[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727... bleeding at ...2727...
Wed Feb 2 08:31:50 EST 2005


[***] Results from Oinkmaster started Tue Feb  1 20:00:02 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-malware.rules (16):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Search Relevancy Spyware"; uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase; flow:established,to_server; sid:2001696; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Flingstone Spyware Install"; uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase; flow:established,to_server; sid:2001710; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Windupdates.com Spyware Install"; uricontent:"/cab/CDTInc/ie/"; nocase; uricontent:".cab"; nocase; flow:established,to_server; sid:2001700; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download"; uricontent:"/agentprefs.sah" nocase; flow:established,to_server; sid:2001709; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Heartbeat"; uricontent:"/s.dll?MfcISAPICommand=heartbeat&param=" nocase; flow:established,to_server; sid:2001708; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Install"; uricontent:"/AproposClientInstaller.exe"; nocase; flow:established,to_server; sid:2001704; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Activity"; content:"User-Agent\: AproposClient AutoLoader"; nocase; flow:established,to_server; sid:2001703; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware YourSiteBar Activity"; classtype:trojan-activity; reference:url,www.ysbweb.com; content:"User-Agent\: istsvc"; nocase; flow:to_server,established; sid:2001699; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Activity"; content:"User-Agent\: SAH Agent" nocase; flow:established,to_server; sid:2001707; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware YourSiteBar Data Submision"; classtype:trojan-activity; reference:url,www.ysbweb.com; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; flow:to_server,established; sid:2001698; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop at Home Select Spyware Activity"; content:"User-Agent\: Bundle" nocase; flow:established,to_server; sid:2001702; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Data Submission"; classtype:trojan-activity; reference:url,www.isearchtech.com; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; flow:to_server,established; sid:2001697; rev:1;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE Malware Likely Spambot Web-based Control Traffic"; content:"User-Agent\: Godzilla"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001711; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Flingstone Spyware Install"; uricontent:"/softwares/SportsInteraction.exe"; nocase; flow:established,to_server; sid:2001705; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Context Plus Spyware Activity"; uricontent:"User-Agent\: EnvoloAutoUpdater AutoLoader"; nocase; flow:established,to_server; sid:2001706; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Windupdates.com Spyware Loggin Data"; uricontent:"/logging.php?p="; nocase; content:"Host\: public.windupdates.com"; nocase; flow:established,to_server; sid:2001701; rev:2;)

     -> Added to bleeding-virus.rules (1):
        alert TCP $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bagle.BJ [alias .AY, .BC] - download attempt"; content:"GET /error.jpg"; nocase; reference:url,secunia.com/virus_information/14877/; classtype:trojan-activity; flow:established; sid: 2001695; rev:1;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-dos.rules (2):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE DOS squ1rt Apache DoS"; flow: to_server,established; flowbits: isset,http.get; dsize: 1448; content:"|20202020|"; depth: 4; content: "|20202020|"; offset: 1436; depth: 4; sid:2001636; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE DOS squ1rt Apache DoS"; flow: to_server,established; flowbits: isset,http.get; dsize: 1448; content:"|20202020|"; depth: 4; content: "|20202020|"; offset: 1436; depth: 4; classtype:attempted-dos; sid:2001636; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE DOS HTTP GET with newline appended"; content:"GET / HTTP/1.0|0a|"; flow:to_server,established; flowbits:set,http.get; flowbits:noalert; sid:2001635; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE DOS HTTP GET with newline appended"; content:"GET / HTTP/1.0|0a|"; flow:to_server,established; flowbits:set,http.get; flowbits:noalert; classtype:attempted-dos; sid:2001635; rev:2;)

     -> Modified active in bleeding-exploit.rules (16):
        old: alert tcp any $HTTP_PORTS -> any any ( msg:"BLEEDING-EDGE EXPLOIT IE IFRAME Exploit"; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w{578}|/W{578}/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w{2086}|\W{2086}/im"; flow:from_server,established; sid:2001401; rev:10;)
        new: alert tcp any $HTTP_PORTS -> any any ( msg:"BLEEDING-EDGE EXPLOIT IE IFRAME Exploit"; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w{578}|/W{578}/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w{2086}|\W{2086}/im"; flow:from_server,established; classtype:misc-attack; sid:2001401; rev:11;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in"; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; flow:to_server,established; sid:2001667; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in"; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001667; rev:4;)
        old: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; flow:to_server,established; sid:2001543; rev:3;)
        new: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; flow:to_server,established; classtype:misc-activity; sid:2001543; rev:4;)
        old: alert tcp any any -> any 139 (msg:"BLEEDING-EDGE Pwdump3e Session Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:to_server,established; sid:2000565; rev:2;)
        new: alert tcp any any -> any 139 (msg:"BLEEDING-EDGE Pwdump3e Session Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:to_server,established; classtype:suspicious-login; sid:2000565; rev:3;)
        old: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 Lsasrv.dll RPC exploit (WinXP)";content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; flow:to_server,established; sid:2000033; rev:2;)
        new: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 Lsasrv.dll RPC exploit (WinXP)";content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; flow:to_server,established; classtype:misc-activity; sid:2000033; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE MS04-032 Bad EMF file"; content: "|01 00 00 00|"; depth: 4; content: "|20 45 4d 46|"; depth: 44; offset: 40; byte_test: 4, >, 256, 60, little; flow:from_server,established; sid:2001374; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE MS04-032 Bad EMF file"; content: "|01 00 00 00|"; depth: 4; content: "|20 45 4d 46|"; depth: 44; offset: 40; byte_test: 4, >, 256, 60, little; flow:from_server,established; classtype:misc-activity; sid:2001374; rev:3;)
        old: alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval port 139"; content:"\:|00|5|00|0|00|0"; flow:from_server,established; sid:2000568; rev:3;)
        new: alert tcp $HOME_NET 139 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval port 139"; content:"\:|00|5|00|0|00|0"; flow:from_server,established; classtype:misc-attack; sid:2000568; rev:4;)
        old: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT NTDump.exe Service Started port 445"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; sid:2001544; rev:3;)
        new: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE EXPLOIT NTDump.exe Service Started port 445"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; classtype:misc-activity; sid:2001544; rev:4;)
        old: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; flow:to_server,established; sid:2001052; rev:3;)
        new: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry port 139"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; flow:to_server,established; classtype:misc-activity; sid:2001052; rev:5;)
        old: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 Lsasrv.dll RPC exploit (Win2k)";content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; flow:to_server,established; sid:2000046; rev:2;)
        new: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE MS04011 Lsasrv.dll RPC exploit (Win2k)";content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; flow:to_server,established; classtype:misc-activity; sid:2000046; rev:3;)
        old: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE Pwdump3e pwservice.exe Access port 139"; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; flow:to_server,established; sid:2000567; rev:3;)
        new: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE Pwdump3e pwservice.exe Access port 139"; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; flow:to_server,established; classtype:misc-attack; sid:2000567; rev:4;)
        old: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE Pwdump3e Session Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:to_server,established; sid:2000566; rev:2;)
        new: alert tcp any any -> any 445 (msg:"BLEEDING-EDGE Pwdump3e Session Established Reg-Entry port 445"; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; flow:to_server,established; classtype:suspicious-login; sid:2000566; rev:3;)
        old: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT NTDump.exe Service Started port 139"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; sid:2001053; rev:3;)
        new: alert tcp any any -> $HOME_NET 139 (msg:"BLEEDING-EDGE EXPLOIT NTDump.exe Service Started port 139"; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; flow:to_server,established; classtype:misc-activity; sid:2001053; rev:4;)
        old: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e pwservice.exe Access port 445"; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; flow:to_server,established; sid:2000564; rev:4;)
        new: alert tcp any any -> $HOME_NET 445 (msg:"BLEEDING-EDGE Pwdump3e pwservice.exe Access port 445"; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; flow:to_server,established; classtype:misc-attack; sid:2000564; rev:5;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in (to blahot.com)"; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; content:"Host\: www.blahot.com"; nocase; flow:to_server,established; sid:2001671; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit Blahot Worm Infection Reporting in (to blahot.com)"; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; content:"Host\: www.blahot.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001671; rev:4;)
        old: alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval port 445"; content:"\:|00|5|00|0|00|0"; flow:from_server,established; sid:2000563; rev:4;)
        new: alert tcp $HOME_NET 445 -> any any (msg:"BLEEDING-EDGE Pwdump3e Password Hash Retrieval port 445"; content:"\:|00|5|00|0|00|0"; flow:from_server,established; classtype:misc-attack; sid:2000563; rev:5;)

     -> Modified active in bleeding-inappropriate.rules (10):
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE Inappropriate Sextracker Tracking Code Detected"; content:"BEGIN SEXLIST REFERRER-STATS CODE"; nocase; flow:from_server,established; sid:2001392; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE Inappropriate Sextracker Tracking Code Detected"; content:"BEGIN SEXLIST REFERRER-STATS CODE"; nocase; flow:from_server,established; classtype:kickass-porn; sid:2001392; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Kiddy Porn early teen"; content:"early teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; flow:from_server,established; sid:2001348; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Kiddy Porn early teen"; content:"early teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; flow:from_server,established; classtype:policy-violation; sid:2001348; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn zeps"; content:" zeps "; nocase; flow:from_server,established; sid:2001387; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn zeps"; content:" zeps "; nocase; flow:from_server,established; classtype:policy-violation; sid:2001387; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Inappropriate Likely Porn"; pcre:"/ (FREE XXX|dildo|masturbat|oral sex|ejaculat|up skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|sex|porn)|raw sex|((fuck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; classtype:kickass-porn; sid:2001608; rev:1;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Inappropriate Likely Porn"; pcre:"/ (FREE XXX|dildo|masturbat|oral sex|ejaculat|up skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|sex|porn)|raw sex|((fuck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; flow:established,from_server; classtype:kickass-porn; sid:2001608; rev:2;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn childlover"; content:" childlover "; nocase; flow:from_server,established; sid:2001389; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn childlover"; content:" childlover "; nocase; flow:from_server,established; classtype:policy-violation; sid:2001389; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn pthc"; content:" pthc "; nocase; flow:from_server,established; sid:2001386; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn pthc"; content:" pthc "; nocase; flow:from_server,established; classtype:policy-violation; sid:2001386; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn r at ...2850..."; content:" r at ...2850... "; nocase; flow:from_server,established; sid:2001388; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE INAPPROPRIATE Kiddy Porn r at ...2850..."; content:" r at ...2850... "; nocase; flow:from_server,established; classtype:policy-violation; sid:2001388; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Kiddy Porn pre-teen"; content:"pre-teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; flow:from_server,established; sid:2001347; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Kiddy Porn pre-teen"; content:"pre-teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; flow:from_server,established; classtype:policy-violation; sid:2001347; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE Inappropriate Sextracker Tracking Code Detected"; content:"BEGIN SEXTRACKER CODE"; nocase; flow:from_server,established; sid:2001393; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BLEEDING-EDGE Inappropriate Sextracker Tracking Code Detected"; content:"BEGIN SEXTRACKER CODE"; nocase; flow:from_server,established; classtype:kickass-porn; sid:2001393; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Kiddy Porn preteen"; content:"preteen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; flow:from_server,established; sid:2001346; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Kiddy Porn preteen"; content:"preteen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; flow:from_server,established; classtype:policy-violation; sid:2001346; rev:3;)

     -> Modified active in bleeding-malware.rules (86):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Oenji.com Install"; uricontent:"/Bundled/OemjiInstall"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001538; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Oenji.com Install"; uricontent:"/Bundled/OemjiInstall"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001538; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware SurfAssistant.com Spyware Activity"; content:"User-Agent\: ML"; flow:to_server,established; sid:2001515; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware SurfAssistant.com Spyware Activity"; content:"User-Agent\: ML"; flow:to_server,established; classtype:trojan-activity; sid:2001515; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/mstasks3.txt"; nocase; flow:to_server,established; sid:2001483; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/mstasks3.txt"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001483; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware"; pcre:"/Host\: \w*.ak-networks.com/im"; flow:to_server,established; sid:2001529; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware"; pcre:"/Host\: \w*.ak-networks.com/im"; flow:to_server,established; classtype:trojan-activity; sid:2001529; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/dktibs.php"; nocase; flow:to_server,established; sid:2001474; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/dktibs.php"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001474; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://pizdato.biz/gamma-test.htm"; nocase; flow:to_server,established; sid:2001476; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://pizdato.biz/gamma-test.htm"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001476; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/x30/d.exe"; nocase; flow:to_server,established; sid:2001484; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/x30/d.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001484; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Coolsearch Spyware Install"; content:"http\://coolsearch.biz/united.htm"; nocase; flow:to_server,established; sid:2001479; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Coolsearch Spyware Install"; content:"http\://coolsearch.biz/united.htm"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001479; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; pcre:"/Host\: \w*\.spyspotter.com/im"; flow:to_server,established; sid:2001537; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; pcre:"/Host\: \w*\.spyspotter.com/im"; flow:to_server,established; classtype:trojan-activity; sid:2001537; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Reporting"; uricontent:"/count/count.php?&mm2cpr"; nocase; flow:to_server,established; sid:2001423; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Reporting"; uricontent:"/count/count.php?&mm2cpr"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001423; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Update"; uricontent:"/data/spv15.dat?v="; nocase; flow:to_server,established; sid:2001513; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Update"; uricontent:"/data/spv15.dat?v="; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001513; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; uricontent:"/silent_install.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; nocase; flow:to_server,established; sid:2001534; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; uricontent:"/silent_install.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001534; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll"; uricontent:"/downloads/IeBHOs.dll"; nocase; flow:to_server,established; sid:2001415; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll"; uricontent:"/downloads/IeBHOs.dll"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001415; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ak-networks.com Access, Likely Spyware"; content:"Host\: app.desktop.ak-networks.com"; nocase; flow:to_server,established; sid:2001528; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ak-networks.com Access, Likely Spyware"; content:"Host\: app.desktop.ak-networks.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001528; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Install Report"; pcre:"//user\d+/counter.htm/im"; flow:to_server,established; sid:2001541; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Install Report"; pcre:"//user\d+/counter.htm/im"; flow:to_server,established; classtype:trojan-activity; sid:2001541; rev:4;)
        old: alert tcp $HOME_NET any -> any any (msg:"BLEEDING_EDGE Malware JoltID Agent P2P via Proxy Server"; content:"POST http\://"; nocase; content:"\:3531/.pkt"; within:20; nocase; flow:to_server,established; sid:2001679; rev:3;)
        new: alert tcp $HOME_NET any -> any any (msg:"BLEEDING_EDGE Malware JoltID Agent P2P via Proxy Server"; content:"POST http\://"; nocase; content:"\:3531/.pkt"; within:20; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001679; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Activity"; uricontent:"User-Agent\: NSISDL"; nocase; content:"medialoads.com"; nocase; flow:to_server,established; sid:2001504; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Activity"; uricontent:"User-Agent\: NSISDL"; nocase; content:"medialoads.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001504; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Comet Systems Spyware Traffic"; uricontent:"/context/1/up_context_1.xml"; nocase; flow:to_server,established; sid:2001655; rev:1;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Comet Systems Spyware Traffic"; uricontent:"/context/1/up_context_1.xml"; nocase; flow:to_server,established; classtype:policy-violation; sid:2001655; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Look2me Spyware Activity"; content:"Referer\: Look2Me"; nocase; flow:to_server,established; sid:2001499; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Look2me Spyware Activity"; content:"Referer\: Look2Me"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001499; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casino on Net Install"; reference:url,www.888casino.net; uricontent:"/newdownload/newsetup/"; nocase; content:"casinone"; nocase; flow:to_server,established; sid:2001041; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casino on Net Install"; reference:url,www.888casino.net; uricontent:"/newdownload/newsetup/"; nocase; content:"casinone"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001041; rev:3;)
        old: alert tcp $HOME_NET any -> 216.151.85.195 $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Unknown Suspicious PrintMe Suspected Spyware"; content:"PrintMe"; classtype:bad-unknown; sid:2001665; rev:1;)
        new: alert tcp $HOME_NET any -> 216.151.85.195 $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Unknown Suspicious PrintMe Suspected Spyware"; content:"PrintMe"; classtype:bad-unknown; flow:established; sid:2001665; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ICQ-Update.biz Reporting Install"; uricontent:"log.php?IP="; nocase; content:"&Port1="; nocase; content:"Host\: www.icq-update.biz"; nocase; flow:to_server,established; sid:2001490; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ICQ-Update.biz Reporting Install"; uricontent:"log.php?IP="; nocase; content:"&Port1="; nocase; content:"Host\: www.icq-update.biz"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001490; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Access, Likely Spyware"; pcre:"/Host\: \w*.searchmiracle.com/im"; flow:to_server,established; sid:2001532; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Access, Likely Spyware"; pcre:"/Host\: \w*.searchmiracle.com/im"; flow:to_server,established; classtype:trojan-activity; sid:2001532; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Media-Motor Related Downloading MediaMotor25.exe"; uricontent:"/soft/MediaMotor25.exe"; nocase; flow:to_server,established; sid:2001414; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Media-Motor Related Downloading MediaMotor25.exe"; uricontent:"/soft/MediaMotor25.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001414; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Tibsystems Spyware Activity"; uricontent:"/d4.fcgi?v="; nocase; flow:to_server,established; sid:2001488; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Tibsystems Spyware Activity"; uricontent:"/d4.fcgi?v="; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001488; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Receiving Commands"; uricontent:"/xpsystem/commands.ini"; nocase; flow:to_server,established; sid:2001475; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Receiving Commands"; uricontent:"/xpsystem/commands.ini"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001475; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spyspotter.com Install"; uricontent:"/SpySpotterInstall.cab"; nocase; classtype:trojan-activity; flow:to_server,established; sid:2001536; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spyspotter.com Install"; uricontent:"/SpySpotterInstall.cab"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001536; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS  (msg:"BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable"; content:"/soft/loads/"; nocase; within:5; content:".exe"; nocase; flow:to_server,established; sid:2001412; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS  (msg:"BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable"; content:"/soft/loads/"; nocase; within:5; content:".exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001412; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casino on Net Reporting Data"; reference:url,www.888casino.net; uricontent:"/logs.asp?MSGID=100"; nocase; flow:to_server,established; sid:2001031; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casino on Net Reporting Data"; reference:url,www.888casino.net; uricontent:"/logs.asp?MSGID=100"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001031; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/xpl3.htm"; nocase; flow:to_server,established; sid:2001470; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/xpl3.htm"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001470; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/toolbar.txt"; nocase; flow:to_server,established; sid:2001473; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/toolbar.txt"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001473; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware SurfAssistant.com Spyware Install"; uricontent:"/distribution/questmod-1.dll"; nocase; flow:to_server,established; sid:2001510; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware SurfAssistant.com Spyware Install"; uricontent:"/distribution/questmod-1.dll"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001510; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casino on Net Ping Hit"; reference:url,www.888casino.net; uricontent:"/Ping/Ping.txt"; nocase; flow:to_server,established; sid:2001032; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casino on Net Ping Hit"; reference:url,www.888casino.net; uricontent:"/Ping/Ping.txt"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001032; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"BLEEDING-EDGE Malware Mastermind Related Reporting 8081"; content:"/a?l=PeAyF1sgrZYw&i="; nocase; flow:to_server,established; sid:2001410; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"BLEEDING-EDGE Malware Mastermind Related Reporting 8081"; content:"/a?l=PeAyF1sgrZYw&i="; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001410; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Config"; uricontent:"/dw/cgi/download.cgi?sn=&pid="; nocase; content:"Host\:config.medialoads.com"; nocase; flow:to_server,established; sid:2001503; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Config"; uricontent:"/dw/cgi/download.cgi?sn=&pid="; nocase; content:"Host\:config.medialoads.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001503; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Spyware Install Reporting"; uricontent:"/xpsystem/report.php?user_id="; nocase; uricontent:"&status=0&country_id="; nocase; flow:to_server,established; sid:2001472; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Spyware Install Reporting"; uricontent:"/xpsystem/report.php?user_id="; nocase; uricontent:"&status=0&country_id="; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001472; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Reporting"; uricontent:"/dw/cgi/download.cgi?sn="; nocase; content:"Host\:config.medialoads.com"; nocase; flow:to_server,established; sid:2001508; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Reporting"; uricontent:"/dw/cgi/download.cgi?sn="; nocase; content:"Host\:config.medialoads.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001508; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spyware Stormer Reporting Data"; uricontent:"/showme.aspx?keyword="; nocase; content:"ecomdata1="; nocase; reference:url,www.spywarestormer.com; flow:established,to_server; sid:2001570; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spyware Stormer Reporting Data"; uricontent:"/showme.aspx?keyword="; nocase; content:"ecomdata1="; nocase; reference:url,www.spywarestormer.com; flow:established,to_server; classtype:trojan-activity; sid:2001570; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spygalaxy.ws Activity"; uricontent:"/install.php?id="; nocase; content:"Host\: spygalaxy.ws"; nocase; flow:to_server,established; sid:2001489; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spygalaxy.ws Activity"; uricontent:"/install.php?id="; nocase; content:"Host\: spygalaxy.ws"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001489; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Reporting"; uricontent:"/dw/cgi/register.cgi?v="; nocase; content:"Host\:config.medialoads.com"; nocase; flow:to_server,established; sid:2001509; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Reporting"; uricontent:"/dw/cgi/register.cgi?v="; nocase; content:"Host\:config.medialoads.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001509; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Reporting Install"; uricontent:"/count/count.php?&mm"; nocase; flow:to_server,established; sid:2001416; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Reporting Install"; uricontent:"/count/count.php?&mm"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001416; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ak-networks.com Spyware Code Download"; uricontent:"/SyncAkSoft.da_"; nocase; flow:to_server,established; sid:2001530; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ak-networks.com Spyware Code Download"; uricontent:"/SyncAkSoft.da_"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001530; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/dl/adv121/x.chm"; nocase; flow:to_server,established; sid:2001467; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/dl/adv121/x.chm"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001467; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; uricontent:"/protector.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; nocase; flow:to_server,established; sid:2001535; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; uricontent:"/protector.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001535; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spywaremover Activity"; uricontent:"/spywareremovers.php?"; content:"Host\: topantispyware.com"; nocase; flow:to_server,established; sid:2001520; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spywaremover Activity"; uricontent:"/spywareremovers.php?"; content:"Host\: topantispyware.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001520; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres.net Downloading cpr_mm2.exe"; uricontent:"/tt/cpr_mm2.exe"; nocase; flow:to_server,established; sid:2001419; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres.net Downloading cpr_mm2.exe"; uricontent:"/tt/cpr_mm2.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001419; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs CHM Exploit"; uricontent:"/fa/ied_s7m.chm"; nocase; flow:to_server,established; sid:2001468; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs CHM Exploit"; uricontent:"/fa/ied_s7m.chm"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001468; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Overpro Spyware Games"; uricontent:"/blocks/blasterblocks"; nocase; flow:to_server,established; sid:2001459; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Overpro Spyware Games"; uricontent:"/blocks/blasterblocks"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001459; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Install Code Download"; uricontent:"/install.gz"; nocase; content:"Host\: xpire.info"; nocase; flow:to_server,established; sid:2001491; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Install Code Download"; uricontent:"/install.gz"; nocase; content:"Host\: xpire.info"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001491; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; content:"src=http\://xpire.info/i.exe"; nocase; flow:to_server,established; sid:2001463; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; content:"src=http\://xpire.info/i.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001463; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/dl/adv121.php"; nocase; flow:to_server,established; sid:2001466; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/dl/adv121.php"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001466; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Tibsystems Spyware Activity"; content:"User-Agent\: TIBS Loader"; nocase; flow:to_server,established; sid:2001487; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Tibsystems Spyware Activity"; content:"User-Agent\: TIBS Loader"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001487; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spywaremover Activity"; uricontent:"/download/cabs/THNALL1L/thnall1l.exe"; content:"Host\: static.callinghome.biz"; nocase; flow:to_server,established; sid:2001521; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spywaremover Activity"; uricontent:"/download/cabs/THNALL1L/thnall1l.exe"; content:"Host\: static.callinghome.biz"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001521; rev:3;)
        old: alert tcp any !20 -> $HOME_NET !25 (msg:"BLEEDING-EDGE Malware Possible Windows executable sent when remote host claims to send an image"; content: "Content-Type\: image"; content: "MZ"; within:12; flow: established; sid:2001685; rev:1;)
        new: alert tcp any !20 -> $HOME_NET !25 (msg:"BLEEDING-EDGE Malware Possible Windows executable sent when remote host claims to send an image"; content: "Content-Type\: image"; content: "MZ"; within:12; flow: established; classtype:trojan-activity; sid:2001685; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/systime.txt"; nocase; flow:to_server,established; sid:2001480; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Install"; uricontent:"/dkprogs/systime.txt"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001480; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Mastermind Related Downloading mm20.ocx"; uricontent:"/soft/mm20.ocx"; nocase; flow:to_server,established; sid:2001411; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Mastermind Related Downloading mm20.ocx"; uricontent:"/soft/mm20.ocx"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001411; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ICQ-Update.biz Reporting Install"; uricontent:"/update.exe"; nocase; content:"Host\: update.icq-update.biz"; nocase; flow:to_server,established; sid:2001519; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ICQ-Update.biz Reporting Install"; uricontent:"/update.exe"; nocase; content:"Host\: update.icq-update.biz"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001519; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres.net Downloading ab1.exe"; uricontent:"/tt/ab1.exe"; nocase; flow:to_server,established; sid:2001420; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres.net Downloading ab1.exe"; uricontent:"/tt/ab1.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001420; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Spyware Exploit"; uricontent:"/2DimensionOfExploitsEnc.php"; nocase; flow:to_server,established; sid:2001471; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Spyware Exploit"; uricontent:"/2DimensionOfExploitsEnc.php"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001471; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Downloading Code"; uricontent:"/soft/unstall.exe"; nocase; flow:to_server,established; sid:2001418; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Downloading Code"; uricontent:"/soft/unstall.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001418; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Look2me Spyware Activity"; uricontent:"/cgi-bin/BW.exe"; content:"Host\: www.look2me.com"; nocase; flow:to_server,established; sid:2001502; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Look2me Spyware Activity"; uricontent:"/cgi-bin/BW.exe"; content:"Host\: www.look2me.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001502; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs Occuring"; uricontent:"/fa/?d=get"; nocase; flow:to_server,established; sid:2001462; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs Occuring"; uricontent:"/fa/?d=get"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001462; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS  (msg:"BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe"; uricontent:"/dist/ast_4_mm.exe"; nocase; flow:to_server,established; sid:2001413; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS  (msg:"BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe"; uricontent:"/dist/ast_4_mm.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001413; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casino on Net Data Download"; reference:url,www.888casino.net; uricontent:"/sdl/casinov"; nocase; flow:to_server,established; sid:2001033; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casino on Net Data Download"; reference:url,www.888casino.net; uricontent:"/sdl/casinov"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001033; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware SurfAssistant.com Spyware Reporting"; uricontent:"/sa/?a="; nocase; content:"Host\: sa-001.com"; nocase; flow:to_server,established; sid:2001514; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware SurfAssistant.com Spyware Reporting"; uricontent:"/sa/?a="; nocase; content:"Host\: sa-001.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001514; rev:3;)
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send image, Win32"; content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "This program must be run under Win32"; flow: established; sid:2001684; rev:3;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send image, Win32"; content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "This program must be run under Win32"; flow: established; classtype:trojan-activity; sid:2001684; rev:4;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Installer silent.exe Download"; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; nocase; flow:from_server,established; sid:2001533; rev:3;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Installer silent.exe Download"; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; nocase; flow:from_server,established; classtype:trojan-activity; sid:2001533; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Install"; uricontent:"/install/RH/rh.exe"; nocase; flow:to_server,established; sid:2001505; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Install"; uricontent:"/install/RH/rh.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001505; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres.net Downloading tvm_bundle.exe"; uricontent:"/tt/tvm_bundle.exe"; nocase; flow:to_server,established; sid:2001421; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres.net Downloading tvm_bundle.exe"; uricontent:"/tt/tvm_bundle.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001421; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; pcre:"/Host\: \w*\.oemji.com/im"; flow:to_server,established; sid:2001539; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; pcre:"/Host\: \w*\.oemji.com/im"; flow:to_server,established; classtype:trojan-activity; sid:2001539; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Sexmaniack Install Tracking"; uricontent:"/counted.php?ref="; nocase; content:"Host\: counter.sexmaniack.com"; nocase; flow:to_server,established; sid:2001460; rev:3;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Sexmaniack Install Tracking"; uricontent:"/counted.php?ref="; nocase; content:"Host\: counter.sexmaniack.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001460; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware C4tdoanload.com Access, Likely Spyware"; pcre:"/Host\: \w*\.c4tdownload.com/im"; flow:to_server,established; sid:2001531; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware C4tdoanload.com Access, Likely Spyware"; pcre:"/Host\: \w*\.c4tdownload.com/im"; flow:to_server,established; classtype:trojan-activity; sid:2001531; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Activity"; uricontent:"User-Agent\: NSISDL"; nocase; content:"Host\:download.smartpops.com"; nocase; flow:to_server,established; sid:2001506; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Activity"; uricontent:"User-Agent\: NSISDL"; nocase; content:"Host\:download.smartpops.com"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001506; rev:3;)
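Review bot: `uricontent:"User-Agent\: NSISDL"` in the revised sid 2001506 cannot match, because uricontent searches only the normalized request URI and the User-Agent value is in a request header; with the Host header as the only other condition, the rule is effectively dead as revised. Suggest `content:"User-Agent\: NSISDL"; nocase;`, which is how sid 2001507 in this same update matches the same string.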
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/x.chm"; nocase; flow:to_server,established; sid:2001469; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/x.chm"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001469; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; content:"GET /WildApp.cab"; offset:0; depth:16; nocase; content:"Host\: download.overpro.com"; nocase; reference:url,www.wildarcade.com; classtype:trojan-activity; flow:to_server,established; sid:2001444; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; content:"GET /WildApp.cab"; offset:0; depth:16; nocase; content:"Host\: download.overpro.com"; nocase; reference:url,www.wildarcade.com; flow:to_server,established; classtype:trojan-activity; sid:2001444; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/i.exe"; nocase; content:"xpire.info"; nocase; flow:to_server,established; sid:2001464; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/i.exe"; nocase; content:"xpire.info"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001464; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spyware Stormer/Error Guard Activity"; uricontent:"/sell.cgi?errorguard/1/errorguard"; nocase; reference:url,www.spywarestormer.com; flow:established,to_server; sid:2001571; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Spyware Stormer/Error Guard Activity"; uricontent:"/sell.cgi?errorguard/1/errorguard"; nocase; reference:url,www.spywarestormer.com; flow:established,to_server; classtype:trojan-activity; sid:2001571; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Receiving Config"; uricontent:"/config/?v=5&n=mm2&i="; nocase; flow:to_server,established; sid:2001417; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware E2give Related Receiving Config"; uricontent:"/config/?v=5&n=mm2&i="; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001417; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://newiframe.biz/ysb.exe.eeexe.exe"; nocase; flow:to_server,established; sid:2001478; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://newiframe.biz/ysb.exe.eeexe.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001478; rev:3;)
        old: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send an image"; content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "This program cannot be run in DOS mode"; flow: established; sid:2001683; rev:3;)
        new: alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Windows executable sent when remote host claims to send an image"; content: "Content-Type\: image"; content: "MZ"; isdataat:76,relative; content: "This program cannot be run in DOS mode"; flow: established; classtype:trojan-activity; sid:2001683; rev:4;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/evil.html"; nocase; sid:2001461; flow:to_server,established; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs"; uricontent:"/fa/evil.html"; nocase; classtype:trojan-activity; sid:2001461; flow:to_server,established; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Identifying Country of Origin"; uricontent:"/dw/cgi/country.cgi"; nocase; content:"User-Agent\: NSISDL"; nocase; flow:to_server,established; sid:2001507; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Medialoads.com Spyware Identifying Country of Origin"; uricontent:"/dw/cgi/country.cgi"; nocase; content:"User-Agent\: NSISDL"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001507; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Mastermind Related Reporting"; uricontent:"/bundle.php?aff="; nocase; flow:to_server,established; sid:2001409; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Mastermind Related Reporting"; uricontent:"/bundle.php?aff="; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001409; rev:3;)
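Review bot: the header and the flow option of sid 2001409 contradict each other: the rule header is `$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any` while `flow:to_server,established` restricts matching to client-to-server packets, and `uricontent` only inspects a request URI, so the rule cannot fire as revised. If the intent is to catch the client's request for /bundle.php?aff=, the header should read `$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS`, as the other Mastermind rules in this update (sids 2001411 and 2001412) do.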
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://www.coolsearch.biz/c.htm"; nocase; flow:to_server,established; sid:2001477; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install"; uricontent:"http\://www.coolsearch.biz/c.htm"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001477; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Install"; uricontent:"/install/SE/sed.exe"; nocase; flow:to_server,established; sid:2001516; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Smartpops.com Spyware Install"; uricontent:"/install/SE/sed.exe"; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001516; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres.net Reporting Data"; uricontent:"/log3.php?c={"; nocase; uricontent:"what="; nocase; uricontent:"avatar="; nocase; flow:to_server,established; sid:2001422; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres.net Reporting Data"; uricontent:"/log3.php?c={"; nocase; uricontent:"what="; nocase; uricontent:"avatar="; nocase; flow:to_server,established; classtype:trojan-activity; sid:2001422; rev:3;)

     -> Modified active in bleeding-p2p.rules (6):
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morpheus Install"; reference:url,www.morpheus.com; uricontent:"/morpheus/morpheus.exe"; nocase; flow:to_server,established; sid:2001035; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morpheus Install"; reference:url,www.morpheus.com; uricontent:"/morpheus/morpheus.exe"; nocase; flow:to_server,established; classtype:policy-violation; sid:2001035; rev:3;)
        old: alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg:"BLEEDING-EDGE P2P Soulseek traffic"; classtype:policy-violation; sid:2001186; rev:2;)
        new: alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg:"BLEEDING-EDGE P2P Soulseek traffic"; flow:established; classtype:policy-violation; sid:2001186; rev:3;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morpheus Update Request"; reference:url,www.morpheus.com; uricontent:"/gwebcache/gcache.asg?hostfile="; nocase; flow:to_server,established; sid:2001037; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morpheus Update Request"; reference:url,www.morpheus.com; uricontent:"/gwebcache/gcache.asg?hostfile="; nocase; flow:to_server,established; classtype:policy-violation; sid:2001037; rev:3;)
        old: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE P2P Soulseek"; content:"slsknet"; classtype:policy-violation; sid:2001188; rev:2;)
        new: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE P2P Soulseek"; content:"slsknet"; flow:established; classtype:policy-violation; sid:2001188; rev:2;)
        old: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morpheus Install ini Download"; reference:url,www.morpheus.com; uricontent:"/morpheus/morpheus_sm.ini"; nocase; flow:to_server,established; sid:2001036; rev:2;)
        new: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE P2P Morpheus Install ini Download"; reference:url,www.morpheus.com; uricontent:"/morpheus/morpheus_sm.ini"; nocase; flow:to_server,established; classtype:policy-violation; sid:2001036; rev:3;)
        old: alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg:"BLEEDING-EDGE P2P Soulseek traffic"; classtype:policy-violation; sid:2001185; rev:2;)
        new: alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg:"BLEEDING-EDGE P2P Soulseek traffic"; flow:established; classtype:policy-violation; sid:2001185; rev:3;)

     -> Modified active in bleeding-policy.rules (1):
        old: alert tcp $HOME_NET any -> 66.151.158.177 any (msg:"BLEEDING-EDGE GotoMyPC Polling Client"; threshold: type limit, track by_src, count 1, seconds 360; sid:2000309; rev:4;)
        new: alert tcp $HOME_NET any -> 66.151.158.177 any (msg:"BLEEDING-EDGE GotoMyPC Polling Client"; threshold: type limit, track by_src, count 1, seconds 360; flow:established; classtype:policy-violation; sid:2000309; rev:5;)

     -> Modified active in bleeding-scan.rules (2):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; flowbits:set,ssh.brute.attempt; classtype:attempted-dos; sid:2001219; rev:8;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; flowbits:set,ssh.brute.attempt; classtype:suspicious-login; sid:2001219; rev:9;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"BLEEDING-EDGE Scan Possible SSL Brute Force attack or Site Crawl"; flags:S; flow:established; threshold: type threshold, track by_src, count 100, seconds 60; sid:2001553; rev:3;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"BLEEDING-EDGE Scan Possible SSL Brute Force attack or Site Crawl"; flags:S; flow:established; threshold: type threshold, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2001553; rev:4;)

     -> Modified active in bleeding-virus.rules (5):
        old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagle.AY worm [.cpl extension] - OUTBOUND"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:misc-activity; sid:2001693; rev:1;)
        new: alert TCP $HOME_NET any -> any 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001693; rev:2;)
        old: alert TCP $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Virus Bagle.AY worm [.com extension] - OUTBOUND"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:misc-activity; sid:2001691; rev:1;)
        new: alert TCP $HOME_NET any -> any 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.com, exe extensions] - outbound"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001691; rev:3;)
        old: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Bagle.AY worm [.cpl extension] - inbound"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:misc-activity; sid:2001694; rev:1;)
        new: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - incoming"; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001694; rev:2;)
        old: alert tcp $HOME_NET any -> any 25 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; classtype:trojan-activity; sid:2001283; rev:3;)
        new: alert tcp $HOME_NET any -> any 25 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; classtype:trojan-activity; flow:established,to_server; sid:2001283; rev:4;)
        old: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE Virus Bagle.AY worm [.com extension] - inbound"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:misc-activity; sid:2001692; rev:1;)
        new: alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Bagle.BJ [alias .AY, .BC] worm [.com, .exe extensions] - incoming"; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; flow:established; reference:url,secunia.com/virus_information/14902/; classtype:trojan-activity; sid:2001692; rev:3;)

     -> Modified active in bleeding-web.rules (8):
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting SQL Injection"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.mysql_query("; nocase; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001557; rev:3;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting SQL Injection"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.mysql_query("; nocase; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; classtype:web-application-attack; sid:2001557; rev:4;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"BLEEDING-EDGE WEB-MISC LINK Method"; content:"LINK "; offset:0; depth:5; flow:to_server,established; tag:host,10,packets; sid:2001546; rev:1;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"BLEEDING-EDGE WEB-MISC LINK Method"; content:"LINK "; offset:0; depth:5; flow:to_server,established; tag:host,10,packets; classtype:web-application-activity; sid:2001546; rev:2;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit phpBB Highlight Exploit Attempt"; content:"&highlight=%2527%252Esystem("; nocase; flow:to_server,established; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001605; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit phpBB Highlight Exploit Attempt"; content:"&highlight=%2527%252Esystem("; nocase; flow:to_server,established; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; classtype:web-application-attack; sid:2001605; rev:3;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC Alternate Data Stream source view attempt"; uricontent:"|3A 3A 24|$DATA"; flow:to_server,established; reference:url,support.microsoft.com/kb/q188806/; reference:cve,1999-0278; sid:2001365; rev:2;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-MISC Alternate Data Stream source view attempt"; uricontent:"|3A 3A 24|$DATA"; flow:to_server,established; reference:url,support.microsoft.com/kb/q188806/; reference:cve,1999-0278; classtype:web-application-activity; sid:2001365; rev:3;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization"; flow:to_server,established; content:"GET"; nocase; content:"|5C|"; nocase; depth:100; content:"aspx"; distance:100; nocase; sid:2001342; rev:11;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization"; flow:to_server,established; content:"GET"; nocase; content:"|5C|"; nocase; depth:100; content:"aspx"; distance:100; nocase; classtype:web-application-attack; sid:2001342; rev:12;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001604; rev:4;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution - Santy.A Worm"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.fwrite(fopen("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; classtype:web-application-attack; sid:2001604; rev:5;)
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow:to_server,established; content:"GET"; nocase; content:"%5C"; depth:100; content:"aspx"; distance:100; sid:2001343; rev:10;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB-IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow:to_server,established; content:"GET"; nocase; content:"%5C"; depth:100; content:"aspx"; distance:100; classtype:web-application-attack; sid:2001343; rev:11;)
        old: alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE THCIISLame IIS SSL Exploit Attempt"; reference:url,www.thc.org/exploits/THCIISSLame.c; reference:url,isc.sans.org/diary.php?date=2004-07-17; content:"THCOWNZIIS!"; flow:to_server,established; sid:2000559; rev:5;)
        new: alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE THCIISLame IIS SSL Exploit Attempt"; reference:url,www.thc.org/exploits/THCIISSLame.c; reference:url,isc.sans.org/diary.php?date=2004-07-17; content:"THCOWNZIIS!"; flow:to_server,established; classtype:web-application-attack; sid:2000559; rev:6;)

[///]    Modified inactive rules:    [///]

     -> Modified inactive in bleeding-custom.rules (6):
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001579; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; classtype:misc-activity; sid:2001579; rev:3;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001583; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; classtype:misc-activity; sid:2001583; rev:3;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001580; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; classtype:misc-activity; sid:2001580; rev:3;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001569; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; classtype:misc-activity; sid:2001569; rev:3;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001582; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; classtype:misc-activity; sid:2001582; rev:3;)
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; sid:2001581; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; flags:S; threshold: type limit, track by_src, count 50 , seconds 60; classtype:misc-activity; sid:2001581; rev:3;)

     -> Modified inactive in bleeding-virus.rules (1):
        old: #alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"BLEEDING-EDGE Virus Possible Sober.j Outbound"; reference:url,vil.mcafeesecurity.com/vil/content/v_130130.htm; classtype:trojan-activity; sid:2001542; rev:2;)
        new: #alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"BLEEDING-EDGE Virus Possible Sober.j Outbound"; reference:url,vil.mcafeesecurity.com/vil/content/v_130130.htm; classtype:trojan-activity; flow:established; sid:2001542; rev:3;)

[---]         Removed rules:         [---]

     -> Removed from bleeding-malware.rules (3):
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; uricontent:"/cab/v3cab.cab"; reference:url,www.searchmiracle.com; nocase; flow:to_server,established; sid:2001540; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware pool.Westpop.com Spyware Install"; uricontent:"/vcgi/magh/update.cgi?magic="; nocase; flow:to_server,established; sid:2001512; rev:2;)
        #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware"; pcre:"/Host\: \w*\.casalemedia.com/im"; flow:to_server,established; sid:2001527; rev:2;)

     -> Removed from bleeding-web.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.system("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; sid:2001457; rev:7;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-inappropriate.rules (1):
        # Info for these sigs from Gary Kalbfleisch

     -> Added to bleeding-malware.rules (4):
        #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware"; pcre:"/Host\: \w*\.casalemedia.com/im"; flow:to_server,established; classtype:trojan-activity; id:2001527; rev:3;)
        #matt Jonkman
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Searchmiracle.com Spyware Install"; uricontent:"/cab/v3cab.cab"; reference:url,www.searchmiracle.com; nocase; flow:to_server,established; classtype:trojan-activity; id:2001540; rev:3;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware pool.Westpop.com Spyware Install"; uricontent:"/vcgi/magh/update.cgi?magic="; nocase; flow:to_server,established; classtype:trojan-activity; id:2001512; rev:3;)

     -> Added to bleeding-sid-msg.map (21):
        2001691 || Bagle.BJ [alias .AY, .BC] worm [.com, exe extensions] - outbound || url,secunia.com/virus_information/14902/
        2001692 || Bagle.BJ [alias .AY, .BC] worm [.com, .exe extensions] - incoming || url,secunia.com/virus_information/14902/
        2001693 || Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - outbound || url,secunia.com/virus_information/14902/
        2001694 || Bagle.BJ [alias .AY, .BC] worm [.cpl extension] - incoming || url,secunia.com/virus_information/14902/
        2001695 || Bagle.BJ [alias .AY, .BC] - download attempt || url,secunia.com/virus_information/14877/
        2001696 || BLEEDING-EDGE Malware Search Relevancy Spyware
        2001697 || BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Data Submission || url,www.isearchtech.com
        2001698 || BLEEDING-EDGE Malware YourSiteBar Data Submision || url,www.ysbweb.com
        2001699 || BLEEDING-EDGE Malware YourSiteBar Activity || url,www.ysbweb.com
        2001700 || BLEEDING-EDGE Malware Windupdates.com Spyware Install
        2001701 || BLEEDING-EDGE Malware Windupdates.com Spyware Loggin Data
        2001702 || BLEEDING-EDGE Malware Shop at Home Select Spyware Activity
        2001703 || BLEEDING-EDGE Malware Context Plus Spyware Activity
        2001704 || BLEEDING-EDGE Malware Context Plus Spyware Install
        2001705 || BLEEDING-EDGE Malware Flingstone Spyware Install
        2001706 || BLEEDING-EDGE Malware Context Plus Spyware Activity
        2001707 || BLEEDING-EDGE Malware Shop at Home Select Spyware Activity
        2001708 || BLEEDING-EDGE Malware Shop at Home Select Spyware Heartbeat
        2001709 || BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download
        2001710 || BLEEDING-EDGE Malware Flingstone Spyware Install
        2001711 || BLEEDING-EDGE Malware Likely Spambot Web-based Control Traffic

     -> Added to bleeding-virus.rules (1):
        #added by Mark Scott 01/27/2005 - Bagle.AY, .BJ - Updated 1/31/2005

     -> Added to bleeding-web.rules (1):
        alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt"; flow:to_server,established; uricontent:"/viewtopic.php?"; nocase; uricontent:"&highlight='.system("; nocase; reference:url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513; classtype:web-application-attack; id:2001457; rev:8;)

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-inappropriate.rules (1):
        #Info for these sigs from Gary Kalbfleisch

     -> Removed from bleeding-sid-msg.map (8):
        2001457 || BLEEDING-EDGE Exploit phpBB Highlighting Code Execution Attempt || url,www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
        2001512 || BLEEDING-EDGE Malware pool.Westpop.com Spyware Install
        2001527 || BLEEDING-EDGE Malware Casalemedia Access, Likely Spyware
        2001540 || BLEEDING-EDGE Malware Searchmiracle.com Spyware Install || url,www.searchmiracle.com
        2001691 || BLEEDING-EDGE Virus Bagle.AY worm [.com extension] - OUTBOUND || url,secunia.com/virus_information/14902/
        2001692 || BLEEDING-EDGE Virus Bagle.AY worm [.com extension] - inbound || url,secunia.com/virus_information/14902/
        2001693 || BLEEDING-EDGE Virus Bagle.AY worm [.cpl extension] - OUTBOUND || url,secunia.com/virus_information/14902/
        2001694 || BLEEDING-EDGE Virus Bagle.AY worm [.cpl extension] - inbound || url,secunia.com/virus_information/14902/

     -> Removed from bleeding-virus.rules (1):
        #added by Mark Scott 01/27/2005 - Bagle.AY

[*] Added files: [*]
    None.
