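# Local Snort rules for mass-mailer / worm / bot detection (outbound-focused).
# Conventions used below:
#   - $HOME_NET / $EXTERNAL_NET are the standard snort.conf variables.
#   - Rules in the 1000000+ range are local; a few copies of VRT rules keep
#     their VRT sid (2351, 2352, 2513, 2526) -- see the note on each.
#   - Base64 `content` patterns match the encoded MZ/PE header of a mail
#     attachment; hex `|..|` patterns match raw bytes.
#   - Relative `distance`/`within` pairs chain on the previous content match;
#     `within` equal to the pattern length pins the pattern to an exact offset.
#   - Every rule whose options were changed in this revision has its rev bumped.

# |54| is "T": the pattern is the base64 encoding of an MZ executable header.
alert tcp $HOME_NET any -> any 25 (content:"|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"; msg:"VIRUS SWEN.A Worm detected"; classtype:trojan-activity; sid:1000000; rev:2; )

# Bagle HTTP beacon: fixed User-Agent in a small (<150 byte) request.
alert tcp $HOME_NET any -> any 80 (content:"User-Agent\: beagle_beagle"; flags:ap; dsize:< 150; msg:"VIRUS Bagle Worm"; classtype:trojan-activity; sid:1000001; rev:4; )

alert tcp $HOME_NET any -> any 25 (content:"7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh"; flags:ap; msg:"VIRUS Beagle Worm"; classtype:trojan-activity; sid:1000002; rev:2; )

# NOTE(review): source port 53 -> destination port any is the shape of traffic
# leaving a resolver that sends from port 53; a client query would be
# "$HOME_NET any -> 212.5.86.163 53". Left as written -- confirm intent.
alert udp $HOME_NET 53 -> 212.5.86.163 any (msg:"VIRUS MiMail.P Worm - DNS Query"; classtype:trojan-activity; sid:1000003; rev:2; )

alert tcp $HOME_NET any -> any 25 (content:"pp-app.zip"; msg:"VIRUS MiMail.P Worm - Mail Attachment"; classtype:trojan-activity; sid:1000004; rev:2; )

# Novarg/MyDoom.A outbound mail: base64 of the MZ header, then the base64 of
# the PE signature ("UEUA" ... "AEwBAW"), then later PE header fields.
# Fixes vs rev 4: protocol was "icmp" with port 25 (ports are meaningless on
# icmp and SMTP is TCP), and "UEUA..AEwBAW" used "." as a wildcard, which
# `content` does not support -- it is now two contents pinned 2 bytes apart,
# so the chain's end offset (and the following distance/within) is unchanged.
alert tcp $HOME_NET any -> any 25 (content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; distance:2; within:20; content:"UEUA"; content:"AEwBAW"; distance:2; within:6; content:"DgAA8BCwEHAABQAAAAE"; distance:16; within:40; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; distance:16; within:30; msg:"VIRUS Outbound W32.Novarg.A worm"; classtype:trojan-activity; sid:1000005; rev:5; )

# MyDoom / MiMail.R bounce-style lures: fixed body phrase plus a base64
# octet-stream attachment. All three header contents are case-insensitive.
alert tcp $HOME_NET any -> any 25 (content:"represented in 7-bit ASCII"; nocase; content:"Content-Type\: application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: base64"; nocase; msg:"VIRUS MyDoom/MIMAIL.R Outbound 1"; classtype:trojan-activity; sid:1000006; rev:2; )
alert tcp $HOME_NET any -> any 25 (content:"Mail transaction failed"; nocase; content:"Content-Type\: application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: base64"; nocase; msg:"VIRUS MyDoom/MIMAIL.R Outbound 2"; classtype:trojan-activity; sid:1000007; rev:3; )
alert tcp $HOME_NET any -> any 25 (content:"The message contains Unicode characters"; nocase; content:"Content-Type\: application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: base64"; nocase; msg:"VIRUS MyDoom/MIMAIL.R Outbound 3"; classtype:trojan-activity; sid:1000008; rev:2; )
alert tcp $HOME_NET any -> any 25 (content:"We are sorry your UTF-8 encoding is not supported by the server"; nocase; msg:"VIRUS MyDoom/MIMAIL.R Variant Outbound"; classtype:trojan-activity; sid:1000009; rev:2; )

# Novarg DoS request against www.sco.com. dsize:37 is exactly the length of
# "GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n" (14+2+17+4); rev 1 had
# "GET HTTP/1.1" (35 bytes), which could never fill a 37-byte payload ending
# in |0d0a0d0a| -- the request line now includes "/ ".
alert tcp any any -> any 80 (content:"GET / HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset:0; dsize:37; msg:"VIRUS W32.Novarg.A SCO DOS"; classtype:trojan-activity; sid:1000010; rev:2; )

# NOTE(review): the hex content decodes to "Windows-1252", a common charset
# label; combined with a run of base64 padding-like text this rule is likely
# to be noisy on any port. Consider restricting the port if false positives
# are observed.
alert tcp $HOME_NET any -> any any (content:"gICAgICAgICAgICAgICAgICAg"; content:"|57 69 6E 64 6F 77 73 2D 31 32 35 32|"; msg:"VIRUS MyDoom.F Worm"; classtype:trojan-activity; sid:1000011; rev:2; )

# Netsky dropper over SMB: the hex contains the ".petite" packer section name.
alert tcp $HOME_NET any -> any 139 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"VIRUS Netsky message.zip HEX port 139"; classtype:trojan-activity; sid:1000013; rev:2; )
alert tcp $HOME_NET any -> any 445 (content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; msg:"VIRUS Netsky message.zip HEX port 445"; classtype:trojan-activity; sid:1000014; rev:2; )

# Netsky base64 body fragment over Lotus Notes (1352) and SMTP (25).
alert tcp $HOME_NET any -> any 1352 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"VIRUS Netsky base64 port 1352"; classtype:trojan-activity; sid:1000015; rev:2; )
# Fix vs rev 2: protocol was "icmp" with port 25; the msg and the port say
# SMTP, which is TCP, and ports are ignored on icmp rules.
alert tcp $HOME_NET any -> any 25 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"VIRUS Netsky base64 port 25"; classtype:trojan-activity; sid:1000016; rev:3; )

# Sober.F: attachment header followed, within 1280 bytes, by a known base64
# fragment of the attachment (case-insensitive).
alert tcp $HOME_NET any -> any 25 (content:"Content-Disposition\: attachment\; filename="; content:"NlJhIn5GWj4mcjUifkZaMmpGejZpImom"; nocase; within:1280; flow:established,to_server; msg:"VIRUS Sober.F Outbound"; classtype:trojan-activity; sid:1000017; rev:2; )
alert tcp $HOME_NET any -> any 25 (content:"Content-Disposition\: attachment\; filename="; content:"dllygSJ+Rlp2YjEiblZtIm4uJlVtaSJu"; nocase; within:1280; flow:established,to_server; msg:"VIRUS Sober.F Outbound"; classtype:trojan-activity; sid:1000018; rev:2; )

# Sasser/Korgo LSASS exploit from an internal host. Depends on the flowbit
# set by the support rules at the bottom of this file (sid 2513 / 2526).
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"VIRUS Sasser/Korgo Worm"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:1000019; rev:7;)

# Stdbot ICMP payload markers (32 raw bytes each). ICMP rules take no ports.
alert icmp $HOME_NET any -> any any (content:"|28 0E 49 8D B5 17 B9 6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|"; msg:"VIRUS W32/Stdbot.worm.a"; classtype:trojan-activity; sid:1000020; rev:2; )
alert icmp $HOME_NET any -> any any (content:"|FE 26 B9 92 CB 12 FC FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 03 76|"; msg:"VIRUS W32/Stdbot.worm.b"; classtype:trojan-activity; sid:1000021; rev:2; )

# Nachi/Phatbot RPC DCOM (MS03-026) from an internal host; little-endian and
# big-endian byte_test variants.
# NOTE(review): sid 2351/2352 are VRT sids. If the VRT NETBIOS rules are also
# loaded, Snort will reject the duplicate sid at startup; renumber into the
# local range (1000000+) if that happens.
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"VIRUS Nachi/Phatbot Worm"; flow:to_server,established; content:"|05|"; distance:0; within:1; byte_test:1,&,16,3,relative; content:"|5c 00 5c 00|"; byte_test:4,>,256,-8,little,relative; reference:cve,CAN-2003-0352; reference:bugtraq,8205; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.asp; classtype:attempted-admin; sid:2351; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"VIRUS Nachi/Phatbot Worm"; flow:to_server,established; content:"|05|"; distance:0; within:1; byte_test:1,<,16,3,relative; content:"|5c 00 5c 00|"; byte_test:4,>,256,-8,relative; reference:cve,CAN-2003-0352; reference:bugtraq,8205; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.asp; classtype:attempted-admin; sid:2352; rev:3;)

# Korgo IRC C2 -- pure IP/port match, no payload. classtype added (rev 2) so
# the alert gets the same priority as the other VIRUS rules.
alert tcp $HOME_NET any -> [217.29.87.254,62.235.13.228,129.27.9.248] 6667 (msg:"VIRUS Korgo Worm IRC Connection"; classtype:trojan-activity; sid:1000050; rev:2;)

# Evaman lure. NOTE(review): the "." between the name and extension groups is
# an unescaped regex metacharacter and matches any byte; "formart" is kept
# as written in case it is the worm's own misspelling -- confirm against a
# sample before "fixing" either. classtype added (rev 4).
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS Possible Evaman Worm"; content:"filename="; pcre:"m/(body|message|email|returned|text|document).(scr|txt.scr|html.scr|outlook.scrtxt.exe)/"; content:"formart"; reference:url,secunia.com/virus_information/10429/evaman; classtype:trojan-activity; rev:4; sid:1000052;)

# Atak.mm lure. NOTE(review): "Resear cher" is kept as written (possibly the
# worm's own text) -- confirm against a sample. classtype added (rev 2).
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS Possible Atak.mm Worm"; content:"Authorized Resear cher Only"; pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; content:"filename="; content:".zip"; classtype:trojan-activity; rev:2; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html; sid:1000053;)

# Bagle.AI lure: attachment name list plus subject/body phrases. The "." in
# the first pcre is unescaped (matches any byte). classtype added (rev 4).
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS Possible Bagle.AI Worm"; content:"filename="; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/"; classtype:trojan-activity; rev:4; sid:1000054;)

# Disabled rules. Their headers were not parseable as written (1000055 lacked
# a source port, 1000056 lacked a protocol); both are corrected here so they
# can be enabled without a startup error.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Possible Randex, Failed Windows Authentication Port 445"; flags: AP; content:"SMBsm"; flow:established; sid:1000055;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Webber/Berbew Trojan keystroke log upload"; flow:established; content:"id=crutop|26|vvpupkin0="; depth:20; classtype:trojan-activity; reference:url,www.lurhq.com/berbew.html; sid:1000056; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr - Possible Bagle Variant"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".scr|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:1000057; rev:4;)

# RBOT/rxbot IRC status lines: "]: Exploiting IP: " and ".advscan ".
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"VIRUS RBOT Exploit Report"; content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; nocase; classtype:trojan-activity; reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; sid:1000058; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"VIRUS RBOT Vulnerability Scan"; content:"|2E|advscan|20|"; nocase; classtype:trojan-activity; reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; reference:url,www.muzzleflash.org/readarticle.php?article_id=5#scanning; sid:1000059; rev:1;)

# RBOT ASN.1 (MS04-007) attempt over NetBIOS; msg keeps the original spelling.
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"VIRUS RBOT ANS.1 Overflow"; content:"|A1 05 23 03 03 01 07|"; flow:to_server,established; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; classtype:bad-unknown; sid:1000060; rev:1;)

# Outbound SYN flood heuristic. flags:S,12 ignores the two reserved bits.
# NOTE(review): the msg says "30 SYN pps" but the threshold fires at 30 SYNs
# per destination per 60 seconds (0.5/s); align the msg or the threshold
# once the intended rate is confirmed.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DoS Possible SYN Flood, 30 SYN pps"; flags:S,12; threshold: type both, track by_dst, count 30 seconds 60; sid:1000061; rev:1;)

# The following are support rules, so we can use flowbits to reduce false positives
#
# They set netbios.lsass.bind.attempt for sid 1000019 and never alert on
# their own (flowbits:noalert). Direction is $HOME_NET -> $EXTERNAL_NET to
# match sid 1000019; the VRT originals watch the opposite direction.
# NOTE(review): sid 2513/2526 are VRT sids -- see the note on 2351/2352.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2513; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2526; rev:6;)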