", unlike 2008861 below; "Dissalowed" in its msg
# is a typo, left untouched because alert consumers may key on the msg text.
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET POLICY External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set)"; flow:from_server; content:"Password required, but none set"; depth:31; classtype:misc-activity; reference:url,articles.techrepublic.com.com/5100-10878_11-5875046.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008860; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Cisco; sid:2008860; rev:3;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET POLICY External Telnet Login To Cisco Device"; flow:from_server,established; content:"User Access Verification"; classtype:misc-activity; depth:24; reference:url,articles.techrepublic.com.com/5100-10878_11-5875046.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008861; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Cisco; sid:2008861; rev:3;)
# Aironet web UI reached over plain HTTP from $EXTERNAL_NET.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY External Access to Cisco Aironet AP Over HTTP (Post Authentication)"; flow:to_server,established; uricontent:"/ap_home.html"; classtype:misc-activity; reference:url,supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_HTTPS_on_the_AP; reference:url,doc.emergingthreats.net/bin/view/Main/2008862; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Cisco; sid:2008862; rev:2;)
#By Cory Bys, Particle.bored.
# These are going to increase load on a snort process, and are NOT FOOLPROOF. But they may help reveal issues
# with information flow. NOTE: These will not detect classified UUEncoded docs (email attachments) etc.
# # Email # # Non-US Restricted #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Non-US Restricted Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002410; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002410; rev:3;) # # Non-US Confidential #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Non-US Confidential Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002411; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002411; rev:3;) # # Non-US Top Secret #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Non-US Top Secret Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002412; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002412; rev:3;) # # Non-US Secret #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Non-US Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+(? 
$EXTERNAL_NET 25 (msg:"ET POLICY SMTP NATO Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002414; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002414; rev:3;) # # NATO Confidential Atomal #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP NATO Confidential Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002415; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002415; rev:3;) # # NATO Confidential #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP NATO Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002416; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002416; rev:3;) # # NATO COSMIC Top Secret Atomal #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP NATO COSMIC Top Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002417; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002417; rev:3;) # # NATO Secret Atomal #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP NATO Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002418; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002418; rev:3;) # # NATO Secret #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP NATO Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002419; rev:3;) # # US Confidential, Electronic Format #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Confidential, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002420; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002420; rev:3;) # # US Top Secret, Electronic Format #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Top Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002421; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002421; rev:3;) # # US Secret, Electronic Format #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002422; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002422; rev:3;) # # US Confidential Authorized for Release To #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Confidential REL TO"; 
flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002423; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002423; rev:3;) # # US Top Secret Authorized for Release To #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Top Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002424; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002424; rev:3;) # # US Secret Authorized for Release To #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Confidential COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002426; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002426; rev:3;) # # US Top Secret Comint #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Top Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002427; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002427; rev:3;) # # US Secret Comint #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Unclassified COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002429; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002429; rev:3;) # # US Confidential Communications Security Material #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Confidential COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002430; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002430; rev:3;) # # US Top Secret Communications Security Material #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Top Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002431; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002431; rev:3;) # # US Secret Communications Security Material #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Secret IMCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Top Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002434; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002434; rev:3;) # # US Secret Critical Nuclear Weapon Design Information #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Top Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002436; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002436; rev:3;) # # US Secret Talent Keyhole #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"ET POLICY SMTP US FGI"; flow:to_server,established; content:"Subject|3A|"; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002438; rev:3;) # # US For Official Use Only #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US FOUO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002439; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002439; rev:3;) # # US Confidential Not Releasable to Foreign Nationals #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Confidential NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002440; rev:3;) # # US Top Secret Not Releasable to Foreign Nationals #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Top Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002441; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002441; rev:3;) # # US Secret Not Releasable to Foreign Nationals #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Confidential ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002443; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002443; rev:3;) # # US Top Secret Originator Controlled #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Top Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002444; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002444; rev:3;) # # US Secret Originator Controlled #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Unclassified PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002446; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002446; rev:3;) # # US Confidential Proprietary Information #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Confidential PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002447; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002447; rev:3;) # # US Top Secret Proprietary Information #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002448; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002448; rev:3;) # # US Secret Proprietary Information #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Confidential RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002450; rev:3;) # # US Top Secret Restricted Data #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Top Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002451; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002451; rev:3;) # # US Secret Restricted Data #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"ET POLICY SMTP US SAMI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002453; rev:3;) # # US Confidential Special Category #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Confidential SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002454; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002454; rev:3;) # # US Top Secret Special Category #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Top Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002455; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002455; rev:3;) # # US Secret Special Category #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"ET POLICY SMTP US Top Secret STOP"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002457; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002457; rev:3;) # # The word "private" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Private"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002458; rev:3;) # # The word "restricted" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Top Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Sealed"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002463; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002463; rev:3;) # # The word "sensitive" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"ET POLICY SMTP Proprietary"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002465; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002465; rev:3;) # # The word "protected" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Protected"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002466; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002466; rev:3;) # # The phrase "law enforcement sensitive" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Law Enforcement Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002467; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002467; rev:3;) # # The phrase "internal use only" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Internal Use Only"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002468; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002468; rev:3;) # # The phrase "date of birth" or its typical abbreviations #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Date of Birth"; flow:to_server,established; content:"Subject|3A|"; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; classtype:policy-violation; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002469; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002469; rev:3;) # # Health Care Common Procedure Coding System (HCPCS) Codes #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP HCPCS Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002470; rev:3;) # # International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP ICD-10 Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002471; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002471; rev:3;) # # Food and Drug Administration (FDA) National Drug Code (NDC) Codes #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP FDA NDC Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002472; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002472; rev:3;) # # American Dental Association (ADA) Dental Procedure Codes #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP ADA Procedure Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; classtype:policy-violation; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002473; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002473; rev:3;) # # Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP DSM-IV Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002474; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002474; rev:5;) # # American Medical Association (AMA) Current Procedural Terminology (CPT) Codes #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP AMA CPT Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002475; rev:3;) # # Japan Credit Bureau Credit Card Number #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Credit Card, JCB"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002477; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002477; rev:3;) # # The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Password"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002483; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002483; rev:3;) # # The word "appraisal" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Appraisal"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wappraisal(s)?\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002484; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002484; rev:3;) # # The phrase "account balance" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Account Balance"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Waccount\sbalance(s)?\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002485; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002485; rev:3;) # # The phrase "payment history" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Payment History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wpayment\shistory\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002486; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002486; rev:3;) # # The phrase "annual income" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Annual Income"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wannual\sincome(s)?\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002487; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002487; rev:4;) # # The phrase "credit history" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Credit History"; flow:to_server,established; 
content:"Subject|3A|"; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002488; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002488; rev:3;) # # The phrase "transaction history" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Transaction History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002489; rev:3;) # # The phrase "customer list" #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET POLICY SMTP Customer List"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002490; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002490; rev:3;) ########################################## # # HTTP POST # # Non-US Restricted #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002495; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002495; rev:4;) # # Non-US Confidential #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002496; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002496; rev:4;) # # Non-US Top 
Secret #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002497; rev:4;) # # Non-US Secret #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(? $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002499; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002499; rev:4;) # # NATO Confidential Atomal #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002500; rev:4;) # # NATO Confidential #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002501; rev:4;) # # NATO COSMIC Top Secret Atomal #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; classtype:policy-violation; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002502; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002502; rev:4;) # # NATO Secret Atomal #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002503; rev:4;) # # NATO Secret #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002504; rev:4;) # # US Confidential, Electronic Format #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002505; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002505; rev:4;) # # US Top Secret, Electronic Format #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002506; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002506; rev:4;) # # US Secret, Electronic Format #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Secret, Electronic"; flow:to_server,established; 
pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002507; rev:4;) # # US Confidential Authorized for Release To #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002508; rev:4;) # # US Top Secret Authorized for Release To #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002509; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002509; rev:4;) # # US Secret Authorized for Release To #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Secret REL TO"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002511; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002511; rev:4;) # # US Top Secret Comint #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002512; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002512; rev:4;) # # US Secret Comint #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Secret COMINT"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002514; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002514; rev:4;) # # US Confidential Communications Security Material #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002515; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002515; rev:4;) # # US Top Secret Communications Security Material #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Top Secret COMSEC"; 
flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002516; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002516; rev:4;) # # US Secret Communications Security Material #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Secret COMSEC"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Secret IMCON"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002519; rev:4;) # # US Secret Critical Nuclear Weapon Design Information #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Secret CNWDI"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002521; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002521; rev:4;) # # US Secret Talent Keyhole #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Secret TK"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002523; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002523; rev:4;) # # US For Official Use Only #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002524; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002524; rev:4;) # # US Confidential Not Releasable to Foreign Nationals #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002525; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002525; rev:4;) # # US Top Secret Not Releasable to Foreign Nationals #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002526; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002526; rev:4;) # # US Secret Not Releasable to Foreign Nationals #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Secret NOFORN"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002704; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002704; rev:3;) # # US Top Secret Originator Controlled #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002528; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002528; rev:4;) # # US Secret Originator Controlled #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Secret ORCON"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002530; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002530; rev:4;) # # US Confidential Proprietary Information #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002531; rev:4;) # # US Top Secret Proprietary Information #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002532; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002532; rev:4;) # # US Secret Proprietary Information #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Secret PROPIN"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002534; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002534; rev:4;) # # US Top Secret Restricted Data #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002535; rev:4;) # # US Secret Restricted Data #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Secret RD"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002537; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002537; rev:4;) # # US Confidential Special Category #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002538; rev:4;) # # US Top Secret Special Category #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Top Secret SPECAT"; flow:to_server,established; 
pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002539; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002539; rev:4;) # # US Secret Special Category #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Secret SPECAT"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002541; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002541; rev:4;) # # The word "private" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002542; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002542; rev:4;) # # The word "restricted" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Restricted"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Confidential"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Secret"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Top Secret"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002547; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002547; rev:4;) # # The word "sensitive" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Sensitive"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002549; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002549; rev:4;) # # The word "protected" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002550; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002550; rev:4;) # # The phrase "law enforcement sensitive" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002551; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002551; rev:4;) # # The phrase "internal use only" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002552; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002552; rev:4;) # # The phrase "date of birth" or its typical abbreviations #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002553; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002553; rev:4;) # # Health Care Common Procedure Coding System (HCPCS) Codes #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002554; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002554; rev:4;) # # International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002555; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002555; rev:4;) # # Food and Drug Administration (FDA) National Drug Code (NDC) Codes #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002556; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002556; rev:4;) # # American Dental Association (ADA) Dental Procedure Codes #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002557; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002557; rev:4;) # # Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002558; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002558; rev:5;) # # American Medical Association (AMA) Current Procedural Terminology (CPT) Codes #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002559; rev:4;) # # Japan Credit Bureau Credit Card Number #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002561; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002561; 
rev:4;) # # The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet" (e.g. "passwd", "p@ssw0rd", "pa55word"). NOTE: the pcre is unanchored and the rule has no content: prefilter, so the regex runs against every client payload on $HTTP_PORTS; it will also match the ordinary "password=" field of any cleartext HTTP login POST, which makes it a high-noise rule - it is shipped disabled and should only be enabled with a content: anchor or tighter scoping. #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002567; rev:4;) # # The word "appraisal" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002568; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002568; rev:4;) # # The phrase "account balance" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002569; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002569; rev:4;) # # The phrase "payment history" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002570; rev:4;) # # The phrase "annual income" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002571; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002571; rev:4;) # # The phrase "credit history" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002572; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002572; rev:4;) # # The phrase "transaction history" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002573; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002573; rev:4;) # # The phrase "customer list" #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002574; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002574; rev:4;) # # ########################################## # # High Ports (1024: -> 1024:), e.g. passive FTP data channels. NOTE: the port spec is not FTP-specific - it covers every established TCP session between two ephemeral ports - and each rule below is a bare, unanchored pcre with no content: prefilter, so the regex is evaluated against every payload on those ports. These rules are shipped disabled (#alert); enable them only with a content: anchor or a narrower port list, and expect keyword false positives. # # Non-US Restricted #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002575; rev:4;) # # Non-US Confidential #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Non-US Confidential"; flow:to_server,established; 
pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002576; rev:4;) # # Non-US Top Secret #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002577; rev:4;) # # Non-US Secret #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(? $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002579; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002579; rev:4;) # # NATO Confidential Atomal #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002580; rev:4;) # # NATO Confidential #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002581; 
rev:4;) # # NATO COSMIC Top Secret Atomal #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002582; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002582; rev:4;) # # NATO Secret Atomal #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002583; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002583; rev:4;) # # NATO Secret #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002584; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002584; rev:4;) # # US Confidential, Electronic Format #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002585; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002585; rev:4;) # # US Top Secret, Electronic Format #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002586; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002586; rev:4;) # # US Secret, Electronic Format #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002587; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002587; rev:4;) # # US Confidential Authorized for Release To #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002588; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002588; rev:4;) # # US Top Secret Authorized for Release To #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002589; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002589; rev:4;) # # US Secret Authorized for Release To #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Secret REL TO"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002591; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002591; rev:4;) # # US Top Secret Comint #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002592; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002592; rev:4;) # # US Secret Comint #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Secret COMINT"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002594; rev:4;) # # US Confidential Communications Security Material #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002595; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002595; rev:4;) # # US Top Secret Communications Security Material #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Top Secret 
COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002596; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002596; rev:4;) # # US Secret Communications Security Material #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Secret COMSEC"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Secret IMCON"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002599; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002599; rev:4;) # # US Secret Critical Nuclear Weapon Design Information #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Secret CNWDI"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002601; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002601; rev:4;) # # US Secret Talent Keyhole #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Secret TK"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002603; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002603; rev:4;) # # US For Official Use Only #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002604; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002604; rev:4;) # # US Confidential Not Releasable to Foreign Nationals #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002605; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002605; rev:4;) # # US Top Secret Not Releasable to Foreign Nationals #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002606; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002606; rev:4;) # # US Secret Not Releasable to Foreign Nationals #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Secret NOFORN"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002608; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002608; rev:4;) # # US Top Secret Originator Controlled #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002609; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002609; rev:4;) # # US Secret Originator Controlled #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Secret ORCON"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002611; rev:4;) # # US Confidential Proprietary Information #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002612; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002612; rev:4;) # # US Top Secret Proprietary Information #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002613; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002613; rev:4;) # # US Secret Proprietary Information #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Secret PROPIN"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002615; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002615; rev:4;) # # US Top Secret Restricted Data #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002616; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002616; rev:4;) # # US Secret Restricted Data #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Secret RD"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002618; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002618; rev:4;) # # US Confidential Special Category #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002619; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002619; rev:4;) # # US Top Secret Special Category #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002620; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002620; rev:4;) # # US Secret Special Category #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Secret SPECAT"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002622; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002622; rev:4;) # # The word "private" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002623; rev:4;) # # The word "restricted" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Restricted"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Confidential"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Secret"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Top Secret"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002628; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002628; rev:4;) # # The word "sensitive" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Sensitive"; flow:to_server,established; pcre:"/(? 
$EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002630; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002630; rev:5;) # # The word "protected" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002631; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002631; rev:5;) # # The phrase "law enforcement sensitive" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002632; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002632; rev:5;) # # The phrase "internal use only" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002633; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002633; rev:5;) # # The phrase "date of birth" or its typical abbreviations #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002634; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; 
sid:2002634; rev:5;) # # Health Care Common Procedure Coding System (HCPCS) Codes #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002635; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002635; rev:5;) # # International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002636; rev:5;) # # Food and Drug Administration (FDA) National Drug Code (NDC) Codes #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002637; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002637; rev:5;) # # American Dental Association (ADA) Dental Procedure Codes #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002638; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002638; rev:5;) # # Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: 
(msg:"ET POLICY High Ports - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002639; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002639; rev:7;) # # American Medical Association (AMA) Current Procedural Terminology (CPT) Codes #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002640; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002640; rev:5;) # # Japan Credit Bureau Credit Card Number #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002642; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002642; rev:5;) # # The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002648; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002648; rev:5;) # # The word "appraisal" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002649; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002649; rev:5;) # # The phrase "account balance" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002650; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002650; rev:5;) # # The phrase "payment history" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002651; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002651; rev:5;) # # The phrase "annual income" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002652; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002652; rev:5;) # # The phrase "credit history" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002653; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002653; rev:5;) # # The phrase "transaction history" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002654; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002654; rev:5;)
#
# The phrase "customer list". Commented out (disabled) like the rest of the
# high-port classified-information set above; the pcre is case-insensitive,
# bounded by \W on both sides, and the optional (s)? also matches "customer lists".
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY High Ports - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002655; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Classified_Information; sid:2002655; rev:5;)
#
#by Matt Jonkman, sandnetted binary
# App on port 20000 for this casino stuff. Not malicious, but likely not allowed in most environments.
# The match is the exact client payload size (dsize:23) plus its banner string, so a
# client build with a different-length greeting will not match this rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET POLICY Club World Casino Client in Use"; flow:established,to_server; dsize:23; content:"Club World Casinos"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007754; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Club_World_Casinos; sid:2007754; rev:4;)
#by evilghost
# Coupons.com coupon printer: keyed on the outbound GET (depth:4) carrying the
# printer's fixed User-Agent plus the /ccr/default.aspx? go=/bid=xml/cid= query parameters.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Coupons.com Coupon Printer Use"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible)|0d 0a|"; uricontent:"/ccr/default.aspx?"; uricontent:"go="; uricontent:"&bid=xml&cid="; classtype:policy-violation; reference:url,coupons.com; reference:url,doc.emergingthreats.net/2009910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Coupons.com; sid:2009910; rev:5;)
#Submitted by Matt Jonkman
#These rules are disabled by default. They should generally be run on the outside of your network, not internally. Enable them where useful.
#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001375; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2001375; rev:12;) #alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001376; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2001376; rev:12;) #alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001377; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2001377; rev:12;) #alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)\d{11} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001378; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2001378; rev:12;) #alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit spaced)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{4} \d{4} \d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001379; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2001379; rev:12;) #alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2001380; rev:12;) #alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})\d{10} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001381; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2001381; rev:12;) #alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit spaced)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2}) \d{4} \d{4} \d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001382; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2001382; rev:12;) #alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit dashed)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})-\d{4}-\d{4}-\d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001383; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2001383; rev:12;) #alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{6} \d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; 
reference:url,doc.emergingthreats.net/2009293; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2009293; rev:1;) #alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{6}-\d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009294; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2009294; rev:1;) #Submitted by Joseph Gama #alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS - Standard query response, Format error"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; classtype: not-suspicious; reference:url,doc.emergingthreats.net/2001116; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_DNS_Responses; sid: 2001116; rev:4;) #alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS - Standard query response, Name Error"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; classtype: not-suspicious; reference:url,doc.emergingthreats.net/2001117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_DNS_Responses; sid: 2001117; rev:4;) #alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS - Standard query response, Not Implemented"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; classtype: not-suspicious; reference:url,doc.emergingthreats.net/2001118; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_DNS_Responses; sid: 2001118; rev:4;) #alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS - Standard query response, Refused"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; classtype: not-suspicious; reference:url,doc.emergingthreats.net/2001119; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_DNS_Responses; sid: 2001119; rev:4;) #Adapted from nextsoft.cz alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET 
POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2003195; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_DNS_Responses; sid:2003195; rev:5;)
# (sid 2003195 above, which starts on the previous line) Byte 3 of the DNS header
# holds RA/Z/AD/CD and the 4-bit RCODE; |83| is RA=1 with RCODE=3 (NXDOMAIN).
# Because it is an exact single-byte match it does not see NXDOMAIN replies with
# RA clear (|03|) or with the AD bit set (|a3|), so recursion-disabled or
# validating resolvers are a blind spot. One alert per destination once 50 such
# replies arrive within 300 seconds.
#by Myron Davis
# nstx: fixed bytes at offset 12 (first byte after the 12-byte DNS header, i.e. the
# start of the question name), then a TXT/IN question (|00 10 00 01|) followed by
# an OPT record (|00 00 29 ..|) - the EDNS0 query shape this rule attributes to nstx.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY nstx DNS Tunnel Outbound"; content:"cT"; offset:12; depth:3; content:"|00 10 00 01 00 00 29 08|"; within:255; classtype:bad-unknown; reference:url,savannah.nongnu.org/projects/nstx/; reference:url,nstx.dereference.de/nstx; reference:url,doc.emergingthreats.net/2002676; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_DNS_Tunnel_nstx; sid:2002676; rev:3;)
#Submitted by Ole-Martin
# No port restriction: every inbound established TCP stream is scanned for the DLL
# name (nocase), so any inbound transfer that carries that name matches. Classed as
# successful-admin; tune before enabling on busy links.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Dameware Remote Control Service Install"; flow: to_server,established; content:"DWRCK.DLL"; nocase; classtype: successful-admin; reference:url,doc.emergingthreats.net/2001294; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Dameware; sid: 2001294; rev:5;)
#by Jack Pepper
# Gteko/Dell remote-access client: "Windows 98" and "GtekClient" must each sit within
# 50 bytes of the preceding match; the pcre then confirms their order on one header line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"Windows 98"; within:50; content:"GtekClient"; within:50; pcre:"/User-Agent\:[^\n]+Windows 98[^\n]+GtekClient/i"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Dell_Spyware; sid:2008037; rev:2;)
# Dell MyWay agent: a Referer starting "http://dell" within the first 100 bytes and a
# Host header containing "myway.com" (nocase). The rule continues on the next line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Dell MyWay Remote control agent"; flow:established,to_server; content:"|0d 0a|Referer\: http\://dell"; depth:100; content:"|0d 0a|Host\: "; depth:250; content:"myway.com"; nocase; within:20; distance:0; classtype:not-suspicious; threshold:type
limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/2008051; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Dell_Spyware; sid:2008051; rev:2;) #for access to a local dlink router's config page. Some trojans try to access this #re 20069714fc077fe197d3fc27fa905025 alert tcp $HOME_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Dlink Soho Router Config Page Access Attempt"; flow:established,to_server; content:"GET /dlink/hwiz.html HTTP/1."; depth:30; content:"|0d 0a|Host\: "; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:attempted-admin; reference:url,doc.emergingthreats.net/2008942; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Dlink; sid:2008942; rev:4;) #by Juan Manuel Lorenzo at ossim alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Megaupload file download service access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/?d="; content:"|0d 0a|Host\: "; content:"megaupload.com"; within:25; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009301; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; sid:2009301; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Badongo file download service access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/file/"; content:"|0d 0a|Host\: "; nocase; content:"badongo.com"; nocase; within:25; content:"|0d 0a|Cookie\: badongoL="; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009302; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; sid:2009302; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY MediaFire file download service access"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/?"; content:"|0d 0a|Host\:"; nocase; content:"mediafire.com"; nocase; within:25; 
classtype:policy-violation; reference:url,doc.emergingthreats.net/2009303; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; sid:2009303; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gigasize file download service access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/get.php"; content:"|0d 0a|Host\: "; nocase; content:"gigasize.com"; nocase; within:25; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; sid:2009304; rev:2;) #by marcus at unsober #re:051892a56b8aa633fc446ec827ed1911 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; DynGate)"; classtype:policy-violation; reference:url,www.teamviewer.com/index.aspx; reference:url,doc.emergingthreats.net/2009475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Dyngate; sid:2009475; rev:3;) #Blake Hartstein of Demarc #Potentially noisy, Not recommended unless you disallow exe files. 
# written for executable virii that spread through email
# Disabled. Keys on a MIME "filename=" parameter whose value contains ".exe". The
# pcre does not anchor ".exe" to the end of the name, so "report.exe.txt" also
# matches, and RFC 2231 "filename*=" or encoded-word headers are not covered.
#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET POLICY SMTP Executable attachment"; flow:established,to_server; content:"filename="; nocase; content:".exe"; nocase; distance:0; pcre:"/filename=\s*[^\n]+\.exe/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003325; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE; sid:2003325; rev:4;)
#by dxp
# PE header shape checks. After the "MZ" match, byte_test reads the 4-byte
# little-endian value 58 bytes further on, i.e. offset 0x3C from "MZ" (e_lfanew,
# the offset of the "PE\0\0" signature), and the following content requires that
# signature inside the stated window. "MZ" carries no offset/depth, so any "MZ"
# pair in a from_server stream with a plausible value 58 bytes later satisfies the
# test. The three rules single out e_lfanew values (<128, 160, 512) presumably
# chosen as atypical of common linkers - TODO confirm against the referenced ET docs.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE under 128)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,<,128,58,relative,little; content:"PE|00 00|"; rawbytes; within:130; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE; sid:2009033; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,160,58,relative,little; content:"PE|00 00|"; rawbytes; within:162; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE; sid:2009034; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"MZ"; rawbytes; byte_test:4,=,512,58,relative,little; content:"PE|00 00|"; rawbytes; within:514; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009035; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE; sid:2009035; rev:3;)
#Matt Jonkman
# To catch generic exe downloads via http. This does not mean it's a problem, just of interest.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download via HTTP - Informational"; flow:established,to_server; uricontent:".exe"; nocase; content:"GET "; nocase; offset:0; depth:4; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003595; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_HTTP; sid:2003595; rev:3;) #to catch the common urls for storm worm downloads, etc #by Jack Pepper and Reg Quinton alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible Ecard Trojan download"; flow:established,to_server; uricontent:".exe"; nocase; pcre:"/(card|gif|jpg|jpeg|cartao)\.exe$/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006434; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_HTTP; sid:2006434; rev:6;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download without User Agent"; flow:established,to_server; content:"GET "; depth:4; uricontent:".exe"; nocase; content:!"User-Agent\:"; content:!"download.windowsupdate.com"; content:!"mms\://"; nocase; pcre:"/\.exe[^0-9A-Z_]+/Ui"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003179; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_NoUserAgent; sid:2003179; rev:7;) #by RPG, intended to catch exe's being hidden as requested BMPs alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Set flow on bmp file get"; flow:established,to_server; content:"GET "; depth:4; uricontent:".bmp"; content:".bmp HTTP/1."; flowbits:set,ET.bmp_seen; flowbits:noalert; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2009083; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_in_BMP; sid:2009083; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Trojan File Download - BMP Requested but not received"; 
flow:established,from_server; flowbits:isset,ET.bmp_seen; flowbits:unset,ET.bmp_seen; content:"200 OK"; content:"Content-Type|3a| application|2f|octet-stream"; distance:0; content:!"BM"; content:!"|00 00 00 00|"; within:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009084; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_EXE_in_BMP; sid:2009084; rev:2;) #From Charles Lacroix # All form elements are encoded before they are sent to the server # This makes things a bit more complicated to decode via snort at least # for me. This rule will trigger when a user is starting to place # an item for sale on the ebay site. # #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET POLICY eBay Bid Placed"; flow: to_server,established; uricontent:"/ws/eBayISAPI.dll/"; nocase; content:"maxbid="; nocase; content:"offer.ebay.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001898; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Ebay; sid: 2001898; rev:4;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET POLICY eBay Placing Item for sale"; flow: to_server,established; uricontent:"/ws2/eBayISAPI.dll"; nocase; content:".ebay.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001907; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Ebay; sid: 2001907; rev:4;) # Look for a single item #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET POLICY eBay View Item"; flow: to_server,established; uricontent:"/ws/eBayISAPI.dll"; nocase; content:"ViewItem"; nocase; content:".ebay.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001908; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Ebay; sid: 2001908; rev:5;) # Mark an item to watch #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET POLICY eBay Watch This Item"; flow: 
to_server,established; uricontent:"/ws/eBayISAPI.dll"; nocase; content:"MakeTrack&Item="; nocase; content:".ebay.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Ebay; sid: 2001909; rev:5;) #by evilghost alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY offers.e-centives.com Coupon Printer"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; YourApp\; AK\; Windows 95)|0d 0a|"; nocase; classtype:policy-violation; reference:url,offers.e-centives.com; reference:url,doc.emergingthreats.net/2010338; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Ecentives; sid:2010338; rev:2;) #by Marcus at unsober #re a0b153ea54ed61d1ac650f139dd86f54 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Eurobarre.us Setup User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: eurobarre "; classtype:policy-violation; nocase; reference:url,doc.emergingthreats.net/2008336; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Eurobarre; sid:2008336; rev:2;) #by Matt Jonkman # sets a flowbit for viruscatch.co.kr related, win32.small.hvd and others alert tcp $EXTERNAL_NET 3306 -> $HOME_NET any (msg:"ET POLICY External MYSQL Server Connection"; flow:from_server,established; content:"|00|"; depth:1; offset:3; flowbits:set,EText.mysql.greeting; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008572; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_External_Mysql_Servers; sid:2008572; rev:2;) #by Steven Adair at securityzone.org #Rule to catch all FTP logins that do not start with "anonymous" or "ftp" # and do not contain "pass " (pass followed by a space). 
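# -steven@securityzone
# 2003303 now sets ET.ftp.user.login so that 2003410 below, which requires
# flowbits:isset,ET.ftp.user.login, can fire on the server's 230 reply; no rule
# visible in this section set that bit before. USER is matched nocase to agree
# with the case-insensitive pcre (FTP commands are not case sensitive). rev 3 -> 4.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Login Attempt (non-anonymous)"; flow:to_server,established; content:"USER"; nocase; content:!"PASS "; nocase; pcre:!"/^USER\s+(anonymous|ftp)/smi"; flowbits:set,ET.ftp.user.login; classtype:misc-activity; reference:url,doc.emergingthreats.net/2003303; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_FTP_Login; sid:2003303; rev:4;)
#By CunningPike
# Fires once per session (ftp.user.logged_in latch) on a "230 " reply when the
# session was flagged by 2003303 and the reply does not name anonymous/ftp.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET POLICY FTP Login Successful (non-anonymous)"; flow:from_server,established; flowbits:isset,ET.ftp.user.login; flowbits:isnotset,ftp.user.logged_in; flowbits:set,ftp.user.logged_in; content:"230 "; pcre:!"/^230(\s+USER)?\s+(anonymous|ftp)/smi"; classtype:misc-activity; reference:url,doc.emergingthreats.net/2003410; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_FTP_Login; sid:2003410; rev:7;)
#by jack pepper
# Disabled. Three "USER Administrator" / "USER Admin" attempts from one source
# within 30 seconds; the trailing |0d0a| requires the bare username with nothing after it.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Frequent Administrator Login Attempts"; flow:to_server,established; content:"USER Administrator|0d0a|"; nocase; threshold: type threshold, track by_src, count 3, seconds 30; classtype:attempted-admin; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_FTP_Login; reference:url,doc.emergingthreats.net/2009667; sid:2009667; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Frequent Admin Login Attempts"; flow:to_server,established; content:"USER Admin|0d0a|"; nocase; threshold: type threshold, track by_src, count 3, seconds 30; classtype:attempted-admin; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_FTP_Login; reference:url,doc.emergingthreats.net/2009668; sid:2009668; rev:2;)
#matt jonkman
# FTP command vocabulary on ports 22-1024 where no FTP control channel is expected;
# dsize pins the exact command length. Rule 2008589 continues on the next line.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22:1024 (msg:"ET POLICY FTP Conversation on Low Port - Likely Hostile (TYPE A)"; flow:established,to_server; dsize:6; content:"TYPE "; depth:5; classtype:trojan-activity;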
reference:url,doc.emergingthreats.net/2008589; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_FTP_Off_Ports; sid:2008589; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 22:1024 (msg:"ET POLICY FTP Conversation on Low Port - Likely Hostile (PASV)"; flow:established,to_server; dsize:4; content:"PASV"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008590; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_FTP_Off_Ports; sid:2008590; rev:2;) #by SpOoKeR alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Facebook Chat (send message)"; flow:established,to_server;content:"POST "; depth:5; uricontent:"/ajax/chat/send.php"; content:"|0d 0a|Host\: "; content:"facebook.com|0d 0a|"; within:20; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat; sid:2010784; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Facebook Chat (buddy list)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ajax/chat/buddy_list.php"; content:"|0d 0a|Host\: "; content:"facebook.com|0d 0a|"; within:20; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010785; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat; sid:2010785; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Facebook Chat (settings)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ajax/chat/settings.php"; content:"|0d 0a|Host\: "; content:"facebook.com|0d 0a|"; within:20; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010786; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat; sid:2010786; rev:2;) #by rodrigo and joel esler alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET POLICY Facebook Chat using XMPP"; 
flow:to_server,established; content:"chat.facebook.com"; nocase; content:"jabber|3A|client"; nocase; distance:9; within:13; threshold: type limit, track by_src, count 1, seconds 60; reference:url,www.facebook.com/sitetour/chat.php; reference:url,doc.emergingthreats.net/2010819; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Facebook_Chat; classtype:policy-violation; sid:2010819; rev:4;)
#by Will Metcalf
# sid 2007639: "QSP <n>:<n>" User-Agent used by the FOX/ABC on-demand video client;
# a bandwidth/acceptable-use policy match, not a threat indicator.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY FOX,ABC On-demand UA"; flow:to_server,established; content:"User-Agent\: QSP"; nocase; pcre:"/User-Agent\:[^\n]+QSP\s*\d+\:\d+\s*/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007639; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Fox_ABC_On_Demand; sid:2007639; rev:4;)
#by Sandro Reis
# sids 2008744-2008748: outbound DNS queries for w61..w65.ziyoulonglive.com,
# names the author attributes to FreeGate, matched as raw wire-format labels
# (|03|w6N|0d|ziyoulonglive|03|com|00|). UDP, so there is no flow state; the names
# are hard-coded and can go stale. Rate-limited per source.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 31 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008744; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_FreeGate; sid:2008744; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 32 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008745; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_FreeGate; sid:2008745; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 33 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008746;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_FreeGate; sid:2008746; rev:2;)
# sids 2008747/2008748: w64 / w65.ziyoulonglive.com, same wire-format DNS label match.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 34 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008747; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_FreeGate; sid:2008747; rev:2;)
# NOTE(review): threshold count 3 here versus count 1 in the four sibling rules;
# looks like unintentional drift -- verify which is wanted.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 35 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 3, seconds 30; reference:url,doc.emergingthreats.net/2008748; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_FreeGate; sid:2008748; rev:3;)
#by Jamian Mason of Deepnines.com
# sid 2003456: cleartext requests with Host: www.gazzag.com. threshold "both" 5/300s:
# one alert per source, and only once five requests are seen in five minutes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gazzag.com Social Site Access"; flow:established,to_server; content:"Host\: www.gazzag.com"; threshold: type both, track by_src, count 5, seconds 300; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003456; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Gazzag.com; sid:2003456; rev:3;)
# Submitted 2006-10-17 by Adam Nunn
# sids 2003121/2003122: Google Docs use (document upload to a third party).
# NOTE(review): both are pinned to port 80 rather than $HTTP_PORTS, unlike the
# neighbouring rules, and see nothing over TLS.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY docs.google.com Activity"; flow:established,to_server; content:"Host|3a| docs.google.com"; nocase; classtype:policy-violation; reference:url,docs.google.com; reference:url,doc.emergingthreats.net/2003121; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Google; sid:2003121; rev:4;)
# sid 2003122: the WRITELY_SID cookie/token name anywhere in a port-80 request.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY Possible docs.google.com Activity"; flow:established,to_server; content:"WRITELY_SID"; nocase; classtype:policy-violation;
reference:url,docs.google.com; reference:url,doc.emergingthreats.net/2003122; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Google; sid:2003122; rev:4;)
# Matt Jonkman
# Google calendar in the news as most entries are public
# I'm sure it's a good calendar, but folks have to realize what's public and what's not
# sid 2003597 (disabled): GET /calendar/ with Host: www.google.com, once per source per 60s.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Calendar in Use"; flow:established,to_server; uricontent:"/calendar/"; content:"GET /calendar/"; rawbytes; offset:0; content:"Host\: www.google.com|0d 0a|"; nocase; threshold:type both, count 1, seconds 60, track by_src; classtype:policy-violation; reference:url,www.computerworld.com.au/index.php?id=1687889918&eid=-255; reference:url,doc.emergingthreats.net/2003597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Google; sid:2003597; rev:3;)
#by will metcalf
# sid 2008050: POST to the Google Groups adult-content confirmation page, Host pinned
# to groups.google.com. Acceptable-use signal; cleartext only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Likely Google Groups pr0n Access"; flow:to_server,established; content:"POST "; depth:5; uricontent:"/groups/adult_confirm"; nocase; content:"|0d 0a|Host\: groups.google.com|0d 0a|"; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008050; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Google; sid:2008050; rev:2;)
# Submitted by Michael Holstein, 2006-02-13. Reference from scheidell
# sid 2002801: the Google Desktop User-Agent on outbound HTTP; the policy concern is
# described in the referenced news article. One alert per source per 360s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Desktop User-Agent Detected"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0 (compatible\; Google Desktop)"; nocase; threshold: type limit, count 1, seconds 360, track by_src; classtype:policy-violation; reference:url,news.com.com/2100-1032_3-6038197.html; reference:url,doc.emergingthreats.net/2002801; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Google; sid:2002801; rev:7;)
# Submitted 2006-02-28 by Mark Warren.
# For Google appliances that "should" only spider internal web sites (but sometimes go wild and spider the Internet)
# sid 2002838: an internal Google Search Appliance (gsa-crawler UA) fetching
# external pages -- per the author it should only index internal sites.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Search Appliance browsing the Internet"; flow:to_server,established; content:"GET "; depth:4; content:"User-Agent|3A| gsa-crawler"; nocase; reference:url,www.google.com/enterprise/gsa/index.html; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2002838; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Google; sid:2002838; rev:7;)
#By Matt Jonkman. Reviving this rule as it's been dropped from the snort.org rulesets.
# sid 2000309: GotoMyPC remote-access polling. No content match at all -- any
# established TCP flow to the hard-coded poller IP 66.151.158.177 alerts (one per
# source per 360s). Hard-coded vendor IPs go stale; verify before deploying.
alert tcp $HOME_NET any -> 66.151.158.177 any (msg:"ET POLICY GotoMyPC Polling Client"; flow: established; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000309; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_GotoMyPC; sid: 2000309; rev:8;)
#This intends to be a more intelligent version of the old gotomypc rule, eventually to replace the old if it catches everything
# sid 2002022: the poll server's reply ("cnt=0" and "eventid=" within the first 40
# bytes) from 66.151.158.177:8200 -- same stale-IP caveat as above.
alert tcp 66.151.158.177 8200 -> $HOME_NET any (msg:"ET POLICY GotoMyPC poll.gotomypc.com Server Response to Polling Client OK"; flow: established,from_server; content:"cnt=0"; nocase; depth: 40; content:"eventid="; nocase; depth: 40; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2002022; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_GotoMyPC; sid: 2002022; rev:4;)
#by Mikael Keri
# Groove is a legitimate application, but may not be approved in all environments.
# Use these rules only if appropriate
# sids 2003599/2003600: Groove installer/startup reports, identified by User-Agent
# in the first 200 bytes of the request (offset:0; depth:200).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Groove.net Virtual Office Suite Install/Startup Report"; flow:established,to_server; content:"User-Agent\: GrooveInstallValidator|0d 0a|"; depth:200; offset:0; classtype:policy-violation; reference:url,www.groove.net; reference:url,doc.emergingthreats.net/bin/view/Main/GrooveNet; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Groove.net; sid:2003599; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Groove.net Virtual Office Suite Install Report"; flow:established,to_server; content:"User-Agent\: Groove Install|0d 0a|"; depth:200; offset:0; classtype:policy-violation; reference:url,www.groove.net; reference:url,doc.emergingthreats.net/bin/view/Main/GrooveNet; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Groove.net; sid:2003600; rev:4;)
# sid 2003601: Groove "dpp://" peer traffic. Note "any 2492 -> any 2492": both source
# and destination must be 2492, and it is not limited to $HOME_NET/$EXTERNAL_NET,
# so purely internal peer-to-peer sessions alert too.
alert tcp any 2492 -> any 2492 (msg:"ET POLICY Groove.net Virtual Office In Use"; flow:established,to_server; content:"dpp\://"; nocase; content:"groove.net"; nocase; distance:0; classtype:policy-violation; reference:url,www.groove.net; reference:url,doc.emergingthreats.net/bin/view/Main/GrooveNet; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Groove.net; sid:2003601; rev:4;)
# sid 2003602: the same "dpp://" marker in a UDP broadcast to 255.255.255.255:1211
# (local service discovery); no flow keyword since it is connectionless.
alert udp $HOME_NET any -> 255.255.255.255 1211 (msg:"ET POLICY Groove.net Virtual Office Local Service Discovery Broadcast"; content:"dpp\://"; nocase; content:"groove.net"; nocase; distance:0; classtype:policy-violation; reference:url,www.groove.net; reference:url,doc.emergingthreats.net/bin/view/Main/GrooveNet; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Groove.net; sid:2003602; rev:4;)
# Submitted 2006-08-30 by Robert Sharp
# sid 2003092 (disabled): Gmail web chat, bidirectional, matched by a single
# unanchored pcre with no content prefilter -- costly to run, which is one reason
# to leave it off.
#alert tcp $HOME_NET any <> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gmail gtalk"; flow:established; pcre:"/\[\[\d{1,3}\,\[\\\"\w\\\"\,\\\".+@gmail.com.+\\\"\,\\\"/i";
classtype:policy-violation; reference:url,doc.emergingthreats.net/2003092; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Gtalk; sid:2003092; rev:3;)
#Submitted by Matt Jonkman
# hotmail has changed, obsoleting these
# to be deleted
# sids 2000035-2000038 (disabled): legacy hotmail.msn.com /cgi-bin/ paths; keep off,
# the live versions of these rules follow below.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Inbox Access"; flow: to_server,established; content:"hotmail.msn.com"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/HoTMaiL\?curmbox=/i"; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000035; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HOTMAIL_Mail_Use; sid: 2000035; rev:12;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Message Access"; flow: to_server,established; content:"hotmail.msn.com"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/getmsg\?msg=MSG/i"; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HOTMAIL_Mail_Use; sid: 2000036; rev:12;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Compose Message Access"; flow: to_server,established; content:"curmbox="; nocase; content:"hotmail.msn.com"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/compose\?/i"; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000037; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HOTMAIL_Mail_Use; sid: 2000037; rev:12;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Compose Message Submit"; flow: to_server,established; content:"hotmail.msn.com"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/premail/i"; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000038; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HOTMAIL_Mail_Use; sid: 2000038; rev:11;)
# sid 2000039 (disabled): legacy Hotmail form-field names; obsolete like the rules above.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Compose Message Submit Data"; flow: to_server,established; content:"curmbox="; nocase; content:"login="; nocase; content:"msghdrid"; nocase; content:"sigflag="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000039; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HOTMAIL_Mail_Use; sid: 2000039; rev:9;)
#by Rouke de Jong
# sids 2008238-2008241: Hotmail (mail.live.com) inbox / read / compose / send over
# cleartext HTTP. "mail.live.com" is matched anywhere in the request, not pinned to
# the Host header. Webmail is a common data-exfiltration path, hence the send rule.
# NOTE(review): nocase is applied to the host string only on 2008240/2008241, so
# the inbox/read rules are case-sensitive -- probably unintended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Inbox Access"; flow:to_server,established; content:"GET "; depth:4; content:"mail.live.com"; uricontent:"/mail/InboxLight.aspx"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008238; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HOTMAIL_Mail_Use; sid:2008238; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Message Access"; flow:to_server,established; content:"GET "; depth:4; content:"mail.live.com"; uricontent:"/mail/ReadMessageLight.aspx"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008239; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HOTMAIL_Mail_Use; sid:2008239; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Compose Message Access"; flow:to_server,established; content:"GET "; depth:4; content:"mail.live.com"; nocase; uricontent:"/mail/EditMessageLight.aspx"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008240; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HOTMAIL_Mail_Use; sid:2008240; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Compose Message Submit"; flow:to_server,established; content:"POST "; depth:5; content:"mail.live.com"; nocase; uricontent:"SendMessageLight.aspx"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008241;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HOTMAIL_Mail_Use; sid:2008241; rev:2;)
# In "full" mode the individual inbox / compose-message rules above cannot be
# applied, so sid 2008242 catches the single application entry point instead:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Access Full Mode"; flow:to_server,established; content:"GET "; depth:4; content:"mail.live.com"; uricontent:"/mail/ApplicationMain"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008242; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HOTMAIL_Mail_Use; sid:2008242; rev:2;)
#by Kevin Ross
# sid 2009535: an internal HP JetDirect answered a telnet session with "Password is
# not set" -- an unauthenticated management interface reachable by whoever connected
# ("$HOME_NET 23 -> any any", so internal clients count too). Worth treating as a
# configuration finding rather than plain misc-activity.
# NOTE(review): the second content mixes absolute offset/depth with a relative
# distance on one match; confirm your engine accepts that combination as intended.
alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Telnet to HP JetDirect Printer With No Password Set"; flow:to_client,established; content:"HP JetDirect"; content:"Password is not set"; offset:40; depth:30; distance:2; classtype:misc-activity; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999#A3; reference:url,doc.emergingthreats.net/2009535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HPJetDirect; sid:2009535; rev:2;)
# sid 2009536: an external client reached an internal JetDirect FTP print service
# (banner match). Printer services exposed to the Internet are rarely intended;
# same offset/depth-plus-distance caveat as above.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET POLICY External FTP Connection TO Local HP JetDirect Printer"; flow:to_client,established; content:"Hewlett-Packard FTP Print Server Version"; content:"To print a file, use the command\: put [portx]"; offset:40; distance:80; depth:190; classtype:misc-activity; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj06165; reference:url,doc.emergingthreats.net/2009536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HPJetDirect; sid:2009536; rev:2;)
#Submitted by Thomas Alex
# sid 2001055: inbound request for the HP Web JetAdmin content.hts script with
# "ExecuteFile" -- the access path tracked as bugtraq 10224; attempted-admin.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"ET MISC HP Web JetAdmin ExecuteFile admin access"; flow: to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype: attempted-admin;
reference:url,doc.emergingthreats.net/2001055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HP_Web_Jetadmin_Executefile_Access; sid: 2001055; rev:6;)
#by Jaime Blasco
# sid 2009243: HSRP (UDP 1985 to the all-routers group 224.0.0.2) with |00 04| in the
# first three header bytes. HSRP hijacking (the referenced packetlife post) works by
# injecting a higher-priority Hello, so a hit from an unexpected source is a possible
# gateway takeover, not just a topology event.
# NOTE(review): confirm the byte pattern against the HSRPv1 header layout
# (version, opcode, state) -- it should pin the transition the msg describes.
alert udp any 1985 -> 224.0.0.2 1985 (msg:"ET POLICY HSRP Active Router Changed"; content:"|00 04|"; depth:3; classtype:bad-unknown; reference:url,packetlife.net/blog/2008/oct/27/hijacking-hsrp/; reference:url,doc.emergingthreats.net/2009243; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HSRP_Change; sid:2009243; rev:2;)
#Matt Jonkman
# sid 2008284: an external client issuing HTTP CONNECT to an internal host on a
# port outside $HTTP_PORTS -- someone probing for (or using) an internal host as
# an open proxy / tunnel endpoint.
alert tcp $EXTERNAL_NET any -> $HOME_NET !$HTTP_PORTS (msg:"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port"; flow:to_server,established; content:"CONNECT "; nocase; depth:8; content:" HTTP/1."; nocase; within:1000; classtype:misc-activity; reference:url,doc.emergingthreats.net/2008284; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HTTP_Tunneling_via_Proxy; sid:2008284; rev:3;)
#Submitted by Jason
# sids 2000560/2008330 (disabled): CONNECT whose target port is neither :80 nor :443
# (negative-distance look-backs before "HTTP/1."), inbound and outbound.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Inbound"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"\:80"; within: 4; distance: -11; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"\:443"; within: 5; distance: -12; classtype: misc-activity; reference:url,doc.emergingthreats.net/2000560; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HTTP_Tunneling_via_Proxy; sid: 2000560; rev:9;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Outbound"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"\:80"; within: 4; distance: -11; content:"CONNECT "; nocase;
content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"\:443"; within: 5; distance: -12; classtype: misc-activity; reference:url,doc.emergingthreats.net/2008330; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HTTP_Tunneling_via_Proxy; sid: 2008330; rev:10;)
#by Sandro Reis
# sids 2008842/2008843: HTTP-Tunnel anonymising-proxy client bootstrap, high port to
# high port (1024:), with the request anchored at the start of the payload by depth.
# A hit means a host is setting up a tunnel that bypasses the egress proxy/filter.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access"; flow:established,to_server; content:"GET /login/FetchProtocolVersion2.htm"; depth:36; classtype:policy-violation; threshold:type limit, track by_src,count 5, seconds 30; reference:url,doc.emergingthreats.net/2008842; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HTTP_Tunneling_via_Proxy; sid:2008842; rev:3;)
# NOTE(review): the request line here has no leading slash ("GET login/..."), as the
# author observed it; confirm against current client traffic before relying on it.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download)"; flow:established,to_server; content:"GET login/fetchFreeServersVersion2.aspx"; depth:39; classtype:policy-violation; threshold:type limit, track by_src,count 5, seconds 30; reference:url,doc.emergingthreats.net/2008843; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HTTP_Tunneling_via_Proxy; sid:2008843; rev:3;)
#idea from Blake Hartstein, use these only if you like.
# Not a definite indication of hostile activity
#add a pass rule like below for any expected ports you use that are not listed
# sid 2006407 (disabled): allow-list pattern -- a pass rule that sets BS.HTTP.ok for
# known-good ports so the two alert rules below stay quiet for them.
# NOTE(review): this only works if the engine evaluates pass rules before alert
# rules (the default rule order in current Snort; older builds needed -o) -- verify.
#pass tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET POLICY HTTP GET on Normal Port 8080 - Passing"; flow:established,to_server; content:"GET "; nocase; depth:4; offset:0; flowbits:set,BS.HTTP.ok; flowbits:noalert; classtype:policy-violation; reference:url,doc.emergingthreats.net/2006407; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HTTP_on_Off_Ports; sid:2006407; rev:3;)
# sids 2006408/2006409 (disabled): outbound GET/POST to any port 81-65535 not
# flagged ok -- HTTP on non-standard ports is a common C2/tunnel trait, but also
# a lot of legitimate traffic, hence disabled.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET POLICY HTTP GET on unusual Port Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"GET "; nocase; depth:4; classtype:policy-violation; reference:url,doc.emergingthreats.net/2006408; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HTTP_on_Off_Ports; sid:2006408; rev:4;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET POLICY HTTP POST on unusual Port Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"POST "; nocase; depth:5; classtype:policy-violation; reference:url,doc.emergingthreats.net/2006409; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HTTP_on_Off_Ports; sid:2006409; rev:4;)
#by Dajackman
# sid 2002729: outbound Hamachi VPN setup -- a peer-to-peer tunnel that bypasses the
# perimeter. flags:S,12 matches the SYN alone (ignoring the two reserved bits) with no
# flow keyword, so a single SYN to the hard-coded mediation servers fires (limited to
# one per source per 120s). The IPs can change; verify before deploying.
alert tcp $HOME_NET any -> [64.34.106.33,64.94.18.67] 12975 (msg:"ET POLICY Outbound Hamachi VPN Connection Attempt"; flags:S,12; threshold:type limit, track by_src, count 1, seconds 120; classtype:policy-violation; reference:url,www.hamachi.cc; reference:url,doc.emergingthreats.net/2002729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Hamachi_VPN; sid:2002729; rev:4;)
#by Jamian Mason of Deepnines.com
# sid 2003455: cleartext requests with Host: www.hi5.com; threshold "both" 5/300s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hi5.com Social Site Access"; flow:established,to_server; content:"Host\: www.hi5.com"; threshold: type both, track by_src, count 5, seconds 300;
classtype:policy-violation; reference:url,doc.emergingthreats.net/2003455; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Hi5.com; sid:2003455; rev:3;)
#Dutch myspace style social networking site. Not a security threat, just a generally not permissible thing for the workplace
# by Cees Elzinga
# Both hyves.nl and hyves.net are used, so check for "hyves."
# sids 2007627-2007631: Hyves login / inbox / message / compose / send over cleartext
# HTTP. The login rule matches the login_username form field, i.e. credentials
# leaving the network unencrypted.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Login Attempt"; flow:established,to_server; content:"Host\: www.hyves."; content:"login_username"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007627; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Hyves; sid:2007627; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Inbox Access"; flow:established,to_server; content:"Host\: www.hyves."; uricontent:"/messages/inbox/"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007628; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Hyves; sid:2007628; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Message Access"; flow:established,to_server; content:"Host\: www.hyves."; uricontent:"/messages/inbox/messages/"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007629; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Hyves; sid:2007629; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Compose Message"; flow:established,to_server; content:"Host\: www.hyves."; uricontent:"index.php?l1=mg"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007630; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Hyves; sid:2007630; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Message Submit"; flow:established,to_server; content:"Host\: www.hyves."; uricontent:"/messages/";
content:"POST /messages/"; content:"postman_secret"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007631; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Hyves; sid:2007631; rev:4;)
#by jack pepper
#disabled by default, but run it if you have your old IE under control
# sid 2010706 (disabled): MSIE 6.0 User-Agent -- an unsupported browser is an
# exploit-kit target; one alert per source per 180s if enabled.
#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET USER_AGENTS Internet Explorer 6 in use - Significant Security Risk"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\;"; threshold: type limit, track by_src, seconds 180, count 1; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010706; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IE6; sid:2010706; rev:2;)
#by Matt Jonkman, reference at http://piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html
# sid 2008295: Gadu-Gadu client asking appmsg.gadu-gadu.* for a chat server over
# HTTP; the uricontent matches are unordered, they only have to all be present.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gadu-Gadu IM Login Server Request"; flow:established,to_server; uricontent:"/appsvc/appmsg"; nocase; uricontent:".asp"; nocase; uricontent:"fmnumber="; uricontent:"&version="; uricontent:"&fmt="; content:"|0d 0a|Host\: appmsg.gadu-gadu."; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008295; rev:4;)
# sid 2008297: start of the Gadu-Gadu session state machine. A 12-byte packet from
# the server on 8074 with 4-byte little-endian type 0x01 sets ET.gadu.welcome; every
# later GaduGadu rule is gated on a flowbit from this chain, so the bare 4-byte
# type values cannot fire on unrelated traffic.
alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET POLICY GaduGadu Chat Server Welcome Packet"; flow:established,from_server; dsize:12; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.gadu.welcome; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008297; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008297; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET POLICY GaduGadu
# sid 2008298: client login packet (type 0x15, under 50 bytes) after the welcome;
# sets ET.gadu.loginsent.
Chat Client Login Packet"; flowbits:isset,ET.gadu.welcome; flow:established,to_server; dsize:<50; content:"|15 00 00 00|"; depth:4; flowbits:set,ET.gadu.loginsent; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008298; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008298; rev:3;)
# sid 2008299: 8-byte login-OK reply (type 0x03) after a login was sent; sets
# ET.gadu.loggedin, the gate for all the message/file rules that follow.
alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET POLICY GaduGadu Chat Server Login OK Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; dsize:8; content:"|03 00 00 00 00 00 00 00|"; flowbits:set,ET.gadu.loggedin; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008299; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008299; rev:3;)
# sid 2008300: 8-byte login-failed reply (type 0x09); repeated hits from one host
# are a credential-guessing signal.
alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET POLICY GaduGadu Chat Server Login Failed Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; dsize:8; content:"|09 00 00 00 00 00 00 00|"; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008300; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008300; rev:3;)
# sid 2008301: client "available" status (type 0x02) once logged in.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET POLICY GaduGadu Chat Server Available Status Packet"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|02 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008301; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008301; rev:3;)
# sid 2008302: outbound chat message (type 0x0b).
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET POLICY GaduGadu Chat Send Message";
flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|0b 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008302; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008302; rev:3;)
# sids 2008303-2008305: inbound message (0x0a), keepalive PING (0x08) and PONG (0x07).
# The keepalive rules are noisy on a live session; consider a threshold if you only
# want presence, not every heartbeat.
alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET POLICY GaduGadu Chat Receive Message"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|0a 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008303; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008303; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET POLICY GaduGadu Chat Keepalive PING"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|08 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008304; rev:3;)
alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET POLICY GaduGadu Chat Keepalive PONG"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|07 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008305; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008305; rev:3;)
# sid 2008306: client file-send request (type 0x01 from the client). Same numeric
# type as the server welcome packet; only the loggedin gate and direction separate
# them. File transfer over IM is the data-exfil case in this family.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET POLICY GaduGadu Chat File Send Request"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|01 00 00 00|"; depth:4;
reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008306; rev:3;)
# sids 2008307-2008309: file-send details (0x03 from client), accept (0x06 from
# server) and begin (0x03 from server).
# NOTE(review): sid 2008309 shares its 4-byte prefix with the login-OK packet
# (sid 2008299, 0x03, dsize:8); once loggedin is set any later 0x03 server packet
# lands here -- check the protocol doc if you see double-fires.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET POLICY GaduGadu Chat File Send Details"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|03 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008307; rev:3;)
alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET POLICY GaduGadu Chat File Send Accept"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|06 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008308; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008308; rev:3;)
alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET POLICY GaduGadu Chat File Send Begin"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|03 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008309; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_GaduGadu; sid:2008309; rev:3;)
#By Merphie from the forums
# sids 2001801-2001805: ICQ/OSCAR on 5190, keyed on the FLAP header (|2A 02| = data
# channel) plus fixed bytes at offsets 4-9. Assuming standard 6-byte FLAP framing,
# bytes 4-5 are the FLAP data length, so each rule is pinned to one exact packet
# size -- confirm against a current client before relying on them.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET POLICY ICQ Status Invisible"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|001900130005|"; offset: 4; depth: 6; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001801;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_ICQ; sid: 2001801; rev:5;)
# sids 2001802/2001803: two ICQ status-change packets (same FLAP + fixed-bytes scheme).
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET POLICY ICQ Status Change (1)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|000E00010011|"; offset: 4; depth: 6; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001802; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_ICQ; sid: 2001802; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET POLICY ICQ Status Change (2)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|00120001001E|"; offset: 4; depth: 6; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001803; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_ICQ; sid: 2001803; rev:6;)
# sid 2001804: ICQ login on the FLAP new-connection channel (|2A 01|).
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET POLICY ICQ Login"; flow: from_client,established; content:"|2A01|"; depth: 2; content:"|00010001|"; offset: 8; depth: 4; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001804; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_ICQ; sid: 2001804; rev:5;)
# sid 2001805: ICQ message, bidirectional and on any port ("<>" any/any), unlike
# its siblings; cheap because the match is at a fixed offset, but broad.
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET POLICY ICQ Message"; flow: established; content:"|2A02|"; depth: 2; content:"|000400060000|"; offset: 6; depth: 6; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001805; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_ICQ; sid: 2001805; rev:5;)
#Matt Jonkman
# sid 2002986: ICQ installer pulled straight from the /pub/ICQ_Win95_98_NT4/ path
# rather than via the normal installer flow -- per the msg, not the usual install mode.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY ICQ Install Direct download - Not normal mode of install"; flow:established,to_server; uricontent:"/pub/ICQ_Win95_98_NT4/"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2002986; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_ICQ; sid:2002986; rev:3;)
#matt jonkman
alert tcp $HOME_NET any ->
$EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY ICP Email Send via HTTP - Often Trojan Install Reports"; flow:established,to_server; uricontent:"/friendship/email_thank_you.php?"; nocase; uricontent:"folder_id="; nocase; uricontent:"¶ms_count="; nocase; uricontent:"&nick_name="; nocase; uricontent:"&user_email="; nocase; uricontent:"&user_uin="; nocase; uricontent:"&friend_nickname="; nocase; uricontent:"&friend_contact="; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008351; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_ICQ; sid:2008351; rev:2;) #by Mark Tombaugh alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET POLICY Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; reference:url,doc.emergingthreats.net/2002327; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Jabber; sid:2002327; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Google Talk TLS Client Traffic"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; reference:url,doc.emergingthreats.net/2002330; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Jabber; sid:2002330; rev:4;) #by Brad Doctor alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google IM traffic Windows client user sign-on"; flow:to_server; content:"ms\:xml\:ns\:xmpp-s"; content:"X-GOOGLE-TOKEN\">"; classtype:policy-violation; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002332; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Jabber; sid:2002332; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY 
Google IM traffic friend invited"; flow:to_server; content:"\"> $EXTERNAL_NET 5222 (msg:"ET POLICY Google IM traffic Jabber client sign-on"; flow:to_server; pcre:"/gmail.com/i"; pcre:"/jabber.org/i"; pcre:"/version=/"; classtype:policy-violation; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002334; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Jabber; sid:2002334; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google IM traffic Windows client user sign-off"; flow:to_server; content:"|3C 2F|stream\:s"; content:"tream>"; classtype:policy-violation; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002335; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Jabber; sid:2002335; rev:6;) #Submitted by Joel Esler alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer request"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; distance: 0; content:"text/x-msmsgsinvite"; nocase; distance: 0; content:"Application-Name|3A|"; content:"File Transfer"; nocase; distance: 0; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001241; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_MSN; sid: 2001241; rev:5;) alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer accept"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance: 1; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001242; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_MSN; sid: 2001242; rev:5;) alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer reject"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; 
content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance: 0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; nocase; distance: 0; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001243; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_MSN; sid: 2001243; rev:5;) #Matt Jonkman, more msn alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY MSN IM Poll via HTTP"; flow: established,to_server; uricontent:"/gateway/gateway.dll?Action=poll&SessionID="; nocase; threshold: type limit, track by_src, count 10, seconds 3600; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001682; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_MSN; sid: 2001682; rev:8;) #Submitted by Scott Melnick alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MSN status change"; flow:established,to_server; content:"CHG "; depth:55; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002192; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_MSN; sid:2002192; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "ET POLICY MSN Game Loading"; flow:established,to_server; content:"|6D 73 6E 67 61 6D 65 2E 61 73 70 78|"; depth:90; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002312; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_MSN; sid:2002312; rev:4;) #by Sp0oker alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"ET POLICY Possible MSN Messenger File Transfer"; flow:established,from_client; content:"x-msnmsgrp2p"; nocase; content:"appid\:"; nocase; pcre:"/appid\:\s+2/i"; reference:url,www.hypothetic.org/docs/msn/client/file_transfer.php; classtype: policy-violation; reference:url,doc.emergingthreats.net/2008289; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_MSN; sid:2008289; rev:4;) #bu Jaime 
Blasco alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET POLICY General MSN Chat Activity"; flow: established; content:"|0d 0a|Content-Type|3A|"; content:"application/x-msn-messenger"; distance:0; classtype:policy-violation; reference:url,www.hypothetic.org/docs/msn/general/http_examples.php; reference:url,doc.emergingthreats.net/2009375; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_MSN; sid:2009375; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MSN User-Agent Activity"; flow:established,to_server; content:"|0d 0a|User-Agent\: MSMSGS"; nocase; classtype:policy-violation; reference:url,www.hypothetic.org/docs/msn/general/http_examples.php; reference:url,doc.emergingthreats.net/2009376; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_MSN; sid:2009376; rev:2;) #Submitted by Joel Esler alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 01|"; offset: 10; depth: 2; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001253; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2001253; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM voicechat"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|J"; offset: 10; depth: 2; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001254; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2001254; rev:5;) #Commenting out, duplicated in Snort.org set #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM ping"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 12|"; offset: 10; depth: 2; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001255; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2001255; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference invitation"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 18|"; offset: 10; depth: 2; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001256; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2001256; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference logon success"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 19|"; offset: 10; depth: 2; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001257; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2001257; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference message"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 1D|"; offset: 10; depth: 2; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001258; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2001258; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM Unavailable Status"; flow: to_server,established; content:"|59 47 00 0b 00 00 00 00 00 12 00 00 00 00|"; depth: 55; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001427; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2001427; rev:5;) alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM file transfer request"; flow: established; content:"YMSG"; nocase; depth: 4; content:"|00|M"; offset: 10; depth: 2; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001259; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2001259; rev:6;) #alert tcp 
$HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM message"; flow: established; content:"YMSG"; depth: 4; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001260; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2001260; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 98|"; offset: 10; depth: 2; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001261; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2001261; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference offer invitation"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|P"; offset: 10; depth: 2; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2001262; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference request"; flow: to_server,established; content:" $HOME_NET any (msg:"ET CHAT Yahoo IM conference watch"; flow: from_server,established; content:"|0D 00 05 00|"; depth: 4; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001264; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2001264; rev:5;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Yahoo IM Client Install"; flow: to_server,established; uricontent:"/ycontent/stats.php?version="; nocase; uricontent:"EVENT=InstallBegin"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2002659; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid: 2002659; rev:4;) #by Chris Newton alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"ET POLICY Yahoo Chat 
Signin Inside Webmail"; flow:established,to_server; content:"content-length\:"; nocase; depth:15; content:" $HOME_NET any (msg:"ET POLICY Yahoo Chat Signin Success Inside Webmail"; flow:established,to_server; content:"content-length\:"; nocase; depth:15; content:" $HOME_NET any (msg:"ET POLICY Yahoo Chat Activity Inside Webmail"; flow:established,to_server; content:"content-length\:"; nocase; depth:15; content:" $HOME_NET any (msg:"ET POLICY Yahoo Chat Activity Inside Webmail (2)"; flow:established,to_server; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection"; flow:established,to_server; uricontent:"/automation/n09230945.asp"; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2008985; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check; sid:2008985; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; content:".whatismyip."; within:15; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2008986; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check; sid:2008986; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; content:".showip."; within:15; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2008987; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check; sid:2008987; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 
0a|Host\: "; content:".cmyip."; within:12; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2008988; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check; sid:2008988; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; content:".showmyip."; within:15; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2008989; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check; sid:2008989; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; content:".ipchicken.com"; within:25; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009020; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IP_Check; sid:2009020; rev:2;) #Submitted by Vernon Stark alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; classtype: misc-activity; reference:url,doc.emergingthreats.net/2000355; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IRC; sid: 2000355; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IRC connection"; flow: established; content:"Welcome to the "; content:"IRC Network"; nocase; classtype: misc-activity; reference:url,doc.emergingthreats.net/2000356; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IRC; sid: 2000356; rev:5;) #by Matt Jonkman #alert ip any any -> any any (msg:"ET POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ \d\d-\d{7} /"; 
reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002658; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IRS_Related; sid:2002658; rev:4;) #by Cam Beasley. Experimental, please report your experiences alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Image Spam Inbound (simple rule)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; classtype:misc-activity; reference:url,doc.emergingthreats.net/2003096; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_ImageSpam; sid:2003096; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Image Spam Inbound (complex rule)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; content:"QIAAQKAAQMAAQOAAQAAgQCAgQEAgQGAgQIAgQKAgQMAgQOAgQABAQCBAQEBAQGBAQIBAQKBA"; content:"QMBAQOBAQABgQCBgQEBgQGBgQIBgQKBgQMBgQOBgQACAQCCAQECAQGCAQICAQKCAQMCAQOCA"; content:"QACgQCCgQECgQGCgQICgQKCgQMCgQOCgQADAQCDAQEDAQGDAQIDAQKDAQMDAQODAQADgQCDg"; content:"QEDgQGDgQIDgQKDgQMDgQODgQAAAgCAAgEAAgGAAgIAAgKAAgMAAgOAAgAAggCAggEAggGAg"; content:"gIAggKAggMAggOAggABAgCBAgEBAgGBAgIBAgKBAgMBAgOBAgABggCBggEBggGBggIBggKBg"; content:"gMBggOBggACAgCCAgECAgGCAgICAgKCAgMCAgOCAgACggCCggECggGCggICggKCggMCggOCg"; 
content:"gADAgCDAgEDAgGDAgIDAgKDAgMDAgODAgADggCDggEDggGDggIDggKDggMDggODggAAAwCAA"; content:"wEAAwGAAwIAAwKAAwMAAwOAAwAAgwCAgwEAgwGAgwIAgwKAgwMAgwOAgwABAwCBAwEBAwGBA"; content:"wIBAwKBAwMBAwOBAwABgwCBgwEBgwGBgwIBgwKBgwMBgwOBgwACAwCCAwECAwGCAwICAwKCA"; content:"wMCAwOCAwACgwCCgwECgwGCgwICgwKCgwMCgwOCgwADAwCDAwEDAwGDAwIDAwKDAwP/78KCg"; classtype:misc-activity; reference:url,doc.emergingthreats.net/2003097; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_ImageSpam; sid:2003097; rev:4;) #Another from Cam Beasley alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Image Spam Inbound (3)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"R0lGODlh"; depth:575; content:"AOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBgAACAACCA";content:"AECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDAAEDAAGDAAIDA"; classtype:misc-activity; reference:url,doc.emergingthreats.net/2003120; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_ImageSpam; sid:2003120; rev:4;) #Moved from Malware, this is likely not spyware related alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unusual User Agent (Client)"; flow: to_server,established; content:"|0d 0a|User-Agent\: Client|0d 0a|"; nocase; content:!".microsoft.com|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002082; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Infotriever; sid:2002082; rev:12;) #from Russ Mcree alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY iTunes User Agent"; flow: established,to_server; content:"User-Agent\: "; nocase; pcre:"/User-Agent\:[^\n]+iTunes/i"; reference:url,hcsoftware.sourceforge.net/jason-rohrer/itms4all/; classtype:policy-violation; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2002878; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Itunes; sid:2002878; rev:4;) #by mex alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"ET POLICY JBOSS/JMX port 80 access from outside"; flow:established,to_server; content:"GET"; nocase; depth:3; uricontent:"/jmx-console"; nocase; classtype:web-application-attack; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010377; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Jboss; sid:2010377; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET POLICY JBOSS/JMX port 8080 access from outside"; flow:established,to_server; content: "GET"; nocase; depth:3; uricontent:"/jmx-console"; nocase; classtype:web-application-attack; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010378; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Jboss; sid:2010378; rev:3;) #Submitted by Jonathan Miner alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY KitCo Kcast Ticker (agtray)"; flow: to_server,established; uricontent:"/pr/agtray.txt"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000569; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Kitco_Ticker; sid: 2000569; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY KitCo Kcast Ticker (autray)"; flow: to_server,established; uricontent:"/pr/autray.txt"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000570; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Kitco_Ticker; sid: 2000570; rev:6;) #by William Metcalf alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Logmein.com Host List Download"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/myrahost/list.aspx?"; nocase; content:!"|0d 0a|Host\: "; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007765; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Logmein.com; sid:2007765; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Logmein.com Update Activity"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/update.logmein.com/"; nocase; content:!"|0d 0a|Host\: "; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007766; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Logmein.com; sid:2007766; rev:3;) #by William Bell alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MP3 File Transfer Outbound"; flow:established; content:"ID3|03|"; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002722; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_MP3_Files; sid:2002722; rev:4;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY MP3 File Transfer Inbound"; flow: established; content:"ID3|03|"; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002723; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_MP3_Files; sid:2002723; rev:4;) #by Jeff Kell # Microsoft teredo tunnel alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"ET POLICY Microsoft TEREDO IPv6 tunneling"; content:"|FE 80 00 00 00 00 00 00 80 00|TEREDO"; offset:21; 
depth:16; classtype:misc-activity; reference:url,doc.emergingthreats.net/2003155; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_MS_Teredo_Tunnel; sid:2003155; rev:4;) #by Stephen Nesman at Monster.com alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Majestic-12 Spider Bot User-Agent (MJ12bot)"; flow:to_server,established; content:"|0d 0a|User-Agent\: MJ12bot|0d 0a|"; reference:url,www.majestic12.co.uk/; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003409; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Majestic-12; sid:2003409; rev:4;) #by cunningpike alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Majestic-12 Spider Bot User-Agent Inbound (MJ12bot)"; flow:to_server,established; content:"|0d 0a|User-Agent\: MJ12bot"; reference:url,www.majestic12.co.uk/; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007762; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Majestic-12; sid:2007762; rev:4;) #Matt Jonkman #This will let you know when McAffee is updating sigs. Not a security threat, but could be of interest to folks using mcafee to track updates #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY McAfee Update User Agent -NOT HOSTILE- (McAfee AutoUpdate)"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+McAfee AutoUpdate/i"; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003381; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_McAffee; sid:2003381; rev:4;) #by Will Metcalf #Rapidshare is a video sharing service, uses VERY ppor auth, and can be used for non-work appropriate material. 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Metacafe.com family filter off"; flow:established,to_server; content:"POST "; depth:5; content:"Host\: www.metacafe.com"; content:"submit=Continue+-+I%27m+over+18"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2006367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Metacafe; sid:2006367; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Rapidshare download unauthd image post"; flow:to_server,established; content:"POST "; depth: 5; uricontent:"/files/"; nocase; content:"Host\:"; nocase; content:"rapidshare.com"; nocase; within: 40; content:"&accesscode="; nocase; content:"&actionstring=Download"; nocase; within:50; reference:url,en.wikipedia.org/wiki/RapidShare; classtype:policy-violation; reference:url,doc.emergingthreats.net/2006368; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Metacafe; sid:2006368; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Rapidshare auth cookie download"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/files/"; content:"Host\:"; nocase; content:"rapidshare.com"; nocase; within:40; content:"Cookie\: user="; nocase; reference:url,en.wikipedia.org/wiki/RapidShare; classtype:policy-violation; reference:url,doc.emergingthreats.net/2006369; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Metacafe; sid:2006369; rev:4;) #by Jamian Mason of Deepnines.com alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Metacafe.com Social Site Access"; flow:established,to_server; content:"Host\: www.metacafe.com"; threshold: type both, track by_src, count 5, seconds 300; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003457; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Metacafe.com; sid:2003457; rev:3;) #by Kevin Ross and others alert tcp 
$EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Metasploit Framework Update"; content:"http\://certificates.godaddy.com/repository"; content: "metasploit.com"; flow:from_server,established; classtype:misc-activity; reference:url,www.metasploit.com/framework/; reference:url,www.ethicalhacker.net/content/view/29/24/; reference:url,doc.emergingthreats.net/2008418; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Metasploit; sid:2008418; rev:3;) #by Kevin Ross alert tcp $HOME_NET any -> 76.74.9.18 $HTTP_PORTS (msg:"ET POLICY Milw0rm Exploit Archive Download"; content:"GET /sploits/milw0rm.tar.bz2"; depth:60; flow:to_server,established; classtype:misc-activity; reference:url,www.milw0rm.com; reference:url,doc.emergingthreats.net/2008524; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Metasploit; sid:2008524; rev:2;) alert tcp $HOME_NET any -> 76.74.9.19 $HTTP_PORTS (msg:"ET POLICY Packetstormsecurity Exploits Of The Month Download"; content:"GET /"; uricontent:"-exploits.tgz"; depth:70; flow:to_server,established; classtype:misc-activity; reference:url,www.packetstormsecurity.org; reference:url,doc.emergingthreats.net/2008525; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Metasploit; sid:2008525; rev:2;) #by wolvee alert tcp $HOME_NET any -> 76.74.9.18 $HTTP_PORTS (msg:"ET POLICY Milw0rm Exploit Launch Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/exploit.php?id="; nocase; classtype:misc-activity; reference:url,www.milw0rm.com; reference:url,doc.emergingthreats.net/2009586; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Milw0rm.com; sid:2009586; rev:3;) #Submitted by Joseph Gama #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Mozilla XPI install files download"; flow: from_server,established; content:"content-type\: application/x-xpinstall"; nocase; classtype: bad-unknown; 
reference:url,doc.emergingthreats.net/2001114; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Mozilla_XPI_Install; sid: 2001114; rev:6;) #by dajackman, updated by Mike Wall at BLCPro, LLC alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Myspace Login Attempt"; flow:established,to_server; content:"secure.myspace.com"; uricontent:"/index.cfm?fuseaction=login"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002872; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Myspace; sid:2002872; rev:5;) #by Matt Jonkman #These sigs aren't signs of hostile activity, just something of interest in some places alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Nagios HTTP Monitoring Connection"; flow:established,to_server; content:"User-Agent\: check_http/"; nocase; content:"(nagios-plugins "; nocase; within:30; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2006779; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Nagios; sid:2006779; rev:4;) #by Kevin Ross alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Nessus Vulnerability Scanner Plugins Update"; flow:to_client,established; content:"plugins.nessus.org"; content:"https|3a|//www.thawte.com/repository/index.html"; offset:432; depth:88; distance:10; classtype:misc-activity; reference:url,www.nessus.org/nessus/; reference:url,www.nessus.org/plugins/; reference:url,doc.emergingthreats.net/2009706; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Nessus; sid:2009706; rev:4;) #by Will Metcalf, Netflix on demand UA alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netflix On-demand User-Agent"; flow:to_server,established; content:"User-Agent\: WmpHostInternetConnection"; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007638; 
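reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Netflix; sid:2007638; rev:3;)
#Submitted by Lance Boon
# Fixed 12-byte marker (the hex spells the ASCII string UK00760S7G10) searched in ANY udp payload,
# any host, any port, no flow constraint. That is a full-payload search across all UDP and is costly
# on busy links; constrain the ports if you know where your Netop hosts listen.
alert udp any any -> any any (msg:"ET POLICY Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Netop_Remote_Control; sid: 2001597; rev:5;)
#by Jamian Mason of Deepnines.com
# Outbound request whose Host header names an anonymizing proxy; keyed purely on the hostname.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netvacy.com Anonymizing Proxy Access"; flow:established,to_server; content:"Host\: www.netvacy.com"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Netvacy.com; sid:2003453; rev:3;)
#by matt jonkman
# POST to /nvserver whose body carries "cmd=", then "&params=", then the literal "Netviewer Proxy Test".
# Fixed: the second body match read "\xb6ms=" -- "&params=" with its "&para" prefix mangled into a
# pilcrow (the HTML entity for exactly that prefix). With the mangled byte the rule could never fire.
# The intact "&licID=" / "&prodVer=" in the rule below show the ampersands survived everywhere the
# prefix was not an entity name. rev bumped 3 -> 4 for the content change.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netviewer.com Remote Control Proxy Test"; flow:established,to_server; content:"POST /nvserver HTTP"; depth:19; content:"|0d 0a 0d 0a|cmd="; content:"&params="; distance:0; content:"Netviewer Proxy Test"; distance:0; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008472; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Netviewer.com; sid:2008472; rev:4;)
#by James Pledger
# License check: three URI fragments plus an exact Host header for www.newsleecher.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Newzbin Usenet Reader License Check"; flow:established,to_server; uricontent:"/internal/internal_loader.v2.php?"; uricontent:"prodID=nl&licID="; uricontent:"&prodVer="; content:"|0d 0a|Host|3A| www.newsleecher.com"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009095; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Newzbin; sid:2009095; rev:2;)
#by matt jonkman
#nginx is an open http server. It's quite good, but seems an extremely high number of its
# installs are malicious. Storm, rbn, etc. Use this rule if you are interested
# disabling by default, falses a lot but may be of interest to some folks
# All three nginx rules key on a "Server: nginx" response header within 300 bytes of "HTTP/1." and
# are rate-limited (threshold type limit: at most 3 alerts per source per 60s). A Server header is
# trivially forged or stripped, so these are hints about hosting, not indicators of compromise.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Nginx Server in use - Often Hostile Traffic"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server\: nginx"; nocase; distance:4; within:300; threshold:type limit, seconds 60, count 3, track by_src; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2008054; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Nginx; sid:2008054; rev:3;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server\: nginx|0d 0a|"; nocase; distance:4; within:300; threshold:type limit, seconds 60, count 3, track by_src; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2008064; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Nginx; sid:2008064; rev:2;)
# Enabled variant: "nginx/" followed by a letter instead of a digit (pcre [a-zA-Z]), i.e. an
# operator who rewrote the version string.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Nginx Server with modified version string - Often Hostile Traffic"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server\: nginx/"; nocase; pcre:"/Server\: nginx/[a-zA-Z]/i"; threshold:type limit, seconds 60, count 3, track by_src; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2008065; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Nginx; sid:2008065; rev:2;)
#New way to do ssh. First to detect legit ssh sessions on normal ports. Enable these ONLY if you need to know about
# normal ssh sessions
#Written by Erik Fichtner, adapted some
# Expected-port SSH state machine (all disabled). Each stage checks wire bytes and advances a flowbit:
#   banner:  "SSH-" at offset 0, next byte '1' or '2' (byte_test >48 and <51), then '.' (0x2e)
#   KEX:     byte 5 == 20 (SSH_MSG_KEXINIT, RFC 4253) once the peer's banner has been seen
#   NEWKEYS: byte 5 == 21 (SSH_MSG_NEWKEYS) -> is_proto_ssh, which the "session in progress" rule reports
# The flowbit names are shared with the unusual-port set further down; the two sets are told apart
# only by the $SSH_PORTS / !$SSH_PORTS headers, so keep $SSH_PORTS accurate if you enable both.
#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative;flowbits: set,is_ssh_server_banner; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001973; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port; sid: 2001973; rev:7;)
#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,is_ssh_server_banner; flowbits:noalert; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative;flowbits: set,is_ssh_client_banner; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001974; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port; sid: 2001974; rev:7;)
#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Expected Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001975; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port; sid: 2001975; rev:7;)
#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Expected Port"; flowbits:isset,is_ssh_server_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,20,5;flowbits: set,is_ssh_client_kex; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001976; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port; sid: 2001976; rev:8;)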
#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client New Keys detected on Expected Port"; flowbits:noalert; flowbits:isset,is_ssh_client_kex; flow: from_client,established; byte_test:1,=,21,5;flowbits: set,is_proto_ssh; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001977; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port; sid: 2001977; rev:8;)
#alert tcp any any <> any $SSH_PORTS (msg:"ET POLICY SSH session in progress on Expected Port"; flowbits: isset,is_proto_ssh; threshold: type both, track by_src, count 2, seconds 300; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001978; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port; sid: 2001978; rev:6;)
#And now to detect Non-standard port usage
# Unusual-port SSH state machine (enabled). Same byte checks as the expected-port set, but the server
# side must be on a port outside $SSH_PORTS. Every stage is noalert except the client-banner rule
# (2001980) and the final "session in progress" rule.
# Stage 1: server banner "SSH-1." / "SSH-2." from a non-SSH port -> is_ssh_server_banner (noalert).
alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative;flowbits: set,is_ssh_server_banner; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001979; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port; sid: 2001979; rev:7;)
# Stage 2: client banner back to that port. NOTE(review): unlike its expected-port twin (2001974) this
# rule carries no flowbits:noalert, so it fires on every SSH handshake to a non-standard port before
# the KEX stages have confirmed the protocol -- presumably deliberate (rev 9 vs 7). Add noalert here
# if you only want the confirmed-session alert from 2001984.
alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Unusual Port"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001980; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port; sid: 2001980; rev:9;)
# Stages 3/4: KEXINIT (byte 5 == 20, RFC 4253) from server, then from client; noalert.
alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5;flowbits: set,is_ssh_server_kex; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001981; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port; sid: 2001981; rev:7;)
alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001982; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port; sid: 2001982; rev:8;)
# Stage 5: client NEWKEYS (byte 5 == 21) -> is_proto_ssh; noalert.
alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client New Keys Detected on Unusual Port"; flowbits:isset,is_ssh_client_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001983; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port; sid: 2001983; rev:8;)
# Reports the confirmed session; both ends outside $SSH_PORTS. threshold type both: one alert per
# source per 300s once 2 events have been seen. SSH on an odd port is a classic tunnel / exfil /
# evasion tell, so this is the one worth routing to an analyst.
alert tcp any !$SSH_PORTS -> any !$SSH_PORTS (msg:"ET POLICY SSH session in progress on Unusual Port"; flowbits: isset,is_proto_ssh; threshold: type both, track by_src, count 2, seconds 300; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001984; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Non-Standard_SSH_Port; sid: 2001984; rev:7;)
#by Kevin Ross
# External client pulling the OSSEC web UI over plain HTTP (URI /ossec/ plus its calendar-setup.js).
# A security console reachable from $EXTERNAL_NET without TLS puts its session and alert data on the
# wire in the clear; treat this as a configuration finding, not just "activity".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Unencrypted Connection to Ossec WUI"; flow:established,to_server; uricontent:"/ossec/"; uricontent:"js/calendar-setup.js"; classtype:misc-activity; reference:url,www.ossec.net; reference:url,doc.emergingthreats.net/2008569; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_OSSEC; sid:2008569; rev:2;)
#by evilghost
# Exchange 2003 OWA page body served from port 80, i.e. webmail over cleartext HTTP: message content
# and session cookies are readable on the wire.
alert tcp $HOME_NET 80 ->
$EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access, not SSL"; flow:established,from_server; content:"var g_szURL = \"http\://"; content:"var g_szFolder = \""; content:"varg_szVirtualRoot = \"http\://"; content:"Microsoft Corporation."; classtype:web-application-activity; reference:url,support.microsoft.com/kb/321832; reference:url,doc.emergingthreats.net/2010030; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_OWA; sid:2010030; rev:2;)
# NOTE(review): the third content in the rule above is "varg_szVirtualRoot", with no space after
# "var", unlike the "var g_szURL" / "var g_szFolder" matches beside it. If the page actually emits
# "var g_szVirtualRoot" that content never matches and the whole rule is dead -- confirm against the
# upstream rule / a real OWA response before relying on it.
#by Christopher Campesi
# "REGISTER" at offset 0 toward port 16680, with "operaunite.com" within the next 109 bytes.
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 16680 (msg:"ET POLICY OperaUnite URL Registration";flow:to_server,established; content:"REGISTER"; offset:0; depth:8; content:"operaunite.com"; within:109; classtype:policy-violation; reference:url,unite.opera.com; reference:url,doc.emergingthreats.net/2009895; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_OperaUnite; sid:2009895; rev:2;)
#by Jamian Mason of Deepnines.com
# Host header match; threshold type both = one alert per source per 300s once 5 hits are seen.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Orkut.com Social Site Access"; flow:established,to_server; content:"Host\: www.orkut.com"; threshold: type both, track by_src, count 5, seconds 300; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Orkut.com; sid:2003458; rev:3;)
#Submitted by Scott Melnick
# Client sends the absolute URL "http://www.pcmesh.com:80/ip-check.cgi" (37 bytes, right after the
# 4-byte method) to a non-HTTP port: the proxy-style request a PCMesh client uses to find its way out.
alert tcp $HOME_NET any -> any !$HTTP_PORTS (msg:"ET POLICY PCMesh Anonymous Proxy client connect"; flow: from_client,established; content:"http|3a|//www.pcmesh.com|3a|80/ip-check.cgi"; depth:37; offset:4; classtype: policy-violation; reference:url,doc.emergingthreats.net/2003040; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PCMesh; sid:2003040; rev:4;)
#Only enable if you do not use an internal Proxy server with your
#clients or change your HTTP_PORTS to match your Proxy server port
# Generic form of the above: any "GET http://" absolute-URI request from inside to a port outside
# $HTTP_PORTS. Every internal client configured for an explicit proxy on an unlisted port trips it,
# hence disabled by default.
#alert tcp $HOME_NET any -> any !$HTTP_PORTS (msg:"ET POLICY Anonymous
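Proxy Traffic from Inside"; flow: from_client,established; flags: *AP,12; content:"GET http|3a|//"; depth:11; offset:0; content:"HTTP/1.0"; within:50; offset:11; classtype: policy-violation; reference:url,doc.emergingthreats.net/2003069; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PCMesh; sid:2003069; rev:3;)
#by kevin ross
#Disabled by default as they may be high load
# PDF rules. All anchor on "PDF-" within the first 300 bytes of the server response (headers
# included) and then look for a marker after it. They only see what is literally on the wire:
# names written with PDF #xx escapes, or anything inside a compressed (e.g. FlateDecode) stream,
# will not match these literal contents.
# Hex-obfuscated "arguments.callee": each byte of a r g u m e n t s . c a l l e e must follow the
# previous one with one or two bytes in between (distance:1; within:2 on every step).
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Hex Obfuscated arguments.callee Javascript Method in PDF - Possibly Hostile PDF"; flow:established,to_client; content:"PDF-"; nocase; depth:300; content:"|61|"; distance:0; content:"|72|"; distance:1; within:2; content:"|67|"; distance:1; within:2; content:"|75|"; distance:1; within:2; content:"|6d|"; distance:1; within:2; content:"|65|"; distance:1; within:2; content:"|6e|"; distance:1; within:2; content:"|74|"; distance:1; within:2; content:"|73|"; distance:1; within:2; content:"|2e|"; distance:1; within:2; content:"|63|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|6c|"; distance:1; within:2; content:"|6c|"; distance:1; within:2; content:"|65|"; distance:1; within:2; content:"|65|"; distance:1; within:2; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010879; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF; sid:2010879; rev:2;)
# Same technique for "/Javascript" (2f 4a 61 76 61 73 63 72 69 70 74). Fixed: the "|69|" ('i') step
# had no distance/within, so it restarted an unanchored search from the top of the payload and the
# following "|70|" / "|74|" steps chained off that stray match instead of the obfuscated sequence.
# Now every step after "|2f|" is relative, as in the rule above. rev bumped 2 -> 3.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Hex Obfuscation of Javascript Declaration Within PDF File - Likely Hostile"; flow:established,to_client; content:"PDF-"; nocase; depth:300; content:"|2f|"; distance:0; content:"|4a|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|76|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|73|"; distance:1; within:2; content:"|63|"; distance:1; within:2; content:"|72|"; distance:1; within:2; content:"|69|"; distance:1; within:2; content:"|70|"; distance:1; within:2; content:"|74|"; distance:1; within:2; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010880; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF; sid:2010880; rev:3;)
# Cleartext "unescape" after the PDF header -- commonly the decoding primitive for shellcode
# embedded in PDF JavaScript (see the ISC diaries referenced).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY .pdf File Download With Unescape Method Defined - Possibly Hostile"; flow:established,to_client; content:"PDF-"; nocase; depth:300; content:"unescape"; nocase; distance:0; classtype:misc-activity; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010881; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF; sid:2010881; rev:2;)
# Any "/Javascript" name after the header (nocase). Plenty of benign PDFs carry JS; policy, not attack.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY .pdf File Containing Javascript"; flow:established,to_client; content:"PDF-"; nocase; depth:300; content:"/Javascript"; nocase; distance:0; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010882; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF; sid:2010882; rev:2;)
# Cleartext "arguments.callee" -- usually self-referencing decoder / anti-analysis code in hostile PDFs.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY .pdf File Containing arguments.callee in Cleartext - Likely Hostile"; flow:established,to_client; content:"PDF-"; nocase; depth:300; content:"arguments.callee"; nocase; distance:0; classtype:misc-activity; reference:url,isc.sans.org/diary.html?storyid=1519; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010883; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF; sid:2010883; rev:2;)
#disabled as it may be high load
# Six hex-digit pairs, each separated by one arbitrary byte, anywhere after "PDF-". NOTE(review): the
# pcre classes are written [0-9,A-F], so a literal comma is accepted as a "hex digit"; [0-9A-F] was
# presumably intended. The /s flag plus ".+" from "PDF-" scans the whole reassembled stream, which is
# why this is marked high load. Left as is; it is disabled.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY .pdf File Possibly Containing Basic Hex Obfuscation"; flow:established,from_server; content:"PDF-"; nocase; depth:300; pcre:"/PDF-.+[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F]/si"; classtype:misc-activity;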
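reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010884; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PDF; sid:2010884; rev:3;)
#by Will Metcalf. These will detect a php proxy/anonymizer/content control evasion site in use
# GET /index.php?q=<target> where the target begins with http/www, or their rot13 (uggc/jjj) or
# base64 (aHR0c/d3d3) forms -- the URL encodings php-proxy style scripts use. pcre /U matches on
# the normalized URI buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY PHP Anonymizing/Evasion Proxy In Use"; flow: to_server,established; content:"GET "; depth: 4; uricontent:"/index.php?q="; nocase; pcre:"/index\.php\?q=(uggc|jjj|http|www|aHR0c|d3d3)/Ui"; reference:url,sourceforge.net/projects/php-proxy/; classtype:policy-violation; reference:url,doc.emergingthreats.net/2006410; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PHP_Proxy; sid:2006410; rev:4;)
#by Jaime Blasco
#Needs tweaking ... aight, tweaked... needs testing now :)
# PPTP control channel: message type 1 at offset 2, control type 2 (Start-Control-Connection-Reply)
# at offset 8, and a 0x04 result code (RFC 2637: "requester is not authorized") anywhere in bytes
# 12..24. NOTE(review): the header is $HOME_NET 1723 -> $EXTERNAL_NET, i.e. the server's reply, but
# flow says to_server -- those contradict, so the rule cannot match as written; from_server is what
# the SCCRP direction implies. Per the RFC the result code sits at byte 14, so the offset:12/depth:13
# window also accepts 0x04 in the protocol-version and error-code bytes. Left disabled and unchanged.
#alert tcp $HOME_NET 1723 -> $EXTERNAL_NET any (msg:"ET POLICY PPTP Requester is not authorized to establish a command channel"; flow:to_server,established,no_stream; content:"|00 01|"; offset:2; depth:4; content:"|00 02|"; offset:8; depth:10; content:"|04|"; offset:12; depth:13; classtype:attempted-admin; reference:url,tools.ietf.org/html/rfc2637; reference:url,doc.emergingthreats.net/2009387; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_PPTP; sid:2009387; rev:3;)
#by jack pepper
# username= and password= both present in the normalized URI of an inbound request. Credentials in
# a query string end up in web server access logs, proxy logs, browser history and Referer headers
# even when the transport is encrypted, hence policy-violation.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Login Credentials Possibly Passed in URI"; flow:established,to_server; uricontent:"username="; nocase; uricontent:"password="; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009001; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Pass_in_uri; sid:2009001; rev:3;)
#disabled by default for possibility of false positives. Use only if needed
# POST whose body (after the header/body blank line) contains username=, and password= anywhere in
# the request. Fixed: the password check was a uricontent:, i.e. it only looked in the URI, while
# the msg and the username= check are about POST data -- an ordinary form login with both fields in
# the body could not match. It is now a plain content: so body fields match regardless of field
# order (it also still matches a password= in the URI, as before). rev bumped 3 -> 4.
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Login Credentials Possibly Passed in POST Data"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|"; content:"username="; distance:0; nocase; content:"password="; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009004; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Pass_in_uri; sid:2009004; rev:4;)
#by Jonathan Scheidell
#Pingdom.com is an otherwise legitimate org that does free distributed ping monitoring
# This sig will let you know if you're being monitored.
# User-Agent string match. A UA is self-declared, so this tells you who claims to be Pingdom.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Pingdom.com Monitoring detected"; flow: to_server,established; content: "User-Agent\: Pingdom GIGRIB"; nocase; classtype:attempted-recon; reference:url,royal.pingdom.com/?p=46; reference:url,doc.emergingthreats.net/2003214; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Pingdom_Monitoring; sid:2003214; rev:4;)
#This will tell you if a local host is signed up as a pingdom monitoring node
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Pingdom.com Monitoring Node Active"; flow: to_server,established; content: "User-Agent\: Pingdom GIGRIB"; nocase; classtype:attempted-recon; reference:url,royal.pingdom.com/?p=46; reference:url,doc.emergingthreats.net/2003215; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Pingdom_Monitoring; sid:2003215; rev:4;)
# Added by Frank Knobbe
# "PCHAT2 " at offset 0 plus v=', jv=' and u=' somewhere in the following 400 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Prospero Chat Session in Progress"; flow: established,to_server; content:"PCHAT2 "; offset: 0; depth: 7; content:"v='"; nocase; offset: 8; depth: 400; content:"jv='"; nocase; offset: 8; depth: 400; content:"u='"; nocase; offset: 8; depth: 400; reference:url,www.prospero.com/technology.htm; classtype: policy-violation;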
reference:url,doc.emergingthreats.net/2001989; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Prospero_Chat; sid: 2001989; rev:5;)
#From Adam Hogan
# Absolute-URI requests ("GET http://...") arriving at your own web servers: a client treating the
# server as an open proxy, or an open-proxy scan. The form is RFC-valid (HTTP/1.1 servers must
# accept absolute-form) and some legitimate intermediaries send it, hence bad-unknown. Each rule
# matches only the first bytes of the request (depth = method + "http://").
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy GET Request"; flow: to_server,established; content:"GET http\://"; nocase; depth: 11; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001669; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid: 2001669; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy HEAD Request"; flow: to_server,established; content:"HEAD http\://"; nocase; depth: 12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid: 2001670; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy POST Request"; flow: to_server,established; content:"POST http\://"; nocase; depth: 12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001674; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid: 2001674; rev:7;)
# CONNECT sent to a web server that is not a proxy: someone trying to tunnel through it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy CONNECT Request"; flow: to_server,established; content:"CONNECT "; nocase; depth: 8; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid: 2001675; rev:7;)
#by Markus Manzke
# HTTP-TRACE Request
# TRACE echoes the request back, headers and cookies included. Inbound it is normally a cross-site
# tracing (XST) probe or scanner fingerprinting; the durable fix is disabling TRACE on the server.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy TRACE Request - inbound"; flow: to_server,established; content:"TRACE "; nocase; depth: 6; classtype: bad-unknown; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; reference:url,doc.emergingthreats.net/2010766; sid:2010766; rev:9;)
# Outbound TRACE from inside: scanning / recon from a local host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TRACE Request - outbound"; flow: to_server,established; content:"TRACE "; nocase; depth: 6; classtype: bad-unknown; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; reference:url,doc.emergingthreats.net/2010767; sid:2010767; rev:9;)
#Seeing some bots and proxy evasion apps use these proxy judges to find their way out
#by Scotty Melnick
# A proxy-judge CGI reports which headers a proxy leaks; any host requesting one is testing a proxy.
alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)"; flow: established,to_server; uricontent:"/prxjdg.cgi"; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy_Judge; sid:2003047; rev:3;)
alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi)"; flow: established,to_server; uricontent:"/proxyjudge.cgi"; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003048; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy_Judge; sid:2003048; rev:3;)
#by Jeremy at sudosecure
# RAR download tracking. 1) An outbound GET for a .rar marks the flow ET.rar_seen (noalert).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Set flow on rar file get"; flow:established,to_server; content:"GET "; depth:4; uricontent:".rar"; content:".rar HTTP/1."; flowbits:set,ET.rar_seen; flowbits:noalert; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008781; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_RAR_Files; sid:2008781; rev:3;)
# 2) Server replies octet-stream and the body starts with "Rar!" but NOT the 1A 07 that completes
#    the RAR signature (negated content within:2): something masquerading as an archive. This one is
#    independent of the flowbit.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file)"; flow:established,from_server; content:"Content-Type|3a| application|2f|octet-stream"; content:"|0d 0a 0d 0a 52 61 72 21|"; distance:0; content:!"|1A 07|"; within:2; classtype:trojan-activity; reference:url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162; reference:url,doc.emergingthreats.net/2008782;
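reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_RAR_Files; sid:2008782; rev:2;)
# 3) A .rar was requested on this flow (ET.rar_seen) and the 200 OK octet-stream reply does not
#    begin with the full "Rar!" 1A 07 signature: the server delivered something other than a RAR.
#    The flowbit is consumed (unset) so only the first response on the flow is judged.
#    Fixed: stray space in "reference:url, www.win-rar.com" made that reference malformed; rev 3 -> 4.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Trojan File Download - Rar Requested but not received"; flow:established,from_server; flowbits:isset,ET.rar_seen; flowbits:unset,ET.rar_seen; content:"200 OK"; content:"Content-Type|3a| application|2f|octet-stream"; content:!"|0d 0a 0d 0a 52 61 72 21 1A 07|"; classtype:trojan-activity; reference:url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162; reference:url,doc.emergingthreats.net/2008783; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_RAR_Files; sid:2008783; rev:4;)
#Submitted by James Ashton
# RDP on 3389, keyed on the TPKT version byte (0x03) at offset 0 and the X.224 PDU code at byte 5:
# 0xE0 Connection Request, 0xD0 Connection Confirm, 0x80 Disconnect Request. An inbound CR from
# $EXTERNAL_NET means RDP is reachable from outside -- a standing brute-force / credential target
# that is worth confirming is intentional.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP connection request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001329; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_RDP_Connections; sid: 2001329; rev:8;)
alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"ET POLICY RDP connection confirm"; flow: from_server,established; content:"|03|"; offset: 0; depth: 1; content:"|D0|"; offset: 5; depth: 1; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001330; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_RDP_Connections; sid: 2001330; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP disconnect request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|80|"; offset: 5; depth: 1; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001331; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_RDP_Connections; sid: 2001331; rev:8;)
#By Scott Melnick
#Users can connect to remote machines by port forwarding 3389 through personal routers.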
# Outbound RDP Connection Request to any port other than 3389: TPKT v3 at byte 0, X.224 CR (0xE0) at
# byte 5 and the "Cookie:" token at byte 11. Catches the port-forwarded home RDP case noted above.
alert tcp $HOME_NET any -> $EXTERNAL_NET !3389 (msg:"ET POLICY Remote Desktop Connection via non RDP Port"; flow:established,to_server; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; content:"Cookie\:"; offset: 11; depth: 7; classtype: policy-violation; reference:url,doc.emergingthreats.net/2007571; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_RDP_Connections; sid:2007571; rev:4;)
#Matt Jonkman
# Radmin session setup, inbound from $EXTERNAL_NET to any high port on $HOME_NET, by a fixed 10-byte
# prefix. NOTE(review): an outside party initiating remote control into the network is classed
# not-suspicious here; most environments will want that raised, or the destination narrowed to the
# hosts that are supposed to run Radmin.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate"; flow:established,to_server; content:"|01 00 00 00 01 00 00 00 08 08|"; flowbits:set,BE.Radmin.Challenge; classtype:not-suspicious; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003479; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Radmin; sid:2003479; rev:4;)
# Server side of the setup (payload < 50 bytes). noalert and it sets no further flowbit, so as
# written it has no visible effect.
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Radmin; sid:2003480; rev:4;)
# Authentication challenge: 14 fixed bytes in a payload under 20 bytes -> BE.Radmin.Auth.Challenge.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Authentication Initiate"; flow:established,to_server; dsize:<20; content:"|01 00 00 00 05 00 00 02 27 27 02 00 00 00|"; flowbits:set,BE.Radmin.Auth.Challenge; classtype:not-suspicious; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003481; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Radmin; sid:2003481; rev:4;)
# Authentication response from the internal side; noalert.
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Authentication Response";
flowbits:isset,BE.Radmin.Auth.Challenge; flow:established,from_server; dsize:<20; content:"|01 00 00 00 05 00 00 00 27 27 00 00 00 00|"; flowbits:noalert; classtype:not-suspicious; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003482; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Radmin; sid:2003482; rev:4;)
#Matt jonkman
# Real.com game installer: self-declared User-Agent, then the bundle-script path. Policy only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Real.com Game Arcade Install (User agent)"; flow: established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+ARCADE_BUNDLE_DOWNLOADER/i"; classtype: policy-violation; reference:url,doc.emergingthreats.net/2003045; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Real.com_Game_Installs; sid: 2003045; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Real.com Game Arcade Install"; flow: established,to_server; content:"/gameconsole/bundlescripts/"; classtype: policy-violation; reference:url,doc.emergingthreats.net/2003046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Real.com_Game_Installs; sid:2003046; rev:3;)
#part of the state machine sigs in EXPLOIT/RealVNC
# These two depend on the RealVNC state-machine rules (not in this file) that set BSvnc.auth.agreed /
# BSis.vnc.setup; on their own they never fire. Direction is $HOME_NET -> $EXTERNAL_NET, i.e. an
# internal VNC server answering an outside client.
# SecurityResult 0 in a 4-byte payload = authentication OK; clears both flowbits.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VNC Authentication Successful"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; flowbits:unset,BSvnc.auth.agreed; flowbits:unset,BSis.vnc.setup; classtype:not-suspicious; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002922; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_RealVNC; sid:2002922; rev:5;)
# SecurityResult 1 = authentication failed; classed attempted-admin. The flowbit is NOT cleared here,
# so the flow stays armed for further attempts -- useful for spotting password guessing from outside.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VNC Authentication Failure"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 01|"; depth:4; classtype:attempted-admin;
reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002920; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_RealVNC; sid:2002920; rev:5;)
#by marcus at unsober
#ref: 0d805713a6f969a3675d5776c7b2c4df
# POST to upload.php with an exact Host header for www.remotespy.com -- a remote-monitoring product
# shipping captured data out of the network; classed trojan-activity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY RemoteSpy.com Upload Detect"; flow:established,to_server; content:"POST "; depth:5; uricontent:"upload.php"; content:"|0d 0a|Host\: www.remotespy.com|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008406; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Remotespy.com; sid:2008406; rev:5;)
#Matt Jonkman, modified by jholguin (tb-security)
# This is a commercial product, but we see it very often used in malware. Send this email on install
# Keylogger install / log-report e-mails leaving over cleartext SMTP: port 25 only, matched on body
# text, so sessions on 587/465 or protected by STARTTLS are invisible to these.
# NOTE(review): the second content string of 2002979 is split across a blank line below. A literal
# newline inside content: is not valid rule syntax; confirm the intended bytes (likely an |0d 0a|
# sequence or two separate contents) against the upstream rule before loading this file.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET POLICY SC-KeyLog Keylogger Installed - Sending Initial Email Report"; flow:established,to_server; content:"Installation of SC-KeyLog on host "; nocase; content:"

You will receive a log report every "; nocase; classtype:trojan-activity; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2002979; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SC-KeyLog; sid:2002979; rev:4;)
#by jholguin (tb-security), re d5d466779b27cfc8e68c73145c5f3b36
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET POLICY SC-KeyLog Keylogger Installed - Sending Log Email Report"; flow:established,to_server; content:"SC-KeyLog log report"; nocase; content:"See attached file"; nocase; content:".log"; nocase; classtype:trojan-activity; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2008348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SC-KeyLog; sid:2008348; rev:2;)
#by matt Jonkman
#TLS/SSL State Machine for high ports (the Client Hello rules below use destination 1024:65535)
#if you have sessions that do NOT trip this please let me know.
#I only know this will work for sslv2, sslv3, and most TLS.
#Adding these sigs to prevent known ssl ports from being included. You may need to duplicate some of these
# to exclude known ssl traffic in your environment.
# You can also avoid falses by suppressing sigs 2003002-5 for the hosts that you expect unusual port SSL to/from
#
# Port exclusions. Each of these marks the flow BS.SSL.Known.Port on nothing but the destination
# port (no content check, noalert), and the Client Hello rules skip any flow carrying that bit. So
# TLS to one of these ports is never reported by this state machine, whatever the service really
# is -- an attacker who picks 8080 or 8443 for TLS command-and-control is exempt. Trim this list to
# the ports you actually expect. 443 is below 1024 and already outside the Hello rules' port range.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003026; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003026; rev:5;)
# 9001 is also a common Tor relay (OR) port, so this exclusion hides Tor traffic as well.
alert tcp $HOME_NET any -> $EXTERNAL_NET 9001 (msg:"ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2004598; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2004598; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003027; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003027; rev:5;)
# 8080 is excluded twice in this file (2003028 here and 2003036 further down); one is redundant.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003028; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8200 (msg:"ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003029;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003029; rev:5;)
# Port-only exclusions: any flow to these destination ports gets BS.SSL.Known.Port (noalert, no
# content check) and is then ignored by the Client Hello rules, so TLS on 8443, Jabber 5222/5223,
# Symantec 2967 and proxy 3128 is never reported here regardless of what the service really is.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8443 (msg:"ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003030; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003030; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET POLICY Known SSL traffic on port 5222 (Jabber) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003031; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5223 (msg:"ET POLICY Known SSL traffic on port 5223 (Jabber) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003032; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2967 (msg:"ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003033; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3128 (msg:"ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious;
reference:url,doc.emergingthreats.net/2003035; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003035; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003036; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8292 (msg:"ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003037; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003037; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8294 (msg:"ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003038; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003038; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1521 (msg:"ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2003934; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003934; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 995 (msg:"ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; 
flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2008543; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2008543; rev:2;) #Client Hello alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port TLS"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|01|"; within:6; content:"|03 01|"; within:5; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003002; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003002; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established,to_server; content:"|16 03 00|"; depth:3; content:"|01|"; within:2; content:"|03 00|"; within:3; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003003; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003003; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port Case 2"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established; content:"|01 03 01|"; depth:5; offset:2; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003004; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003004; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3"; 
flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established; content:"|01 03 00|"; depth:5; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003005; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003005; rev:9;) #Client Key exch and setup #disabled the first two, unnecessary. Can remove these once we're sure they're not needed #alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|10|"; within:6; flowbits:set,BS.SSL.Client.Key; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003006; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003006; rev:7;) #alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|10|"; within:6; flowbits:set,BS.SSL.Client.Key; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003007; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003007; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Cipher Set on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|14 03 01 00 01 01|"; flowbits:set,BS.SSL.Client.Cipher; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003008; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003008; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client 
Cipher Set on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|14 03 00 00 01 01|"; flowbits:set,BS.SSL.Client.Cipher; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003009; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003009; rev:7;) #Server Hello #also setting a flowbit no longer used. Can be removed in a few weeks once we're sure it's unused #alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Hello on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; depth:3; content:"|02|"; within:6; content:"|03 01|"; within:6; flowbits:set,BS.SSL.Server.Hello; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003010; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003010; rev:7;) #alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; depth:3; content:"|02|"; within:6; content:"|03 00|"; within:6; flowbits:set,BS.SSL.Server.Hello; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003011; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003011; rev:7;) #Server cert and key exchange #Setting a flowbit no longer used. 
Can be removed in a few weeks #alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|0b|"; within:6; flowbits:set,BS.SSL.Server.Cert; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003012; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003012; rev:7;) #alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|0b|"; within:6; flowbits:set,BS.SSL.Server.Cert; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003013; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003013; rev:6;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|0c|"; within:6; flowbits:set,BS.SSL.Server.Key; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003014; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003014; rev:7;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|0c|"; within:6; flowbits:set,BS.SSL.Server.Key; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003015; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003015; rev:6;) alert tcp $EXTERNAL_NET 1024:65535 -> 
$HOME_NET any (msg:"ET POLICY TLS/SSL Server Hello Done on Unusual Port"; flowbits:isset,BS.SSL.Server.Key; flow:established; content:"|16 03 01|"; content:"|0e|"; within:6; flowbits:set,BS.SSL.Server.Hello.Done; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003016; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003016; rev:7;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Hello Done on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Server.Key; flow:established; content:"|16 03 00|"; content:"|0e|"; within:6; flowbits:set,BS.SSL.Server.Hello.Done; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003017; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003017; rev:6;) #Server Cipher set alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Cipher Set on Unusual Port"; flowbits:isset,BS.SSL.Client.Cipher; flow:established; content:"|14 03 01 00 01|"; flowbits:set,BS.SSL.Established; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003018; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003018; rev:7;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Cipher; flow:established; content:"|14 03 00 00 01|"; flowbits:set,BS.SSL.Established; flowbits:noalert; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003019; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003019; rev:7;) #Application data stream alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual 
Port"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003020; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003020; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 00|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003021; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003021; rev:8;)
#Submitted by Patrick Harper. pcre by Matt Jonkman
#These rules are disabled by default. They should generally be run at the outside edge of your network, not internally. Enable them where useful.
#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (dashed)"; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4} /"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSN_in_the_Clear; sid: 2001328; rev:13;) #alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (spaced)"; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2]) \d{2} \d{4} /"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001384; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSN_in_the_Clear; sid: 2001384; rev:13;) #alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (SSN )"; content:"SSN "; nocase; pcre:"/SSN ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])\d{6} /i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSN_in_the_Clear; sid:2007971; rev:3;) #alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (SSN# )"; content:"SSN# "; nocase; pcre:"/SSN# ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])\d{6} /i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007972; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSN_in_the_Clear; sid:2007972; rev:3;) #by rich rumble #PsExec for lan alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY PsExec service created"; flow:to_server,established; content:"|5c 00 50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; reference:url,xinn.org/Snort-psexec.html;classtype:suspicious-filename-detect; reference:url,doc.emergingthreats.net/2010781; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SecTools; sid:2010781; rev:2;) #RctrlX alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY RemoteControlX rctrlx service created"; flow:to_server,established; content:"|5c 
00 72 00 63 00 74 00 72 00 6c 00 78 00 73 00 72 00 76 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-rctrlx.html;classtype:suspicious-filename-detect; reference:url,doc.emergingthreats.net/2010782; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SecTools; sid:2010782; rev:2;) #By Chich Thierry alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype VOIP Checking Version (Startup)"; flow: to_server,established; uricontent:"/ui/"; nocase; uricontent:"/getlatestversion?ver="; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001595; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Skype; sid: 2001595; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype VOIP Reporting Install"; flow: to_server,established; uricontent:"/ui/"; nocase; uricontent:"/installed"; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001596; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Skype; sid: 2001596; rev:9;) #By Robert Grabowsky alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"|0d 0a|User-Agent\: "; content:"Skype"; distance:0; within:100; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Skype; sid:2002157; rev:5;) #by Reg Quinton alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 33033 (msg:"ET POLICY Skype Bootstrap Node (udp)"; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; 
reference:url,doc.emergingthreats.net/2003022; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Skype; sid:2003022; rev:4;)
#Idea by Martin Holste, sigs by Matt Jonkman
# The idea here is that most legitimate exe downloads are larger than 1 MB, while most malicious ones are far smaller than 1 MB.
# This is evadable, of course, and doesn't work with non-compliant web servers, but it will catch many.
#First we qualify the packet as one containing the response headers for the GET request and likely carrying binary content
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Likely Binary in HTTP by Type Flowbit"; flow:established,from_server; flowbits:isnotset,ET.http.binary; content:"HTTP/1"; depth:6; content:"|0d 0a|Content-Type\: application/"; nocase; flowbits:noalert; flowbits:set,ET.http.binary; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2007670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Small_Binary_Downloads; sid:2007670; rev:4;)
#Next we check that the Content-Length has fewer than 7 digits, i.e. is under 1,000,000 bytes.
# note: I re-check for the leading HTTP/1 to make sure we're still in the header packet, not in the rest of the binary stream alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; flowbits:isset,ET.http.binary; content:"HTTP/1"; depth:6; content:"MZ"; isdataat: 76,relative; content:"This program "; distance: 0; pcre:"/\x0d\x0aContent-Length\: \d{0,6}\x0d\x0a/"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007671; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Small_Binary_Downloads; sid:2007671; rev:9;) #by evilghost alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Smilebox Spyware Download"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/download/smilebox/SmileboxInstaller.exe"; nocase; reference:url,www.smilebox.com/info/privacy.html; reference:url,doc.emergingthreats.net/2009998; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Smilebox; classtype:policy-violation; sid:2009998; rev:7;) #re 60fa2ff79411dd1cb829e8a966aa86fc alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET POLICY Unknown Trojan P2P Initial Checkin"; flow:established,to_server; dsize:<30; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 01 00 00|"; distance:1; within:9; threshold:type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008768; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Storm3_Media; sid:2008768; rev:5;) alert tcp $EXTERNAL_NET 3000:8000 -> $HOME_NET any (msg:"ET POLICY Unknown Trojan P2P Initial Checkin Response"; flow:established,from_server; dsize:<100; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 07 00 00|"; distance:1; within:9; 
threshold: type both, count 5, seconds 120, track by_dst; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008769; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Storm3_Media; sid:2008769; rev:5;) #moves to 7090 in samples alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET POLICY Unknown Trojan P2P Download Request"; flow:established,to_server; dsize:<100; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 08 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Storm3_Media; sid:2008771; rev:5;) alert tcp $EXTERNAL_NET 3000:8000 -> $HOME_NET any (msg:"ET POLICY Unknown Trojan P2P Data Download"; flow:established,from_server; dsize:>1000; content:"|00 00 00|"; depth:5; offset:2; content:"|00 01 01 00 00 05 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_dst; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008770; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Storm3_Media; sid:2008770; rev:5;) #moved to 5622 in samples alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET POLICY Unknown Trojan P2P Request"; flow:established,to_server; dsize:<60; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 03 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2008772; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Storm3_Media; sid:2008772; rev:5;) #by Will Metcalf alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY CBS Streaming Video"; flow:established,to_server; content:"GET "; depth:4; content:"Host\:"; nocase; content:"cbs.com"; nocase; within:40; uricontent:"/innertube/player.php?"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007763; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Streaming_News; sid:2007763; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY NBC Streaming Video"; flow:established,to_server; content:"GET "; depth:4; content:"Host\:|20|video.nbcuni.com"; nocase; pcre:"/(\.smil)$/Ui"; classtype: policy-violation; reference:url,doc.emergingthreats.net/2007764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Streaming_News; sid:2007764; rev:3;) #by Nathaniel Richmond alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008120; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_TFTP; sid:2008120; rev:3;) alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Write Request"; content:"|00 02|"; depth:2; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008116; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_TFTP; sid:2008116; rev:3;) alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Data Transfer"; content:"|00 03|"; depth:2; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_TFTP; sid:2008117; rev:3;) alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP ACK"; 
content:"|00 04|"; depth:2; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008118; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_TFTP; sid:2008118; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Error Message"; content:"|00 05|"; depth:2; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008119; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_TFTP; sid:2008119; rev:3;)
#Matt Jonkman, major updates by Chris Byrd
#Experimenting with this idea. When a bot comes up live and starts spamming, it
# does a massive number of DNS queries. This may be an extra way to identify infections.
alert udp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET POLICY Possible Spambot Host DNS MX Query High Count"; content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both, count 30, seconds 10, track by_src; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2003330; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_TROJAN_DNS_Lookups; sid:2003330; rev:6;)
# 2008-11-19 added by Frank Knobbe
# The following two sigs were created based on the findings of SIDs 2008779
# and 2008780. That particular keep-alive matched the TeamViewer application.
# The 'unknown trojan' rules are still present in case something else uses
# this pattern, but will likely be removed shortly. The trojan sigs won't
# alert if the rules below match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"ET POLICY TeamViewier Keep-alive outbound"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; flowbits:set,ET.teamviewerkeepaliveout; flowbits:noalert; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:misc-activity; reference:url,doc.emergingthreats.net/2008794; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_TeamViewer; sid:2008794; rev:2;)
alert tcp $EXTERNAL_NET 5938 -> $HOME_NET any (msg:"ET POLICY TeamViewier Keep-alive inbound"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isset,ET.teamviewerkeepaliveout; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:misc-activity; reference:url,doc.emergingthreats.net/2008795; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_TeamViewer; sid:2008795; rev:2;)
#by jim
#These will generate a LOT of false positives, but enable them if you need them. They should be useful.
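# --- Keyword matches for extremist literature (sids 2010570-2010591, all disabled) ---
# Pure fixed-phrase content matches. The HTTP variants look at server responses
# ($EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any, flow:to_client); the SMTP variants
# look at traffic toward internal MTAs on tcp/25. Each is throttled to 5 hits per
# 360 s per destination host (threshold type threshold, track by_dst), so a single
# page view or a single message does not fire them. "fardh ain", "Takfir" and
# "Sharia and Democracy" are ordinary terms in other contexts and will be the
# noisiest. Only cleartext traffic is visible to these matches; TLS hides the body.
# NOTE(review): the content strings of 2010573 and 2010584 contain a non-ASCII
# U+2019 apostrophe ("Prophet’s"). The bytes actually matched depend on how this
# file is decoded at load (UTF-8 gives E2 80 99); a page or mail that uses a plain
# "'", "&rsquo;" or Windows-1252 0x92 will not match. 2010580/2010591 use the
# ASCII "'" in content but U+2019 in msg. Confirm the encoding before enabling.
# NOTE(review): every SMTP variant pairs a "-> $HOME_NET 25" header with
# flow:to_client. Inbound mail that carries the body is sent by the client side
# of the session (to_server), so as written these look like they would not match
# delivered mail. Verify against a pcap before enabling.
# Fixed in this revision: sid 2010590 (Takfir, SMTP) carried the HTTP header
# ($EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any), which made it a duplicate of
# 2010579 rather than the SMTP variant its msg and siblings describe. It now uses
# "$EXTERNAL_NET any -> $HOME_NET 25" like the other SMTP rules; rev bumped to 3.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...)"; flow: to_client,established; content:"Moderate Islam is a Prostration to the West"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010570; rev:2;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...)"; flow: to_client,established; content:"Jihad, Martyrdom and the Killing of Innocents"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010571; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010571; rev:2;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET POLICY Possible Reference to Terrorist Literature (The Call to Global...)"; flow: to_client,established; content:"The Call to Global Islamic Resistance"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010572; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010572; rev:2;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET POLICY Possible Reference to Terrorist Literature (Knights under the...)"; flow: to_client,established; content:"Knights under the Prophet’s Banner"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010573; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010573; rev:2;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET POLICY Possible Reference to Terrorist Literature (Jihad against...)"; flow: to_client,established; content:"Jihad Against Jews and Crusaders World Islamic Front Statement"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010574; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010574; rev:2;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...)"; flow: to_client,established; content:"Declaration of War against the Americans Occupying the Land of the Two Holy Places"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010575; rev:2;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...)"; flow: to_client,established; content:"Join the Caravan of Martyrs"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010576; rev:2;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...)"; flow: to_client,established; content:"Sharia and Democracy"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010577; rev:2;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain)"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010578; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010578; rev:2;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir)"; flow: to_client,established; content:"Takfir"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010579; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010579; rev:2;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala’ Wal Bara)"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010580; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) SMTP"; flow: to_client,established; content:"Moderate Islam is a Prostration to the West"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010581; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) SMTP"; flow: to_client,established; content:"Jihad, Martyrdom and the Killing of Innocents"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010582; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010582; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) SMTP"; flow: to_client,established; content:"The Call to Global Islamic Resistance"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010583; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010583; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "ET POLICY Possible Reference to Terrorist Literature (Knights under the...) SMTP"; flow: to_client,established; content:"Knights under the Prophet’s Banner"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010584; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010584; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "ET POLICY Possible Reference to Terrorist Literature (Jihad against...) SMTP"; flow: to_client,established; content:"Jihad Against Jews and Crusaders World Islamic Front Statement"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010585; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010585; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...) SMTP"; flow: to_client,established; content:"Declaration of War against the Americans Occupying the Land of the Two Holy Places"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010586; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010586; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) SMTP"; flow: to_client,established; content:"Join the Caravan of Martyrs"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010587; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010587; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) SMTP"; flow: to_client,established; content:"Sharia and Democracy"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010588; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010588; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) SMTP"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010589; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010589; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) SMTP"; flow: to_client,established; content:"Takfir"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010590; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010590; rev:3;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala’ Wal Bara) SMTP"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/2010591; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Terririst_Literature; sid:2010591; rev:2;)
# --- Tor directory and circuit traffic (sids 2002950-2002953, 2008113, 2008115) ---
# 2002950 / 2002951: cleartext "GET /tor/server/" or "GET /tor/status/" at the very
# start of the payload (depth:16 equals the length of the match) to any port >= 1024
# ("1024:"), limited to one alert per source per 30 s / 60 s. Anchoring at offset 0
# means a request that is not the first thing in the payload is missed.
# 2002952 / 2002953: the literal bytes "TOR" in an established stream on any port
# >= 1024, one alert per source per 120 s. Three ASCII bytes on any high port is a
# weak signature; expect hits on unrelated traffic, and as the note below says it
# only works while the client still emits that identifier.
# NOTE(review): both circuit rules carry an empty content:"" with
# rawbytes/distance/within modifiers. Some engines reject a zero-length pattern at
# rule load; confirm the engine in use accepts it, otherwise the rule is dropped.
# 2008113 / 2008115 are the HTTP-normalised (uricontent) versions for $HTTP_PORTS
# and have no threshold, so they fire on every directory fetch.
#Submitted by an anonymous researcher
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY TOR 1.0 Server Key Retrieval"; flow:established,to_server; content:"GET /tor/server/"; depth:16; threshold:type limit, track by_src, count 1, seconds 30; classtype:policy-violation; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002950; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Tor; sid:2002950; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY TOR 1.0 Status Update"; flow:established,to_server; content:"GET /tor/status/"; depth:16; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002951; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Tor; sid:2002951; rev:5;)
#this sig is good as long as the client isn't recompiled to use an identifier other than TOR..
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET POLICY TOR 1.0 Inbound Circuit Traffic"; flow:established; content:"TOR"; content:""; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; classtype:policy-violation; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002952; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Tor; sid:2002952; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY TOR 1.0 Outbound Circuit Traffic"; flow:established; content:"TOR"; content:""; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; classtype:policy-violation; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002953; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Tor; sid:2002953; rev:5;)
#by Nathaniel Richmond
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Tor Get Server Request"; flow:established,to_server; uricontent:"/tor/server/"; nocase; reference:url,tor.eff.org; classtype: policy-violation; reference:url,doc.emergingthreats.net/2008113; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Tor; sid:2008113; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Tor Get Status Request"; flow:established,to_server; uricontent:"/tor/status/"; nocase; reference:url,tor.eff.org; classtype: policy-violation; reference:url,doc.emergingthreats.net/2008115; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Tor; sid:2008115; rev:2;)
# 2010797: a cleartext HTTP POST (content "POST " at depth 5) to /status/update that
# carries authenticity_token= and status= form fields, with "twitter.com" somewhere
# in the request. Only unencrypted posts are visible to these content matches.
#by Mike Cox
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Twitter Status Update"; flow:to_server,established; content:"POST "; depth:5; uricontent:"/status/update"; content:"twitter.com"; nocase; content:"authenticity_token="; nocase; content:"status="; nocase; classtype:policy-violation; reference:url,twitter.com; reference:url,doc.emergingthreats.net/2010797; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Twitter; sid:2010797; rev:2;)
# 2008533: a run of 22 zero bytes anywhere in an outbound UDP/53 payload. Nothing
# (no offset/depth) anchors the match, so any DNS packet containing that many
# consecutive NULs matches; the one-alert-per-source-per-60 s limit is what keeps
# it usable. Treat a hit as a prompt to look at the querying host, not as proof
# of Ultrasurf.
# from Rodrigo Montoro(Sp0oKeR). This isn't a hostile app, but may be interesting to know who's using it
# Rule by SERPRO-Recife Security Team
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 1, seconds 60; reference:url,doc.emergingthreats.net/2008533; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Ultrasurf; sid:2008533; rev:3;)
# 2001449 (disabled): the string "Proxy-Connection" anywhere in an established
# outbound tcp/80 stream, with no direction or header anchoring. Clients typically
# emit that header when they are configured to go through an HTTP proxy, so this
# surfaces hosts using an external proxy on port 80 rather than hostile activity;
# expect it to be noisy wherever a proxy is sanctioned.
#Submitted by Erik Vincent
#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY Proxy Connection detected"; flow: established; content:"Proxy-Connection"; classtype: attempted-user; reference:url,doc.emergingthreats.net/2001449; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_Proxying; sid: 2001449; rev:5;)
#
#You MUST add the SMTP_SERVERS var to your snort.conf!!!!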
# --- Direct-to-MX mail from non-mail-server hosts (sids 2000328, 2002087, 2003864) ---
# All three key on "mail from:" (nocase) inside an established tcp session.
# 2000328: a host NOT in $SMTP_SERVERS sending 10+ MAIL FROM to outside tcp/25
#          within 120 s -- the classic spambot / compromised-workstation signal.
# 2002087: an outside host pushing 10+ MAIL FROM at $HOME_NET:25 within 60 s.
# 2003864: any MAIL FROM from a non-$SMTP_SERVERS host to outside tcp/587
#          (count 1 / 60 s). Per the note below, enable only where 587 is not
#          used locally; otherwise every legitimate submission client fires it.
# NOTE(review): the headers negate $SMTP_SERVERS, so the variable must be defined
# (see the warning above). If it is missing or set to something broad such as the
# whole of $HOME_NET, the negation silently excludes the hosts you want to watch.
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2000328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid: 2000328; rev:11;)
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002087; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid: 2002087; rev:9;)
#Seeing some bots use 587 as an outbound mail stream. Use this if you do NOT use 587 locally
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 587 (msg: "ET POLICY Outbound SMTP on port 587"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 1, seconds 60; classtype: misc-activity; reference:url,doc.emergingthreats.net/2003864; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid: 2003864; rev:3;)
# 2007746: an exactly-25-byte payload (dsize:25) containing "Gold VIP Club Casino"
# sent to outside tcp/20000 -- a gambling client check-in; policy, not threat.
#by Matt Jonkman, sandnetted binary
# App on port 20000 for this casino stuff. Not malicious, but likely not allowed in most environments
alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET POLICY Gold VIP Club Casino Client in Use"; flow:established,to_server; dsize:25; content:"Gold VIP Club Casino"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2007746; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_VIP_Gold_Casino; sid:2007746; rev:5;)
# --- MyWebEx / Access Anywhere remote access (sids 2001712-2001714) ---
# All three are pinned to hard-coded netblocks (208.8.81.0/24, 64.68.96.0/19).
# NOTE(review): vendor address space moves; re-verify these ranges before relying
# on the rules, or move them into a variable so they can be updated in one place.
# 2001712: short (<50 byte) TLS application-data records (first byte 0x17) to
#          those ranges on 443, one alert per source per 6 min.
# 2001713: the cleartext installer fetch "/pc/r.php?AT=RS".
# 2001714: a TLS handshake record (16 03) from those ranges with "Comodo" in the
#          first 240 bytes and "accessanywhere.com" at a fixed offset (592, depth
#          48). The fixed offsets tie this to one certificate layout; a certificate
#          renewal may well stop it matching.
# Submitted by Jason Alvarado
alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] 443 (msg:"ET POLICY MyWebEx Server Traffic"; flow: to_server,established; dsize: <50; content:"|17|"; offset: 0; depth: 1; threshold: type limit,track by_src, count 1, seconds 360; reference:url,www.mywebexpc.com/how.php; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001712; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_WebEx_Traffic; sid: 2001712; rev:5;)
alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] $HTTP_PORTS (msg:"ET POLICY MyWebEx Installation"; flow: to_server,established; content:"/pc/r.php?AT=RS"; nocase; threshold: type limit, track by_src, count 1, seconds 30; reference:url,www.mywebexpc.com/how.php; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001713; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_WebEx_Traffic; sid: 2001713; rev:5;)
alert tcp [208.8.81.0/24,64.68.96.0/19] 443 -> $HOME_NET any (msg:"ET POLICY MyWebEx Incoming Connection"; flow: to_client,established; content:"|16 03|"; offset: 0; depth: 2; content:"Comodo"; nocase; depth: 240; content:"accessanywhere.com"; nocase; offset: 592; depth: 48; reference:url,www.mywebexpc.com/how.php; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001714; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_WebEx_Traffic; sid: 2001714; rev:5;)
# 2002407: "WebshotsNetClient" on the User-Agent line of outbound HTTP -- a
# desktop-wallpaper client; inventory / policy signal only.
#By Robert Grabowsky
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY WebshotsNetClient"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WebshotsNetClient/i"; reference:url,www.webshots.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002407; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_WebShots; sid:2002407; rev:4;)
# --- Scripted HTTP clients and crawlers by User-Agent ---
# (sids 2002822-2002833, 2002934/2002935, 2002943-2002946)
# Each tool has a per-request rule (disabled) and a "Crawl" rule that needs 10
# requests from one source within 60 s (threshold type both -> one alert per
# window). They anchor on the "|0d 0a|User-Agent: " header and look for the tool
# name within a short window after it.
# The User-Agent is entirely client-controlled: a scanner can claim to be
# Googlebot, and a real scripted client can send a browser UA. For the search
# engine rules, confirm the source address (e.g. reverse then forward DNS) before
# acting on an alert; for wget/curl/fetch/libwww-perl/python/Java, the absence of
# an alert proves nothing.
# NOTE(review): 2002822 uses $HTTP_SERVERS where every sibling uses $HOME_NET;
# harmless if the two variables overlap, but worth aligning.
# NOTE(review): the Java rules put an unescaped "/" inside the pcre delimiters
# ("...Java/\d\.\d+/i"). Snort treats the last "/" as the closing delimiter, so
# it parses; confirm the same on any other engine before reusing the pattern.
#by Jacob Kitchel of infotex
#These are of particular use in detecting recon for phishing, etc.
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Wget User Agent"; flow:established,to_server; content:"Wget"; nocase; pcre:"/User-Agent\:[^\n]+Wget/i"; reference:url,www.gnu.org/software/wget; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2002822; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002822; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY POSSIBLE Web Crawl using Wget"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| "; nocase; content:"Wget"; nocase; within:50; threshold: type both, track by_src, count 10, seconds 60; classtype: attempted-recon; reference:url,www.gnu.org/software/wget/; reference:url,doc.emergingthreats.net/2002823; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002823; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY CURL User Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"curl"; nocase; distance:0; within:100; reference:url,curl.haxx.se; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2002824; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002824; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY POSSIBLE Web Crawl using Curl"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"curl"; nocase; distance:0; within:100; threshold: type both, track by_src, count 10, seconds 60; classtype:attempted-recon; reference:url,curl.haxx.se; reference:url,doc.emergingthreats.net/2002825; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002825; rev:6;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY fetch User Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"fetch"; nocase; distance:0; within:50; reference:url,gobsd.com/code/freebsd/lib/libfetch; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2002826; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002826; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY POSSIBLE Crawl using Fetch"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"fetch"; nocase; distance:0; within:50; threshold: type both, track by_src, count 10, seconds 60; classtype: attempted-recon; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002827; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002827; rev:5;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY libwww-perl User Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"libwww-perl/"; nocase; distance:0; within:50; reference:url,www.linpro.no/lwp/; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2002934; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002934; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY libwww-perl User Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"libwww-perl/"; nocase; distance:0; within:50; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.linpro.no/lwp/; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2002935; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002935; rev:5;)
#These aren't security issues necessarily, but you may be interested in seeing how often these crawlers hit you
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY googlebot User Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"googlebot"; within:50; nocase; reference:url,www.google.com/webmasters/bot.html; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2002828; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002828; rev:5;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot Crawl"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"googlebot"; within:50; nocase; threshold: type both, track by_src, count 10, seconds 60; classtype: attempted-recon; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002829; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002829; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY msnbot User Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"msnbot"; nocase; within:30; reference:url,search.msn.com/msnbot.htm; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2002830; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002830; rev:5;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot Crawl"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"msnbot"; nocase; within:30; threshold: type both, track by_src, count 10, seconds 60; classtype: attempted-recon; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002831; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002831; rev:5;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Crawler User Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"Yahoo-MMCrawler"; nocase; within:50; reference:url,mms-mmcrawler-support@yahoo-inc.com; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2002832; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002832; rev:6;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Crawler Crawl"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"Yahoo-MMCrawler"; within:50; nocase; threshold: type both, track by_src, count 10, seconds 60; classtype: attempted-recon; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002833; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002833; rev:4;)
#by Jacob Kitchel
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY python.urllib User Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"python.urllib/"; nocase; within:50; reference:url,docs.python.org/lib/module-urllib.html; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2002944; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002944; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY python.urllib User Agent Web Crawl"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:"python.urllib/"; nocase; within:50; threshold: type both, track by_src, count 10, seconds 60; reference:url,docs.python.org/lib/module-urllib.html; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2002943; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002943; rev:6;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\:"; nocase; content:"Java/"; nocase; within:50; pcre:"/User-Agent\:[^\n]+Java/\d\.\d+/i"; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2002946; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002946; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; content:"|0d 0a|User-Agent\:"; nocase; content:"Java/"; nocase; within:50; pcre:"/User-Agent\:[^\n]+Java/\d\.\d+/i"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; classtype: attempted-recon; reference:url,doc.emergingthreats.net/2002945; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Web_Crawling; sid:2002945; rev:6;)
# --- Webmail activity (Yahoo 2000041-2000045, 2000341, 2001044; Gmail 2001424-2001426) ---
# All are cleartext-HTTP URI/body matches on webmail endpoints of the time; over
# TLS they see nothing, so treat them as legacy. The Yahoo Mail rules are disabled;
# the Briefcase upload and the Gmail rules are live.
# NOTE(review): 2000043 ("Compose Open") and 2000044 ("Message Send") have identical
# match logic (uricontent:"/ym/Compose" and nothing else), so 2000044 cannot tell a
# send from merely opening the composer -- presumably it was meant to require a POST.
# Confirm before enabling either.
# 2001425 / 2001426 key on multipart form-data field names (msgbody, to, file0)
# rather than on a Gmail host or URI, so any other cleartext form using those field
# names will match as well.
#Originally posted by Matt Jonkman, major tweaks by Matt Watchinski.
#Less useful rules are disabled, feel free to enable if you require the information. They are functional and accurate
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Yahoo Mail Inbox View"; flow: to_server,established; uricontent:"/ym/ShowFolder"; nocase; content:"rb=Inbox"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000041; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Webmail; sid: 2000041; rev:11;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Yahoo Mail Message View"; flow: to_server,established; uricontent:"/ym/ShowLetter"; nocase; content:"MsgId"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000042; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Webmail; sid: 2000042; rev:11;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Yahoo Mail Message Compose Open"; flow: to_server,established; uricontent:"/ym/Compose"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000043; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Webmail; sid: 2000043; rev:10;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Yahoo Mail Message Send"; flow: to_server,established; uricontent:"/ym/Compose"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000044; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Webmail; sid: 2000044; rev:9;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Yahoo Mail Message Send Info Capture"; flow: to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000045; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Webmail; sid: 2000045; rev:10;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Yahoo Mail General Page View"; flow: to_server,established; uricontent:"/ym/login"; nocase; content:".rand="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2000341; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Webmail; sid: 2000341; rev:8;)
#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Yahoo Briefcase Upload"; flow: to_server,established; content:"briefcase.yahoo.com"; uricontent:"/process_bcmultipart_form"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001044; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Webmail; sid: 2001044; rev:6;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gmail Inbox Access"; flow: to_server,established; uricontent:"/gmail?view=tl&search=inbox&start="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001424; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Webmail; sid: 2001424; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gmail File Send"; flow: to_server,established; content:"Content-Disposition\: form-data\; name=\"msgbody\""; nocase; content:"name=\"form-data\; file0\"\; filename=\""; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001425; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Webmail; sid: 2001425; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gmail Message Send"; flow: to_server,established; content:"Content-Disposition\: form-data\; name=\"to\""; nocase; content:"Content-Disposition\: form-data\; name=\"msgbody\""; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/2001426; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Webmail; sid: 2001426; rev:6;)
# 2003168: "WinampMPEG" on the User-Agent line of outbound HTTP -- media streaming;
# a bandwidth/policy signal, no threshold so it fires per request.
#by Andrew Wood
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Winamp Streaming User Agent"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+WinampMPEG/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003168; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Winamp; sid: 2003168; rev:3;)
# 2010228 (disabled): client inventory -- "Windows NT 6.1" inside a
# "Mozilla/4.0 (compatible; ..." User-Agent, one alert per source per 60 s.
# Like every UA rule here, it reports what the client claims, not what it is.
#by evilghost
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Microsoft Windows 7 User-Agent detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible; "; nocase; content:"|3b 20|Windows NT 6.1|3b 20|"; distance:0; within:40; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.microsoft.com/windows/windows-7/default.aspx; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010228; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Windows_7; sid:2010228; rev:2;)
#this sig is to catch HTTP User agents that specify Windows 98 as the platform
# Mostly to catch spyware and auto-downloaders that still use these as fake User Agent strings
# You may also use this to catch any local win98 machines if they're no longer supposed to be in production
# (which for goodness sake they shouldn't!! Haven't been patched for years!)
# Two variants: the long form "Windows 98" and the short token "Win98". Each anchors on the
# User-Agent header, requires the platform string within 200 bytes, then confirms with a PCRE.
# The User-Agent is client-supplied, so a hit is a lead (possibly a forged UA), not proof of a Win98 host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"Windows 98"; within:200; pcre:"/User-Agent\:[^\n]+Windows 98/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Windows_98; sid:2007695; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (Win98)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"Win98"; within:200; pcre:"/User-Agent\:[^\n]+Win98/i"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Windows_98; sid:2008070; rev:2;)
#by Jacob Kitchel of infotex
#Windows Update operates over port 80 or 443 (443 not detected here). It uses this user
#agent with the hostname. 
# This sig can be used to identify internal hosts that are
#not using an internal patching server.
# Disabled (commented out). Destination is $EXTERNAL_NET, so it fires only for update traffic
# leaving the network; rate-limited to one alert per source per 300 seconds.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; content:"Host\:"; nocase; within:20; pcre:"/User-Agent\:[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002948; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Windows_Updates; sid:2002948; rev:6;)
#this sig can be used to track internal updates, or updates in general
# Disabled (commented out). Same match as above but with destination "any", so internal update servers are included.
#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; content:"Host\:"; nocase; within:20; pcre:"/User-Agent\:[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/2002949; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Windows_Updates; sid:2002949; rev:6;)
#Matt Jonkman
# WinPcap installer fetching its install banner from www.winpcap.org with the NSISDL User-Agent.
# A packet-capture driver being installed on a workstation is worth confirming against change records.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Winpcap Installation in Progress"; flow:established,to_server; uricontent:"/install/banner/"; nocase; pcre:"/\d/\d+.jpg/Ui"; content:"Host\: www.winpcap.org"; nocase; content:"User-Agent\: NSISDL"; nocase; reference:url,www.winpcap.org; classtype: policy-violation; reference:url,doc.emergingthreats.net/2002866; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Winpcap_Install; sid:2002866; rev:3;)
#moving to policy, it's just a sign of an install. 
# You should note whether that install was authorized or not.
# classtype stays trojan-activity although the rule lives in the POLICY set: the Wise installer
# User-Agent is also seen from unwanted-software installers (see the CA pest reference).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow: to_server,established; content:"|0d 0a|User-Agent\: Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002167; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Wise; sid:2002167; rev:13;)
#by Mark Tombaugh
# NOTE(review): the X-Box Live rule below appears truncated in this copy — its content match, closing
# options and the header of the following Yahoo 360 rule are missing, so the line as printed is not a
# loadable rule. Confirm against the upstream rules file before enabling either sid (2003454 is the Yahoo 360 one).
alert udp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"ET POLICY X-Box Live Connecting"; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo 360 Social Site Access"; flow:established,to_server; content:"Host\: 360.yahoo.com"; threshold: type both, track by_src, count 5, seconds 300; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003454; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Yahoo360; sid:2003454; rev:3;)
#Submitted by Joel Esler
# Disabled (commented out): ZIP local-file-header magic (|50 4B 03 04|) plus a bare extension string,
# on any port in either direction. Very broad; presumably commented out for noise reasons.
#alert tcp any any -> any any (msg:"ET POLICY ZIPPED DOC in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".doc"; nocase; classtype: not-suspicious; reference:url,doc.emergingthreats.net/2001402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Zip_Contents; sid: 2001402; rev:5;)
#alert tcp any any -> any any (msg:"ET POLICY ZIPPED XLS in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".xls"; nocase; classtype: not-suspicious; reference:url,doc.emergingthreats.net/2001403; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Zip_Contents; sid: 2001403; rev:5;)
#alert tcp any any -> any any (msg:"ET POLICY ZIPPED EXE in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".exe"; nocase; classtype: not-suspicious; reference:url,doc.emergingthreats.net/2001404; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Zip_Contents; sid: 2001404; rev:5;)
#alert tcp any any -> any any (msg:"ET POLICY ZIPPED PPT in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".ppt"; nocase; classtype: not-suspicious; reference:url,doc.emergingthreats.net/2001405; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Zip_Contents; sid: 2001405; rev:5;)
#From David Glosser
# The hex in each rule is "  .cplPK" / "  .pifPK" / "  .scrPK": an archive entry name ending in two
# spaces and an executable extension, immediately followed by the next ZIP entry signature "PK".
# The padded name presumably hides the real extension from a casual look at the archive listing.
# Bidirectional (<>) on any port; the "tagged" flowbit guard plus tag:host captures one extra
# packet from the source for triage, once per flow.
alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY Possible hidden zip extension .cpl"; flow:established; flowbits:isnotset,tagged; content:"|20 20 2E 63 70 6C 50 4B|"; nocase; tag: host,1,packets,src; flowbits:set,tagged; classtype: suspicious-filename-detect; reference:url,doc.emergingthreats.net/2001406; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Zip_Contents; sid: 2001406; rev:8;)
alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY Possible hidden zip extension .pif"; flow:established; flowbits:isnotset,tagged; content:"|20 20 2E 70 69 66 50 4B|"; nocase; tag: host,1,packets,src; flowbits:set,tagged; classtype: suspicious-filename-detect; reference:url,doc.emergingthreats.net/2001407; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Zip_Contents; sid: 2001407; rev:8;)
alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY Possible hidden zip extension .scr"; flow:established; flowbits:isnotset,tagged; content:"|20 20 2E 73 63 72 50 4B|"; nocase; tag: host,1,packets,src; flowbits:set,tagged; classtype: suspicious-filename-detect; reference:url,doc.emergingthreats.net/2001408; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Zip_Contents; sid: 2001408; rev:8;)
# Submitted 2006-09-17 by Mark Warren
# This signature was designed to detect access to http://www.bodog.com
# This website contains pornography, gambling, sports and sports-related betting
# The commercials for this website state that 
# portions of the site were designed
# to bypass security filters.
# Matches the Host header against the listed bodog* .com domains only; other TLDs or subdomains are not covered.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Porn-Sports-Gambling site designed to bypass restrictions"; flow:to_server,established; content:"Host\:"; nocase; pcre:"/Host\:[^\n]+\.(bodog|bodogbeat|bodognation|bodogmusic|bodogconference|bodogpokerchampionships)\.com/i"; reference:url,www.bodog.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_bodog.com; sid:2003100; rev:4;)
# Submitted 2006-08-30 by Russ McRee
# iMesh 6 client: "/kiss" in the request plus a MusicNet User-Agent; limited to one alert per source per 360 seconds.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY iMesh 6 User Agent"; flow:established,to_server; content:"/kiss"; nocase; content:"|0d 0a|User-Agent\: "; pcre:"/User-Agent\:[^\n]+MusicNet/i"; classtype:policy-violation; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2003093; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_iMesh; sid:2003093; rev:3;)