# Suricata rule set, one rule per line ('#' starts a comment).
# $HOME_NET, $EXTERNAL_NET and $DC_SERVERS are address-group variables resolved from the engine
# configuration; nothing in this file defines them.
# A rule carrying "flowbits: noalert" only records state for a later rule and never raises an alert
# by itself, so every set/isset pair in this file has to be loaded together.

# CVE-2019-3978: "M2" at payload offset 4 plus four fixed byte sequences; no_stream evaluates the
# individual packet payload rather than the reassembled stream.
alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Mikrotik RouterOS unauthenticated DNS cache poisoning (CVE-2019-3978)"; flow: established, to_server, no_stream; content: "M2"; offset: 4; depth: 2; content: "|01 00 00 08|"; content: "|07 00 FF 09 03|"; content: "|03 00 00 21|"; content: "|01 00 FF 88 01 00 0E 00 00 00|"; reference: cve, 2019-3978; reference: url, medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005475; rev: 4;)

# Spring4Shell: both pcre checks accept raw and percent-encoded braces; the "i" after the closing
# brace in the second pcre is a literal character, not a flag.
alert http any any -> any any (msg: "ATTACK [PTsecurity] Spring Core RCE aka Spring4Shell Attempt"; flow: established; content: "pipeline.first.pattern"; nocase; content: "getRuntime"; nocase; distance: 0; content: "exec"; nocase; pcre: "/(?:%25|%)(?:%7B|{)/i"; pcre: "/(?:%7D|})i/i"; reference: url, rules.ptsecurity.com; reference: url, www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html; classtype: attempted-admin; sid: 10007107; rev: 1;)

# CVE-2023-25135: every content after the first uses "distance: 0", so the class names are
# required in exactly this order inside the POST body.
alert http any any -> any any (msg: "ATTACK [PTsecurity] vBulletin <= 5.6.9 pre-auth RCE (CVE-2023-25135)"; flow: established, to_server; http.method; content: "POST"; http.request_body; content: "googlelogin_vendor_autoload"; nocase; content: "Monolog"; distance: 0; content: "Handler"; distance: 0; content: "SyslogUdpHandler"; distance: 0; content: "Monolog"; distance: 0; content: "Handler"; distance: 0; content: "BufferHandler"; distance: 0; content: "current"; distance: 0; reference: cve, 2023-25135; reference: url, rules.ptsecurity.com; reference: url, ambionics.io/blog/vbulletin-unserializable-but-unreachable; classtype: attempted-admin; sid: 10008756; rev: 1;)

# CVE-2023-2825: http.uri.raw keeps the percent-encoded "%2f..%2f" visible (the normalised URI
# buffer would decode it); the pcre requires at least five path components before "uploads/".
alert http any any -> any any (msg: "ATTACK [PTsecurity] GitLab Arbitrary File Read (CVE-2023-2825)"; flow: established, to_server; http.uri.raw; content: "/uploads/"; nocase; content: "%2f..%2f"; nocase; distance: 0; pcre: "/\/+([a-zA-Z0-9_-]+\/+){5,}uploads\/+/I"; reference: url, rules.ptsecurity.com; reference: url, labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis; reference: cve, 2023-2825; classtype: attempted-admin; sid: 10008999; rev: 2;)

# CVE-2023-32560: two variants of the same check (pcre vs. fixed content after "h.mid"); both end
# with a relative byte_test on a 4-byte value (> 340 and > 149 respectively).
alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Possible Ivanti Avalanche RCE (CVE-2023-32560)"; flow: established, to_server; content: "|00 00 00 02 00 00 00 05|"; content: "h.mid"; distance: 4; within: 5; pcre: "/^.{20}\x00\x00\x00[\x03\x65]/R"; byte_test: 4, >, 340, 4, relative; reference: url, rules.ptsecurity.com; reference: url, www.tenable.com/security/research/tra-2023-27; reference: cve, 2023-32560; classtype: attempted-admin; sid: 10010882; rev: 2;)

alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Possible Ivanti Avalanche RCE (CVE-2023-32560)"; flow: established, to_server; content: "|00 00 00 02 00 00 00 05|"; content: "h.mid"; distance: 4; within: 5; content: "|00 00 00 09|"; distance: 20; within: 4; byte_test: 4, >, 149, 4, relative; reference: url, rules.ptsecurity.com; reference: url, www.tenable.com/security/research/tra-2023-27; reference: cve, 2023-32560; classtype: attempted-admin; sid: 10010958; rev: 1;)

# CVE-2023-36899: "/(" ... "))" in the normalised URI, pinned by the pcre to the /(X(...))...)) shape.
alert http any any -> any any (msg: "ATTACK [PTsecurity] Cookieless string in ASP.NET (CVE-2023-36899)"; flow: established, to_server; http.uri; content: "/("; fast_pattern; content: "))"; distance: 0; pcre: "/\/\([A-Z]\(.*?\)\).*?\)\)/"; reference: url, rules.ptsecurity.com; reference: url, soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899; reference: cve, 2023-36899; classtype: attempted-admin; sid: 10009357; rev: 3;)

# CVE-2023-38035: Hessian-typed request to the MICSLogService path carrying the listed method names.
alert http any any -> any any (msg: "ATTACK [PTsecurity] Ivanti Sentry RCE attempt (CVE-2023-38035)"; flow: established, to_server; http.uri; content: "/mics/services/MICSLogService"; http.header; content: "application/x-hessian"; http.request_body; content: "uploadFileUsingFileInput"; content: "command"; distance: 0; content: "isRoot"; reference: cve, 2023-38035; reference: url, rules.ptsecurity.com; reference: url, horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/; classtype: attempted-admin; sid: 10010662; rev: 1;)

# CVE-2024-25153: the pcre (U = URI buffer, R = relative to the "sid" match) looks for a "../" or
# "..\" sequence inside a parameter value.
alert http any any -> any any (msg: "ATTACK [PTsecurity] Fortra FileCatalyst RCE (CVE-2024-25153)"; flow: established, to_server; http.uri; content: "/servlet/ftpservlet"; nocase; content: "PUT"; nocase; distance: 0; content: "sid"; nocase; pcre: "/^[^\&]*=[^\&]*[\\\/]\.{2}[\\\/]/RU"; reference: cve, 2024-25153; reference: url, rules.ptsecurity.com; reference: url, labs.nettitude.com/blog/cve-2024-25153-remote-code-execution-in-fortra-filecatalyst/; classtype: attempted-admin; sid: 10011291; rev: 1;)

# CVE-2024-29849, two stages: sid 10011480 records the client POST in xbit CVE-2024-29849.POST
# (15 s expiry, no alert of its own); sid 10011481 alerts on a "status/valid" token response while
# the bit is set.
# NOTE(review): both rules say "track ip_src", but the first matches to_server (source = client)
# and the second from_server (source = server), so the isset looks up a different host than the
# one the bit was set for -- confirm whether "track ip_dst" was intended on the response rule.
alert http any any -> any any (msg: "ATTACK [PTsecurity] Veeam Backup Manager Authentication Bypass (CVE-2024-29849). XB set CVE-2024-29849.POST"; flow: established, to_server; http.uri; content: "/api/sessionMngr"; http.request_body; content: "VMwareSSOToken"; pcre: "/(?:PHNhbWwyOklzc3Vlcj|xzYW1sMjpJc3N1ZXI+|c2FtbDI6SXNzdWVyPg)/RP"; xbits: set, CVE-2024-29849.POST, track ip_src, expire 15; flowbits: noalert; reference: cve, 2024-29849; reference: url, rules.ptsecurity.com; reference: url, summoning.team/blog/veeam-enterprise-manager-cve-2024-29849-auth-bypass/; classtype: attempted-admin; sid: 10011480; rev: 1;)

alert http any any -> any any (msg: "ATTACK [PTsecurity] Veeam Backup Manager Authentication Bypass (CVE-2024-29849)"; flow: established, from_server; http.response_body; content: "RequestSecurityTokenResponse"; content: "urn:oasis:names:tc:SAML:2.0:assertion"; distance: 0; content: "<Code>"; distance: 0; content: "status/valid"; distance: 0; xbits: isset, CVE-2024-29849.POST, track ip_src; reference: cve, 2024-29849; reference: url, rules.ptsecurity.com; reference: url, summoning.team/blog/veeam-enterprise-manager-cve-2024-29849-auth-bypass/; classtype: attempted-admin; sid: 10011481; rev: 1;)

# --- Buhtrap / Ratopak ---
# Mailslot datagram on UDP 138 between $HOME_NET hosts: 16-32 uppercase hex characters terminated
# by NUL, then a run of five control/high bytes; "threshold: type both" caps alerts per source.
alert udp $HOME_NET any -> $HOME_NET 138 (msg: "SPYWARE [PTsecurity] Buhtrap"; content: "|5C|MAILSLOT|5C|"; content: !"|00|"; within: 16; pcre: "/^[0-9A-F]{16,32}\x00/R"; pcre: "/[\x0e-\x19\x80-\xff]{5}/R"; threshold: type both, track by_src, count 4, seconds 3600; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003304; rev: 4;)

# SMB request with |0B 00| eight bytes past the "SMB" marker and a UTF-16LE hex string ending the
# payload; alerts only after 8 hits in 2 s from one source.
alert smb $HOME_NET any -> $HOME_NET 445 (msg: "SPYWARE [PTsecurity] Buhtrap"; flow: established, to_server, no_stream; content: "SMB"; content: "|0B 00|"; distance: 8; within: 2; content: "|00 00 18 00 11 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; distance: 0; pcre: "/([0-9A-F]\x00){16,32}$/R"; threshold: type threshold, track by_src, count 8, seconds 2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003305; rev: 4;)

# Flowbit chain (internal SMB, port 445):
#   sid 10003306   request whose UTF-16LE path ends in "\ADMIN$" (isdataat:!1 = nothing follows)
#                  -> sets SMB.TreeConnect.ADMIN, no alert
#   sid 10003307/8 "regedit.exe" / "notepad.exe" in UTF-16LE on such a flow
#                  -> set Pegasus.arch_probe, no alert
#   sid 10003309   8-15 hex characters followed by ".exe" (UTF-16LE) after the probe -> alerts
alert smb $HOME_NET any -> $HOME_NET 445 (msg: "SPYWARE [PTsecurity] Buhtrap FB set SMB.TreeConnect.ADMIN"; flow: established, to_server, no_stream; content: "SMB"; content: "|03 00|"; distance: 8; within: 2; content: "|5c 00 41 00 44 00 4d 00 49 00 4e 00 24 00|"; distance: 48; isdataat: !1, relative; flowbits: noalert; flowbits: set, SMB.TreeConnect.ADMIN; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003306; rev: 4;)

alert smb $HOME_NET any -> $HOME_NET 445 (msg: "SPYWARE [PTsecurity] Buhtrap FB set Pegasus.arch_probe"; flow: established, to_server, no_stream; content: "SMB"; content: "|05 00|"; distance: 8; within: 2; content: "r|00|e|00|g|00|e|00|d|00|i|00|t|00|.|00|e|00|x|00|e|00|"; nocase; distance: 96; flowbits: noalert; flowbits: isset, SMB.TreeConnect.ADMIN; flowbits: set, Pegasus.arch_probe; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003307; rev: 4;)

alert smb $HOME_NET any -> $HOME_NET 445 (msg: "SPYWARE [PTsecurity] Buhtrap FB set Pegasus.arch_probe"; flow: established, to_server, no_stream; content: "SMB"; content: "|05 00|"; distance: 8; within: 2; content: "n|00|o|00|t|00|e|00|p|00|a|00|d|00|.|00|e|00|x|00|e|00|"; nocase; distance: 96; flowbits: noalert; flowbits: isset, SMB.TreeConnect.ADMIN; flowbits: set, Pegasus.arch_probe; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003308; rev: 4;)

alert smb $HOME_NET any -> $HOME_NET 445 (msg: "SPYWARE [PTsecurity] Buhtrap"; flow: established, to_server, no_stream; content: "SMB"; content: "|05 00|"; distance: 8; within: 2; content: ".|00|e|00|x|00|e|00|"; nocase; distance: 96; pcre: "/([0-9A-F]\x00){8,15}\x2e\x00e\x00x\x00e\x00/"; flowbits: isset, Pegasus.arch_probe; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003309; rev: 3;)

# Backdoor HTTP shape: POST to a .php URI with the headers in a fixed order (each "distance: 0"
# keeps the order), no Referer header (negated content), a form field name of 4-32 lowercase
# letters and non-printable bytes in the octet-stream part. Modifiers written after the content
# (http_uri; http_header; ...) are the legacy form of the sticky buffers used earlier in this file.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "BACKDOOR [PTsecurity] Buhtrap/Ratopak"; flow: established, to_server; content: "POST"; http_method; content: ".php"; http_uri; content: "Cache-Control: no-cache"; http_header; content: "Connection: Keep-Alive"; http_header; distance: 0; content: "Pragma: no-cache"; http_header; distance: 0; content: "Content-Type: multipart/form-data|3b| boundary="; http_header; distance: 0; content: "User-Agent: "; http_header; distance: 0; content: "Content-Length: "; http_header; distance: 0; content: "Host: "; http_header; distance: 0; content: !"Referer|3a|"; http_header; content: "Content-Disposition: form-data|3b| name=|22|"; http_client_body; fast_pattern; pcre: "/^(?:[a-z]){4,32}\x22/RP"; content: "Content-Type: application/octet-stream"; http_client_body; within: 100; pcre: "/(?:[\x0e-\x19]|[\x80-\xff]){4}/RP"; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003294; rev: 5;)

# Same family, destination port 80 only: a 12-hex-digit multipart boundary and a body of one or
# two 192-byte chunks (the pcre uses the s flag so "." spans line ends).
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg: "SPYWARE [PTsecurity] Buhtrap"; flow: established, to_server; content: "POST"; http_method; content: ".php"; http_uri; content: "Content-Type: multipart/form-data|3b| boundary="; http_header; pcre: "/^[0-9a-f]{12}\r\n/RH"; content: "Content-Type: application/octet-stream"; http_client_body; content: "Content-Disposition: form-data|3b| name=|22|"; http_client_body; pcre: "/^[a-z]{8,14}\x22\r\nContent-Type: application/octet-stream\r\n\r\n(.{192}){1,2}\r\n--[0-9a-z]{12}--/RPs"; pcre: "/[\x0e-\x19\x80-\xff]{4}/P"; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003298; rev: 4;)

# --- Tool activity ---
# RDP client fingerprint: walks the client data blocks |01 C0| / |04 C0| / |02 C0| with
# little-endian byte_jump (post_offset -4 backs up four bytes after each jump), extracts the last
# block's length into CLIENTNETWORKDATALEN and requires it to end exactly at the payload end
# (isdataat:!). classtype policy-violation: unsanctioned client, not an exploit.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] xfreerdp/vinagre/remmina RDP client"; flow: established, to_server, no_stream; content: "|03 00|"; depth: 2; content: "Duca"; distance: 0; content: "|01 C0|"; distance: 2; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|04 C0|"; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|02 C0|"; within: 2; byte_extract: 2, 0, CLIENTNETWORKDATALEN, relative, little; isdataat: !CLIENTNETWORKDATALEN, relative; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 10005928; rev: 3;)

# Same walk with an additional |03 C0| block; the pcre pins the channel list to the named
# combinations of cliprdr / drdynvc / rdpdr / rdpsnd.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] xfreerdp/remmina RDP client"; flow: established, to_server, no_stream; content: "|03 00|"; depth: 2; content: "Duca"; distance: 0; content: "|01 C0|"; distance: 2; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|04 C0|"; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|02 C0|"; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|03 C0|"; within: 2; byte_extract: 2, 0, CLIENTNETWORKDATALEN, relative, little; isdataat: !CLIENTNETWORKDATALEN, relative; pcre: "/(?:^.{4}cliprdr.{5}$|^.{4}drdynvc.{5}$|^.{4}rdpdr.{7}rdpsnd.{6}(?:drdynvc.{5}$|cliprdr|$))/R"; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 10005952; rev: 3;)

# Burp Suite: plain dns_query name matches, so any resolution of these names fires, including from
# authorised testers; suppress or threshold for the testing hosts rather than disabling.
alert dns any any -> any any (msg: "TOOLS [PTsecurity] Burp Suite tool activity. polling.portswigger.net resolve"; dns_query; content: "polling.portswigger.net"; reference: url, rules.ptsecurity.com; classtype: bad-unknown; sid: 10006023; rev: 3;)

alert dns any any -> any any (msg: "TOOLS [PTsecurity] Burp Suite tool activity. burpcollaborator.net resolve"; dns_query; content: "burpcollaborator.net"; reference: url, rules.ptsecurity.com; classtype: bad-unknown; sid: 10006024; rev: 3;)

# croc file-transfer tool: TCP payload starting with "croc" plus a small layout check (thresholded
# per source), an 8-byte UDP multicast beacon "croc90", and DNS / TLS SNI for the relay and
# download host names.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] Croc file transfer tool activity"; flow: established, to_server; content: "croc"; depth: 4; content: !"|00|"; within: 1; content: "|00 00|"; distance: 2; within: 2; threshold: type both, track by_src, count 10, seconds 120; reference: url, github.com/schollz/croc; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10011012; rev: 1;)

alert udp any any -> any any (msg: "TOOLS [PTsecurity] Croc file transfer tool activity (UDP multicast)"; content: "croc90"; dsize: 8; threshold: type limit, track by_src, count 1, seconds 120; reference: url, rules.ptsecurity.com; reference: url, github.com/schollz/croc; classtype: attempted-admin; sid: 10011013; rev: 1;)

alert dns any any -> any any (msg: "TOOLS [PTsecurity] Croc file transfer tool domain resolve"; dns_query; content: "croc"; content: "schollz.com"; pcre: "/^croc.?\.schollz\.com$/"; reference: url, rules.ptsecurity.com; reference: url, github.com/schollz/croc; classtype: attempted-admin; sid: 10011014; rev: 1;)

alert dns any any -> any any (msg: "TOOLS [PTsecurity] getCroc domain resolve (file transfer tool download)"; dns_query; content: "getcroc.schollz.com"; reference: url, rules.ptsecurity.com; reference: url, github.com/schollz/croc; classtype: attempted-admin; sid: 10011015; rev: 1;)

alert tls any any -> any any (msg: "TOOLS [PTsecurity] Croc file transfer tool download"; tls_sni; content: "getcroc.schollz.com"; reference: url, rules.ptsecurity.com; reference: url, github.com/schollz/croc; classtype: attempted-admin; sid: 10011016; rev: 1;)

# gsocket: a 128-byte packet early in the connection (stream_size bounds both directions) with
# fixed zero-byte runs. The two rules both use "flow: to_server" and differ only in the leading
# byte (|02| vs |01|) and the zero-run layout; presumably the leading byte is what separates the
# client and server roles named in the msgs -- not stated here.
alert tcp any any -> any any (msg: "TOOLS [PTsecurity] gsocket client activity"; flow: to_server, established, no_stream; dsize: 128; stream_size: client, <, 500; stream_size: server, <, 100; content: "|02|"; depth: 1; offset: 0; content: !"|00|"; within: 2; content: "|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance: 3; within: 28; content: !"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within: 16; content: "|00 00 00 00|"; distance: 16; within: 4; content: "|00 00 00 00|"; isdataat: !1, relative; reference: url, gsocket.io; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10009304; rev: 4;)

alert tcp any any -> any any (msg: "TOOLS [PTsecurity] gsocket server activity"; flow: to_server, established, no_stream; dsize: 128; stream_size: client, <, 500; stream_size: server, <, 100; content: "|01|"; depth: 1; offset: 0; content: !"|00|"; within: 2; content: "|00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; distance: 3; within: 12; content: !"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within: 16; content: !"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance: 16; within: 16; content: "|00 00 00 00|"; distance: 32; within: 4; content: "|00 00 00 00|"; isdataat: !1, relative; reference: url, rules.ptsecurity.com; reference: url, gsocket.io; classtype: attempted-admin; sid: 10009305; rev: 5;)

# gsocket infrastructure domain resolution.
alert dns any any -> any any (msg: "TOOLS [PTsecurity] .gs.thc.org domain resolve. Probably gsocket activity"; dns_query; content: ".gs.thc.org"; reference: url, rules.ptsecurity.com; reference: url, gsocket.io; classtype: attempted-admin; sid: 10009306; rev: 1;)

# --- Active Directory / Windows lateral-movement signatures ---
# Remote WMI Win32_Process: DCERPC request (|05 00 00|) carrying UTF-16LE "Win32_Process" and, 16
# bytes later, "create" (nocase). Alerts itself (limit 1 per source / 10 s) and sets
# WMI.Win32_Process.Create for the rule that follows.
alert tcp any any -> any any (msg: "ATTACK AD [PTsecurity] Remote WMI Win32_Process create"; flow: established, to_server; content: "|05 00 00|"; depth: 3; content: "W|00|i|00|n|00|3|00|2|00|_|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00 00 00|"; fast_pattern; content: "c|00|r|00|e|00|a|00|t|00|e|00|"; distance: 16; within: 12; nocase; flowbits: set, WMI.Win32_Process.Create; threshold: type limit, track by_src, count 1, seconds 10; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001999; rev: 3;)

# On such a flow, a __PARAMETERS block whose command line names cmd/powershell and an http:// URL.
alert tcp any any -> any any (msg: "ATTACK AD [PTsecurity] Suspicious Remote WMI Win32_Process create"; flow: established, to_server; content: "__PARAMETERS|00 00|"; content: "http://"; distance: 0; pcre: "/__PARAMETERS\x00\x00[^\x00]+?(?:cmd|powershell)[^\x00]+?http:\/\//"; flowbits: isset, WMI.Win32_Process.Create; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002000; rev: 2;)

# DCShadow chain, non-DC -> DC on ports >= 1024.
# NOTE(review): stock suricata.yaml sets DC_SERVERS to $HOME_NET, which turns
# "!$DC_SERVERS -> $DC_SERVERS" into external -> internal; point DC_SERVERS at the actual domain
# controllers or these three rules never see an internal source.
#   sid 10002557  bind PDU (|05 00 0B|) to the 16-byte interface UUID -> sets RPC.Bind.DRSUAPI, no alert
#   sid 10009196  request PDU with |11 00| at the opnum position       -> sets RPC.DsAddEntry, no alert
#   sid 10002558  request PDU with |05 00| at the opnum position       -> alerts
alert tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg: "ATTACK AD [PTsecurity] DCShadow Replication Attempt"; flow: established, to_server; content: "|05 00 0B|"; depth: 3; content: "|35 42 51 E3 06 4B D1 11 AB 04 00 C0 4F C2 DC D2|"; distance: 0; flowbits: set, RPC.Bind.DRSUAPI; flowbits: noalert; reference: url, rules.ptsecurity.com; reference: url, dcshadow.com; classtype: attempted-admin; sid: 10002557; rev: 3;)

alert tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg: "ATTACK AD [PTsecurity] DCShadow Replication Attempt - DsAddEntry from non-DC"; flow: established, to_server, no_stream; content: "|05 00 00 03|"; depth: 4; content: "|11 00|"; distance: 18; within: 2; flowbits: isset, RPC.Bind.DRSUAPI; flowbits: set, RPC.DsAddEntry; flowbits: noalert; reference: url, rules.ptsecurity.com; reference: url, dcshadow.com; classtype: attempted-admin; sid: 10009196; rev: 1;)

alert tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg: "ATTACK AD [PTsecurity] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC"; flow: established, to_server, no_stream; content: "|05 00 00 03|"; depth: 4; content: "|05 00|"; distance: 18; within: 2; flowbits: isset, RPC.DsAddEntry; reference: url, rules.ptsecurity.com; reference: url, dcshadow.com; classtype: attempted-admin; sid: 10002558; rev: 2;)

# Fake DC object from a non-DC: LDAP AddRequest (|68 84 00|) for an object with objectClass
# server under CN=Servers,CN=<site>,CN=Sites,CN=Configuration; same DC_SERVERS caveat as above.
alert tcp !$DC_SERVERS any -> any any (msg: "ATTACK AD [PTsecurity] DCShadow: Fake DC Creation"; flow: established, to_server; content: "|68 84 00|"; content: "CN="; distance: 5; within: 3; content: "CN=Servers,CN="; distance: 0; content: ",CN=Sites,CN=Configuration,DC="; distance: 0; content: "objectClass"; distance: 0; content: "server"; distance: 0; reference: url, rules.ptsecurity.com; reference: url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype: attempted-admin; sid: 10002559; rev: 3;)

# Print-spooler interface binds (tcp-pkt = evaluated per packet): state only, no alert.
alert tcp-pkt any any -> any any (msg: "ATTACK AD [PTsecurity] IREMOTEWINSPOOL Bind"; flow: established, to_server; content: "|96 3F F0 76 FD CD FC 44 A2 2C 64 95 0A 00 12 09|"; flowbits: set, DCERPC.IREMOTEWINSPOOL.Bind; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006624; rev: 3;)

alert tcp-pkt any any -> any any (msg: "ATTACK AD [PTsecurity] SPOOLSS Bind"; flow: established, to_server; content: "|78 56 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB|"; flowbits: set, DCERPC.SPOOLSS.Bind; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006626; rev: 3;)

# PrintNightmare: request PDU within the first 119 bytes with |00 27 00| (IREMOTEWINSPOOL flow) or
# |00 59 00| (SPOOLSS flow) at the opnum position; limit 1 per destination / 60 s.
alert tcp any any -> any any (msg: "ATTACK AD [PTsecurity] PrintNightmare attempt (CVE-2021-1675)"; flow: established, to_server; content: "|05 00 00|"; depth: 119; content: "|00 00|"; distance: 15; within: 2; content: "|00 27 00|"; distance: 1; within: 3; flowbits: isset, DCERPC.IREMOTEWINSPOOL.Bind; threshold: type limit, track by_dst, count 1, seconds 60; reference: url, rules.ptsecurity.com; reference: url, github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210709; reference: cve, 2021-1675; classtype: attempted-admin; sid: 10006625; rev: 5;)

alert tcp any any -> any any (msg: "ATTACK AD [PTsecurity] PrintNightmare attempt (CVE-2021-1675)"; flow: established, to_server; content: "|05 00 00|"; depth: 119; content: "|00 00|"; distance: 15; within: 2; content: "|00 59 00|"; distance: 1; within: 3; flowbits: isset, DCERPC.SPOOLSS.Bind; threshold: type limit, track by_dst, count 1, seconds 60; reference: url, rules.ptsecurity.com; reference: cve, 2021-1675; classtype: attempted-admin; sid: 10006627; rev: 5;)

# SystemNightmare: the hex is UTF-16LE "cmd.exe" NUL "winsta0\default", matched in either
# direction of an SMB flow.
alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Possible SystemNightmare LPE"; flow: established; content: "|63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 00 00 77 00 69 00 6E 00 73 00 74 00 61 00 30 00 5C 00 64 00 65 00 66 00 61 00 75 00 6C 00 74 00 00 00|"; reference: url, rules.ptsecurity.com; reference: url, github.com/gentilkiwi/mimikatz/blob/master/mimispool/README.md; classtype: attempted-admin; sid: 10006770; rev: 2;)

# NTLM relay from HTTP into SMB: NTLMSSP type-3 message (|03 00 00 00| after "NTLMSSP|00|") whose
# UTF-16LE target field starts with "HTTP/"; SMBv1 (|FF|SMB|73|) and SMBv2 (|FE|SMB, command
# |01 00|) variants. isdataat: 200 requires at least 200 more bytes after the match.
alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] HTTP-to-SMB NTLM Relay attack (SMBv1)"; flow: established, to_server; content: "|FF|SMB|73|"; content: "NTLMSSP|00 03 00 00 00|"; distance: 0; content: "|09 00|"; distance: 0; within: 600; content: "H|00|T|00|T|00|P|00 2F|"; distance: 2; within: 9; isdataat: 200, relative; reference: url, rules.ptsecurity.com; reference: url, byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html; classtype: attempted-admin; sid: 10005230; rev: 3;)

alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] HTTP-to-SMB NTLM Relay attack (SMBv2)"; flow: established, to_server; content: "|FE|SMB"; content: "|01 00|"; distance: 8; within: 2; content: "NTLMSSP|00 03 00 00 00|"; distance: 0; content: "|09 00|"; distance: 0; within: 600; content: "H|00|T|00|T|00|P|00 2F|"; distance: 2; within: 9; isdataat: 200, relative; reference: url, rules.ptsecurity.com; reference: url, byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html; classtype: attempted-admin; sid: 10005231; rev: 3;)

89alert http any any -> any any (msg: "ATTACK [PTsecurity] Mismatch URI and Host header. Possible Squid cache poisoning"; content: "GET"; http_method; content: "://"; fast_pattern; distance: 0; http_raw_uri; pcre: "/^\w+\s+\w+:\/\/\S+\s+.*?[\r\n].*?Host:[ \t]+[\w\.:]+\b/is"; pcre: ! "/^\w+\s+\w+:\/\/([^\/\s:#]+)[\/\s:#]\S*.+?Host:[ \t]*\1\S*\b/is"; reference: url, bugs.squid-cache.org/show_bug.cgi?id=4501; reference: cve, 2016-4554; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000035; rev: 5;)
90
91alert http any any -> any any (msg: "ATTACK [PTsecurity] Magento < 2.0.6 Arbitrary write file"; content: "rest/V1/guest-carts/"; http_raw_uri; content: "set-payment-information"; http_raw_uri; fast_pattern; content: "|5C 75 30 30 30 30|"; content: "Magento\\\\Sales\\\\Model\\\\Order\\\\Payment\\\\Transaction"; reference: cve, 2016-4010; reference: url, netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000042; rev: 2;)
92
93alert http any any -> any any (msg: "ATTACK [PTsecurity] GraphicsMagick popen shell vulnerability"; flow: established,to_server; content: "<?xml"; http_client_body; content: "<svg"; http_client_body; fast_pattern; pcre: "/xlink:href\s*=\s*\x22\|/RPi"; reference: url, permalink.gmane.org/gmane.comp.security.oss.general/19669; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000044; rev: 2;)
94
95alert http any any -> any any (msg: "ATTACK [PTsecurity] GraphicsMagick popen shell vulnerability"; flow: established,to_server; content: "viewbox "; nocase; http_client_body; fast_pattern; pcre: "/image\s+copy\s+\d+\s*,\s*\d+\s+\d+\s*,\s*\d+\s*\x22\|/RPi"; reference: url, permalink.gmane.org/gmane.comp.security.oss.general/19669; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000045; rev: 2;)
96
97alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Continuum <= v1.4.2 CMD Injection"; content: "POST"; http_method; content: "/continuum/saveInstallation.action"; offset: 0; depth: 34; http_uri; content: "installation.varValue="; nocase; http_client_body; pcre: "/^[^&]*(?:\x60|%60|\x7c|%7c|\x3b|%3b|\x24\x28|%24%28|\x24\x7b|%24%7b|%0a)/iRP"; flow: to_server, established; reference: url, exploit-db.com/exploits/39886; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000048; rev: 3;)
98
99alert http any any -> any any (msg: "ATTACK [PTsecurity] FreePBX 13/14 Malicious Filename Upload attempt"; flow: to_server; content: "POST"; http_method; nocase; content: "/admin/ajax.php?"; http_uri; content: "module=recordings"; http_uri; content: "command=savebrowserrecording"; http_uri; content: "Content-Type: multipart/form-data"; nocase; http_header; pcre: "/Content-Disposition: form-data\; name=\x22filename\x22\r\n\r\n[^\r\n]*\x60[^\r\n]*\x60.*\r\n/P"; xbits: set, FreePBXMaliciousFilenameUpload, track ip_dst, expire 30; reference: exploitdb, 40232; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000082; rev: 3;)
100
101alert http any any -> any any (msg: "ATTACK [PTsecurity] FreePBX 13/14 Remote Command Execution"; flow: to_server; content: "POST"; http_method; nocase; content: "/admin/ajax.php"; http_uri; content: "Content-Type: application/x-www-form-urlencoded"; nocase; http_header; pcre: "/file=[^&]*\x60[^&]*\x60/P"; pcre: "/module=recordings/P"; xbits: isset, FreePBXMaliciousFilenameUpload, track ip_dst; reference: exploitdb, 40232; reference: url, rules.ptsecurity.com; classtype: successful-admin; sid: 10000083; rev: 3;)
102
103alert http any any -> any any (msg: "ATTACK [PTsecurity] FreePBX 13/14 Remote Command Execution attempt"; flow: to_server; content: "POST"; http_method; content: "/admin/ajax.php"; http_uri; content: "Content-Type: application/x-www-form-urlencoded"; nocase; http_header; pcre: "/file=[^&]*\x60[^&]*\x60/P"; pcre: "/module=recordings/P"; xbits: isnotset, FreePBXMaliciousFilenameUpload, track ip_dst; reference: exploitdb, 40232; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000084; rev: 3;)
104
105alert udp any any -> any 161 (msg: "ATTACK [PTsecurity] Cisco Adaptive Security Appliance 8.x SNMP overflow RCE Probe"; content: "|a035020100020100020100302a300c06082b060102010101000500300c06082b060102010103000500300c06082b060102010105000500|"; isdataat: !1, relative; reference: url, blogs.cisco.com/security/shadow-brokers; reference: cve, 2016-6366; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000098; rev: 2;)
106
107alert udp any any -> any 161 (msg: "ATTACK [PTsecurity] Cisco Adaptive Security Appliance 8.x SNMP overflow RCE Attempt"; byte_jump: 1, 6; content: "|A5|"; content: "|2B 06 01 02 01 01 01|"; distance: 0; content: "|2B 06 01 04 01 09 09 83 6B 01 03 03 01 01 05 09|"; isdataat: 30,relative; reference: url, blogs.cisco.com/security/shadow-brokers; reference: cve, 2016-6366; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000099; rev: 2;)
108
109alert tcp any any -> any any (msg: "ATTACK [PTsecurity] EpicBanana Exploitation"; content: "|50 16 60 16 b8 16 82 16 aa 16 aa 16 aa 16 35 16 aa 16 aa 16 aa 16 aa|"; depth: 24; reference: url, tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-cli; reference: cve, 2016-6367; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000125; rev: 1;)
110
111alert tcp any any -> any any (msg: "ATTACK [PTsecurity] MySQL <= 5.7.15, 5.6.33, 5.5.53 root RCE/Privilege Escalation attempt"; content: "|03|"; offset: 4; depth: 1; content: "736574"; distance: 0; content: "6c6f675f66696c65"; distance: 0; content: "6d79"; distance: 0; content: "2e636e66"; distance: 0; within: 14; reference: url, legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; reference: cve, 2016-6662; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000128; rev: 1;)
112
113alert tcp any any -> any any (msg: "ATTACK [PTsecurity] MySQL <= 5.7.15, 5.6.33, 5.5.53 root RCE/Privilege Escalation attempt"; content: "|03|"; offset: 4; depth: 1; content: "set"; distance: 0; content: "log_file"; distance: 0; content: "my"; distance: 0; content: ".cnf"; distance: 0; within: 7; reference: url, legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; reference: cve, 2016-6662; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000129; rev: 1;)
114
115alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Omnivista 8770 UnAuth RCE (AddJobSet)"; flow: established, no_stream; content: "GIOP"; depth: 4; content: "SchedulerInterface"; distance: 0; content: "AddJobSet"; distance: 0; flowbits: set, Omnivista.SchedulerInterface.AddJobSet; flowbits: noalert; reference: url, blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000677; rev: 1;)
116
117alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Omnivista 8770 UnAuth RCE (AddJob)"; flow: established, no_stream; content: "GIOP"; depth: 4; byte_jump: 4,24; content: "|00 00 00 07|AddJob|00|"; within: 11; flowbits: isset, Omnivista.SchedulerInterface.AddJobSet; flowbits: set, Omnivista.SchedulerInterface.AddJob; flowbits: noalert; reference: url, blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000678; rev: 1;)
118
119alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Omnivista 8770 UnAuth RCE (ExecuteNow)"; flow: established, no_stream; content: "GIOP"; depth: 4; byte_jump: 4,24; content: "|00 00 00 0B|ExecuteNow|00|"; within: 15; flowbits: isset, Omnivista.SchedulerInterface.AddJob; reference: url, blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000679; rev: 1;)
120
121alert http any any -> any any (msg: "ATTACK [PTsecurity] Nagios Core < 4.2.2 Curl Command Injection (CVE-2016-9565) RSS Request"; flow: established, to_server; content: "/nagios/rss-"; http_uri; content: ".php"; http_uri; distance: 0; content: "User-Agent: magpie"; http_header; nocase; flowbits: set, CVE.2016-9565.RSSRequest; reference: url, legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html; reference: cve, 2016-9565; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000777; rev: 1;)
122
123alert http any any -> any any (msg: "ATTACK [PTsecurity] Nagios Core < 4.2.2 Curl Command Injection (CVE-2016-9565) Attempt"; flow: established, from_server; content: "302"; http_stat_code; content: "nagios"; http_header; flowbits: isset, CVE.2016-9565.RSSRequest; reference: url, legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html; reference: cve, 2016-9565; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000778; rev: 1;)
124
125alert http any any -> any any (msg: "ATTACK [PTsecurity] Nagios Core < 4.2.2 Curl Command Injection (CVE-2016-9565) Remote Script Execution"; flow: established, from_server; content: "302"; http_stat_code; content: "--trace-ascii"; http_header; content: " -F"; http_header; pcre: "/Location\:(?:.*?\s+-F\S+\s+){2}/Hi"; flowbits: isset, CVE.2016-9565.RSSRequest; reference: url, legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html; reference: cve, 2016-9565; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000779; rev: 1;)
126
# Apache Struts Jakarta multipart parser (CVE-2017-5638): OGNL markers ("%{", "#_memberAccess",
# "@java") together with multipart/form-data, all inside request headers; "%{" is the fast_pattern.
127alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Struts < 2.3.32 < 2.5.10.1 RCE through Jakarta Multipart parser Attempt"; flow: established, to_server; content: "%{"; fast_pattern; http_header; content: "multipart/form-data"; http_header; content: "#_memberAccess"; http_header; content: "@java"; http_header; reference: cve, 2017-5638; reference: url, paper.seebug.org/241/; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001065; rev: 3;)
128
# MS IIS 6.0 WebDAV (CVE-2017-7269): PROPFIND whose "If: <" header contains a byte in the
# 0x7F-0xFF range before the closing ">" (pcre, H modifier), i.e. non-ASCII data in the token.
129alert http any any -> any any (msg: "ATTACK [PTsecurity] MS IIS 6.0 BO RCE (CVE-2017-7269)"; flow: to_server, established; content: "PROPFIND"; http_method; content: "If: <"; http_header; nocase; pcre: "/^If: <[^\r\n>]+[\x7F-\xFF]/Hmi"; reference: url, www.helpnetsecurity.com/2017/03/30/cve-2017-7269/; reference: cve, 2017-7269; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001195; rev: 2;)
130
# Safari 10.0.3 UAF (CVE-2017-2491): JavaScript tokens taken from the referenced PoC
# (RegExp, three .repeat calls close together, typed arrays, jsCellHeader, butterfly)
# in the server-supplied file body, each anchored relative to the previous match.
131alert http any any -> any any (msg: "ATTACK [PTsecurity] Safari 10.0.3 UAF RCE (CVE-2017-2491)"; flow: established, from_server; file_data; content: "RegExp"; content: ".repeat"; within: 25; content: ".repeat"; within: 50; content: ".repeat"; within: 50; content: "ArrayBuffer"; within: 100; content: "Uint8Array"; within: 50; content: "Float64Array"; within: 50; content: "jsCellHeader"; distance: 0; content: "butterfly"; distance: 0; reference: cve, 2017-2491; reference: url, github.com/phoenhex/files/blob/master/exploits/cachedcall-uaf.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001322; rev: 2;)
132
# Companion rule for the same PoC: seven hex constants with no relative anchoring between them.
# NOTE(review): short literals such as 0x80, 0x81 and 0x50 also occur in unrelated scripts,
# so a lone hit from this sid is weaker evidence than a hit from sid 10001322.
133alert http any any -> any any (msg: "ATTACK [PTsecurity] Safari 10.0.3 UAF RCE (CVE-2017-2491)"; flow: established, from_server; file_data; content: "0x40000"; content: "0x1000"; content: "0x10000000"; content: "0x7ffff000"; content: "0x80"; content: "0x81"; content: "0x50"; reference: cve, 2017-2491; reference: url, github.com/phoenhex/files/blob/master/exploits/cachedcall-uaf.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001326; rev: 1;)
134
# SambaCry (CVE-2017-7494), SMB1 variant: command byte a2 right after the "\xffSMB" header,
# path length read as a little-endian 16-bit value at offset 85, a "/" inside the path and a
# ".so" suffix in ASCII or UTF-16LE that is not followed by "b" (pcre, relative).
# Throttled to one alert per source address per 30 seconds.
135alert smb any any -> any any (msg: "ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow: to_server, established, no_stream; content: "|ff 53 4d 42 a2|"; offset: 4; depth: 5; byte_extract: 2, 85, name_length, little; content: "|2f|"; within: name_length; pcre: "/(?:\.\x00s\x00o\x00|\.so\x00)(?:$|[^b])/Ri"; threshold: type limit, track by_src, count 1, seconds 30; reference: cve, 2017-7494; reference: url, www.samba.org/samba/security/CVE-2017-7494.html; reference: url, thehackernews.com/2017/05/samba-rce-exploit.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001356; rev: 8;)
136
# SMB2 variant: "\xfeSMB" header, command 0005 at offset 16 (fast_pattern), path length from
# offset 114 and the path itself located via byte_jump from offset 112; same ".so" check and
# the same per-source threshold.
137alert smb any any -> any any (msg: "ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; fast_pattern; byte_extract: 2, 114, name_length, little; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|2f|"; within: name_length; pcre: "/(?:\.\x00s\x00o\x00|\.so\x00)(?:$|[^b])/Ri"; threshold: type limit, track by_src, count 1, seconds 30; reference: cve, 2017-7494; reference: url, www.samba.org/samba/security/CVE-2017-7494.html; reference: url, thehackernews.com/2017/05/samba-rce-exploit.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001357; rev: 9;)
138
# SMB1 variant with command byte 2d: path length from offset 67, a "/" two bytes into the
# path, and the byte immediately after that "/" must not be 04. No threshold on this one.
139alert smb any any -> any any (msg: "ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow: to_server, established, no_stream; content: "|ff 53 4d 42 2d|"; offset: 4; depth: 5; byte_extract: 2, 67, name_length, little; content: "|2f|"; distance: 2; within: name_length; content: !"|04|"; distance: 0; within: 1; reference: cve, 2017-7494; reference: url, www.samba.org/samba/security/CVE-2017-7494.html; reference: url, thehackernews.com/2017/05/samba-rce-exploit.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001438; rev: 1;)
140
# Petya/NotPetya perfc component: SMB2 command 0005 followed, 106 bytes later, by the
# UTF-16LE path "Windows\perfc" (nocase). Classified successful-admin rather than attempted-admin.
141alert smb any any -> any any (msg: "ATTACK [PTsecurity] Petya ransomware perfc component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; distance: 8; within: 2; content: "W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|p|00|e|00|r|00|f|00|c|00|"; nocase; distance: 106; within: 36; reference: url, rules.ptsecurity.com; reference: url, www.ptsecurity.com/ru-ru/about/news/vse-chto-vy-hoteli-uznat-o-notpetya-no-boyalis-sprosit/; classtype: successful-admin; sid: 10001443; rev: 3;)
142
# SVN/Git ssh:// URL handling (CVE-2017-9800, -12426, -1000116, -1000117): server 3xx response
# whose Location header holds an ssh:// URL; the pcre requires a character outside the usual
# userinfo/host character set adjacent to the host part, the shape described in the referenced
# advisory. Match is case-insensitive on the header buffer (H modifier).
143alert http any any -> any any (msg: "ATTACK [PTsecurity] SVN/Git Remote Code Execution through malicious (svn+,git+)ssh:// URL (Multiple CVEs)"; flow: established, from_server; content: "30"; http_stat_code; depth: 2; content: "Location:"; http_header; nocase; content: "ssh://"; nocase; http_header; distance: 0; pcre: "/ssh:\/\/(?:[^@\s]+@)?(?:[\w\:\.\-\[\]\@]+[^\w\:\.\-\[\]\@\/\ ]|[^\w\:\.\-\[\]\@\/\ ][\w\:\.\-\[\]\@])/Hi"; reference: cve, 2017-9800; reference: cve, 2017-12426; reference: cve, 2017-1000116; reference: cve, 2017-1000117; reference: url, subversion.apache.org/security/CVE-2017-9800-advisory.txt; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001763; rev: 2;)
144
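# Spring AMQP Java deserialization (CVE-2017-8045), watched on traffic leaving broker port 5672:
# the content type application/x-java-serialized-object, a 03 byte two positions later, and
# within 110 bytes a class name starting with one of the prefixes listed in the pcre
# (org.apache., org.springframework., org.jboss., org.hibernate., javax.management., java.rmi.,
# com.sun., sun.reflect.).
# rev 1 -> 2: msg previously read "CVE--2017-8045" (double hyphen), which broke text-based
# correlation with the cve reference carried on the same rule; the detection logic is unchanged.
145alert tcp any 5672 -> any any (msg: "ATTACK [PTsecurity] Spring AMQP <1.7.4, 1.6.11, 1.5.7 Java Object Deserialization RCE (CVE-2017-8045)"; flow: established, no_stream; content: "application/x-java-serialized-object"; nocase; content: "|03|"; distance: 1; within: 1; content: "java."; distance: 0; pcre: "/application/x-java-serialized-object.{0,110}(?:org\.(?:apache\.|springframework\.|jboss\.|hibernate\.)|java(?:x\.management\.|\.rmi\.)|com\.sun\.|sun\.reflect\.)/"; reference: cve, 2017-8045; reference: url, pivotal.io/security/cve-2017-8045; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002274; rev: 2;)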
146
# Exim 4.88/4.89 BDAT use-after-free (CVE-2017-16943): two BDAT commands within 10 bytes and a
# BDAT whose argument starts with a non-digit, followed by a line of at least 100 characters.
147alert smtp any any -> any any (msg: "ATTACK [PTsecurity] Exim 4.88, 4.89 UAF RCE Attempt (CVE-2017-16943)"; flow: established, to_server; content: "BDAT"; content: "BDAT"; within: 10; pcre: "/BDAT\s*\D[^\n\r]*[\n\r][^\n\r]{100}/"; reference: cve, 2017-16943; reference: url, bugs.exim.org/show_bug.cgi?id=2199; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002280; rev: 2;)
148
# SAP NetWeaver UDDI SQL injection (CVE-2016-2386): POST to the UDDISecurityImplBean endpoint
# whose permissionId element value contains a single quote (pcre on the client body).
149alert http any any -> any any (msg: "ATTACK [PTsecurity] SAP NetWeaver AS Java UDDI 7.11-7.50 SQL Injection (CVE-2016-2386)"; flow: established, to_server; content: "POST"; http_method; content: "/UDDISecurityService/UDDISecurityImplBean"; http_uri; fast_pattern; content: "permissionId"; http_client_body; content: "|27|"; http_client_body; distance: 0; pcre: "/permissionId\s*>[^<]+?\x27/Pi"; reference: cve, 2016-2386; reference: url, github.com/vah13/SAP_exploit; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002408; rev: 1;)
150
# GitStack (CVE-2018-5955): request to /web/index.php?...git carrying HTTP Basic auth; the
# credential is base64-decoded in place (base64_decode/base64_data) and the decoded text is
# checked for "&" followed by whitespace, the injection shape from the referenced advisory.
151alert http any any -> any any (msg: "ATTACK [PTsecurity] GitStack Arbitrary PHP upload RCE (CVE-2018-5955)"; flow: established, to_server; content: "/web/index.php?"; http_uri; content: ".git"; distance: 0; http_uri; content: "Authorization:"; http_header; nocase; content: "Basic"; distance: 0; http_header; nocase; pcre: "/Basic\s+/i"; base64_decode: offset 0, relative; base64_data; pcre: "/&\s/"; reference: url, blogs.securiteam.com/index.php/archives/3557; reference: cve, 2018-5955; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002449; rev: 4;)
152
# Mikrotik RouterOS 6.38.4 stack clash (MIPS), stage 1: POST /jsproxy with a Content-Length
# value of at least five digits (no CR within 5 bytes after the header name). Sets the xbit
# RouterOS.StackClash.POST2 on the source IP for 10 seconds and does not alert on its own.
153alert http any any -> any any (msg: "ATTACK [PTsecurity] Mikrotik Router OS 6.38.4 Stack Clash RCE"; flow: established, to_server; content: "POST"; http_method; content: "/jsproxy"; http_uri; fast_pattern; content: "Content-Length: "; http_header; content: !"|0D|"; within: 5; http_header; xbits: set, RouterOS.StackClash.POST2, track ip_src, expire 10; flowbits: noalert; reference: url, github.com/BigNerd95/Chimay-Red/blob/master/StackClashMIPS.py; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002456; rev: 1;)
154
# Stage 2: raw TCP payload carrying the MIPS code bytes from the referenced StackClashMIPS.py
# with "/bin" within 30 bytes; alerts only while the stage-1 xbit is set for the source IP.
155alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Mikrotik Router OS 6.38.4 Stack Clash RCE"; flow: established, to_server, no_stream; content: "|24 50 00 00 26 04 00 40 AE 04 FF F0 26 11 00 50 AE 11 FF F4 26 11 00 60 AE 11 FF F8 22 05 FF F0 22 06 FF FC 24 02 0F AB 00 00 00 0C|"; content: "/bin"; within: 30; xbits: isset, RouterOS.StackClash.POST2, track ip_src; reference: url, github.com/BigNerd95/Chimay-Red/blob/master/StackClashMIPS.py; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002457; rev: 1;)
156
# x86 variant (StackClash_x86.py): same /jsproxy POST, but the Content-Length value is read as a
# decimal string and must equal 167936 exactly; alerts directly, no xbit handshake.
157alert http any any -> any any (msg: "ATTACK [PTsecurity] Possible Mikrotik Router OS 6.38.4 Stack Clash RCE"; flow: established, to_server; content: "POST"; http_method; content: "/jsproxy"; http_uri; fast_pattern; content: "Content-Length: "; http_header; content: !"|0D|"; within: 6; http_header; byte_test: 0, =, 167936, 0, relative, string; reference: url, github.com/BigNerd95/Chimay-Red/blob/master/StackClash_x86.py; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002459; rev: 7;)
158
# Dnsmasq < 2.78 heap overflow (CVE-2017-14492): ICMP type 133 / code 0 message with byte 4
# equal to 01, the following byte greater than 150, and at least 1500 bytes of data after it.
159alert icmp any any -> any any (msg: "ATTACK [PTsecurity] Dnsmasq <2.78 Heap Based Buffer Overflow (CVE-2017-14492)"; itype: 133; icode: 0; content: "|01|"; offset: 4; depth: 1; byte_test: 1, >, 150, 0, relative; isdataat: 1500, relative; reference: cve, 2017-14492; reference: url, security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002469; rev: 2;)
160
# Dnsmasq DHCPv6 (CVE-2017-14493), port 547: message type 0c, option 004F at offset 34 with a
# declared length greater than 16 and at least 18 bytes present behind it — an over-long
# link-layer address option, per msg.
161alert udp any any -> any 547 (msg: "ATTACK [PTsecurity] Possible Dnsmasq <2.78 DHCPv6 Link Layer Address Stack Overflow (CVE-2017-14493)"; flow: no_stream; content: "|0C|"; depth: 1; content: "|00 4F|"; distance: 33; within: 2; byte_test: 2, >, 16, 0, relative, big; isdataat: 18,relative; reference: cve, 2017-14493; reference: url, security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002473; rev: 1;)
162
# Dnsmasq DHCPv6 (CVE-2017-14494), port 547: message type 0c, option 0009, then option 0001
# with a declared length greater than 2 but fewer than 3 bytes actually present
# (isdataat: !3) — a truncated option.
163alert udp any any -> any 547 (msg: "ATTACK [PTsecurity] Possible Dnsmasq <2.78 DHCPv6 Sensitive info leak (CVE-2017-14494)"; flow: no_stream; content: "|0C|"; depth: 1; content: "|00 09|"; distance: 33; within: 2; content: "|00 01|"; distance: 24; within: 2; byte_test: 2, >, 2, 0, relative, big; isdataat: !3,relative; reference: cve, 2017-14494; reference: url, security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002475; rev: 1;)
164
# Electron protocol handler RCE (CVE-2018-1000006): server response containing "://" and a
# --gpu-launcher= argument (this sid) or -cmd-prefix= (sid 10002501), plus an interpreter name.
# NOTE(review): the pcre carries neither the R modifier nor an HTTP buffer modifier, so the
# interpreter name may match anywhere in the packet, not only after the injected option;
# expect some noise on pages that merely mention these words.
165alert http any any -> any any (msg: "ATTACK [PTsecurity] GitHub Electron <1.8.2-beta.4, <1.7.11, <1.6.16 protocol handler RCE (CVE-2018-1000006)"; flow: established, from_server; content: "://"; content: "--gpu-launcher="; nocase; pcre: "/(powershell|cmd|python|bash|\.exe)/i"; reference: cve, 2018-1000006; reference: url, electronjs.org/blog/protocol-handler-fix; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002500; rev: 2;)
166
# Same CVE, -cmd-prefix= variant; same unanchored pcre caveat as sid 10002500.
167alert http any any -> any any (msg: "ATTACK [PTsecurity] GitHub Electron <1.8.2-beta.4, <1.7.11, <1.6.16 protocol handler RCE (CVE-2018-1000006)"; flow: established, from_server; content: "://"; content: "-cmd-prefix="; nocase; pcre: "/(powershell|cmd|python|bash|\.exe)/i"; reference: cve, 2018-1000006; reference: url, electronjs.org/blog/protocol-handler-fix; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002501; rev: 3;)
168
# Mikrotik SMB (CVE-2018-7445), request stage: NetBIOS session request (81 00) at the start of
# the payload while the client side of the stream is still under 200 bytes, a length byte
# greater than 0x20 two bytes further on, followed by 00 00 00.
169alert tcp any any -> any 139 (msg: "ATTACK [PTsecurity] Mikrotik <6.41.3 <6.42rc27 RCE Attempt (CVE-2018-7445)"; flow: established, to_server, no_stream; stream_size: client, <, 200; content: "|81 00|"; depth: 2; fast_pattern; byte_test: 1, >, 0x20, 2, relative; content: "|00 00 00|"; distance: 0; reference: cve, 2018-7445; reference: url, www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002680; rev: 2;)
170
# Same CVE, payload stage: the 4-byte sequence 00 00 eb 02 repeated at least twelve times at
# the start of the reassembled stream (two in the content match, ten more in the pcre).
171alert tcp any any -> any 139 (msg: "ATTACK [PTsecurity] ShellCode Upload Mikrotik <6.41.3 <6.42rc27 RCE (CVE-2018-7445)"; flow: established, to_server, only_stream; content: "|00 00 eb 02 00 00 eb 02|"; depth: 8; pcre: "/(?:\x00\x00\xeb\x02){10}/R"; reference: cve, 2018-7445; reference: url, www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002681; rev: 1;)
172
# Same CVE, response stage: data from port 139 that begins with "sh: " — shell error text
# coming back over the SMB port. Classified successful-admin.
173alert tcp any 139 -> any any (msg: "ATTACK [PTsecurity] Successful Mikrotik <6.41.3 <6.42rc27 RCE (CVE-2018-7445)"; flow: established, from_server, no_stream; content: "sh: "; depth: 4; reference: cve, 2018-7445; reference: url, www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow; reference: url, rules.ptsecurity.com; classtype: successful-admin; sid: 10002682; rev: 1;)
174
# Cisco Smart Install (CVE-2018-0171), port 4786: 00000001 00000007 at offset 4, another
# 00000001 four bytes later, and at least 210 bytes of data after it.
175alert tcp any any -> any 4786 (msg: "ATTACK [PTsecurity] Cisco Smart Install 15.2(5)E RCE (CVE-2018-0171)"; flow: established, to_server, no_stream; content: "|00 00 00 01 00 00 00 07|"; offset: 4; depth: 8; content: "|00 00 00 01|"; distance: 4; within: 4; isdataat: 210, relative; reference: cve, 2018-0171; reference: url, embedi.com/blog/cisco-smart-install-remote-code-execution; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002774; rev: 1;)
176
# Drupalgeddon2 (CVE-2018-7600): POST /user/register whose body mentions drupal and one of the
# render-array keys #access_callback, #pre_render, #post_render or #lazy_builder ("#" and "_"
# may be URL-encoded).
177alert http any any -> any any (msg: "ATTACK [PTsecurity] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE through registration form (CVE-2018-7600)"; flow: established, to_server; content: "/user/register"; http_uri; content: "POST"; http_method; content: "drupal"; http_client_body; pcre: "/(%23|#)(access(?:_|%5f)callback|pre(?:_|%5f)render|post(?:_|%5f)render|lazy(?:_|%5f)builder)/Pi"; reference: cve, 2018-7600; reference: url, research.checkpoint.com/uncovering-drupalgeddon-2; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002808; rev: 3;)
178
# Drupalgeddon2 follow-up (CVE-2018-7602): #markup and #type, raw or single/double
# URL-encoded, in the request URI.
179alert http any any -> any any (msg: "ATTACK [PTsecurity] Drupalgeddon2 <7.5.9 <8.4.8 <8.5.3 RCE (CVE-2018-7602)"; flow: established, to_server; content: "markup"; http_uri; pcre: "/(%2523|%23|#)markup/U"; pcre: "/(%2523|%23|#)type/U"; reference: cve, 2018-7602; reference: url, www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours/; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002866; rev: 1;)
180
# RDP CredSSP MitM (CVE-2018-0886), server side of port 3389 on the reassembled stream: a TLS
# handshake record (16 03) carrying a Certificate message (0B), the DER OID
# 1.2.840.113549.1.1.1 (rsaEncryption), and then the UTF-16LE strings
# DisallowStartIfOnBatteries, Exec and Command — names from the Windows scheduled-task XML
# schema, which have no business inside a certificate.
181alert tcp any 3389 -> any any (msg: "ATTACK [PTsecurity] MS RDP CredSSP Remote Code Execution MitM (CVE-2018-0886)"; flow: established, from_server, only_stream; content: "|16 03|"; content: "|0B|"; distance: 3; within: 1; content: "|06 09 2a 86 48 86 f7 0d 01 01 01|"; distance: 0; content: "D|00|i|00|s|00|a|00|l|00|l|00|o|00|w|00|S|00|t|00|a|00|r|00|t|00|I|00|f|00|O|00|n|00|B|00|a|00|t|00|t|00|e|00|r|00|i|00|e|00|s|00|"; nocase; distance: 0; content: "E|00|x|00|e|00|c|00|"; nocase; distance: 0; content: "C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; nocase; distance: 0; reference: cve, 2018-0886; reference: url, blog.preempt.com/how-we-exploited-the-authentication-in-ms-rdp; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002831; rev: 1;)
182
# DHCP client-script WPAD injection (CVE-2018-1111), server 67 -> client 68: DHCP magic cookie,
# option FC with its length extracted, a single quote inside that option, and printable text
# leading to a shell command name (sh, nc, wget, curl, echo, cat, id, uname).
183alert udp any 67 -> any 68 (msg: "ATTACK [PTsecurity] DHCP Client Script WPAD option Exploit (CVE-2018-1111)"; content: "|63 82 53 63|"; fast_pattern; content: "|FC|"; distance: 0; byte_extract: 1, 0, length, relative; content: "'"; within: length; pcre: "/^[\x20-\x7E]+(sh|nc|wget|curl|echo|cat|id|uname)/Ri"; reference: cve, 2018-1111; reference: url, dynoroot.ninja; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002975; rev: 1;)
184
# MODX Revolution < 2.6.4 (CVE-2018-1000207): POST to /connectors/system/phpthumb.php with
# IMresizedData and cache_filename in the request body.
185alert http any any -> any any (msg: "ATTACK [PTsecurity] Modx Revolution CMS < 2.6.4 RCE by PoC (CVE-2018-1000207)"; flow: established, to_server; content: "POST"; http_method; content: "/connectors/system/phpthumb.php"; http_uri; content: "IMresizedData"; nocase; http_client_body; content: "cache_filename"; nocase; http_client_body; reference: cve, 2018-1000207; reference: url, rudnkh.me/posts/critical-vulnerability-in-modx-revolution-2-6-4; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003350; rev: 1;)
186
# Apache Pluto 3.0.0 (CVE-2018-1306): HEAD request to /pluto/portal/File Upload whose body
# contains a JSP tag opener ("<%") and ".jsp".
187alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Portals Pluto 3.0.0 RCE (CVE-2018-1306)"; flow: established, to_server; content: "HEAD"; http_method; content: "/pluto/portal/File Upload"; http_uri; depth: 25; content: "<%"; http_client_body; content: ".jsp"; http_client_body; reference: cve, 2018-1306; reference: url, packetstormsecurity.com/files/149366/apacheportalspluto300-exec.txt; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003786; rev: 1;)
188
# Cisco Prime Infrastructure TFTP (CVE-2018-15379), stage 1: TFTP DATA block 1 (00 03 00 01)
# from the server containing "<%@" (a JSP directive); sets CVE.2018-15379.JSP1 and does not alert.
189alert udp any any -> any any (msg: "ATTACK [PTsecurity] Cisco Prime Infrastructure < 3.4.1 & 3.3.1 TFTP RCE (CVE-2018-15379)"; flow: established, from_server; content: "|00 03 00 01|"; depth: 4; content: "<%@"; flowbits: set, CVE.2018-15379.JSP1; flowbits: noalert; reference: cve, 2018-15379; reference: url, seclists.org/fulldisclosure/2018/Oct/19; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003907; rev: 1;)
190
# Stage 2: a TFTP DATA block carrying /CSCOlumos/ and runrshell; alerts once the stage-1 bit is set.
191alert udp any any -> any any (msg: "ATTACK [PTsecurity] Cisco Prime Infrastructure < 3.4.1 & 3.3.1 TFTP RCE (CVE-2018-15379)"; flow: established, from_server; content: "|00 03 00|"; depth: 3; content: "/CSCOlumos/"; content: "runrshell"; distance: 0; flowbits: isset, CVE.2018-15379.JSP1; reference: cve, 2018-15379; reference: url, seclists.org/fulldisclosure/2018/Oct/19; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003908; rev: 1;)
192
# Mikrotik < 6.42 (CVE-2018-14847): request framed with 01 00 at offset 1 and "M2", containing
# /../ and the path /flash/rw/store/user.dat followed by 02 00 00 00 02 00 00 00 — path
# traversal to the file that msg identifies as holding passwords.
193alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Mikrotik <6.42 Password disclosure path traversal (CVE-2018-14847)"; flow: established, to_server; content: "|01 00|"; offset: 1; depth: 2; content: "M2"; distance: 1; within: 2; content: "/../"; distance: 0; content: "/flash/rw/store/user.dat"; distance: 0; content: "|02 00 00 00 02 00 00 00|"; distance: 0; reference: cve, 2018-14847; reference: url, github.com/tenable/routeros/tree/master/poc/bytheway; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003917; rev: 1;)
194
# MS Edge (CVE-2018-8495): server body containing a wshfile: URL that traverses with ../ or ..\
# to a .vbs file (pcre on the server body, Q modifier).
195alert http any any -> any any (msg: "ATTACK [PTsecurity] MS Edge WScript Command Injection RCE (CVE-2018-8495)"; flow: established, from_server; content: "wshfile:"; nocase; http_server_body; fast_pattern; content: ".."; distance: 0; http_server_body; content: ".vbs"; distance: 0; nocase; http_server_body; pcre: "/wshfile:[^\x22\x27\s]+(\\|\/)\.\.(\\|\/)[^\x22\x27\s]+\.vbs/Qi"; reference: cve, 2018-8495; reference: url, leucosite.com/Microsoft-Edge-RCE; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003930; rev: 2;)
196
# Cisco Webex service (CVE-2018-15442), stage 1 on port 445: SMB-carried DCERPC request (05 00 00)
# whose 16-bit field 19 bytes further on (presumably the opnum) is 0010, followed by the UTF-16LE
# service name "webexservice"; sets CVE.2018-15442.Probe, no alert on its own.
197alert tcp any any -> any 445 (msg: "ATTACK [PTsecurity] Webexservice Service Probe (CVE-2018-15442)"; flow: established, to_server, no_stream; content: "SMB"; depth: 8; content: "|05 00 00|"; distance: 0; content: "|10 00|"; distance: 19; within: 3; content: "w|00|e|00|b|00|e|00|x|00|s|00|e|00|r|00|v|00|i|00|c|00|e|000000|"; nocase; distance: 0; flowbits: set, CVE.2018-15442.Probe; reference: url, webexec.org; reference: cve, 2018-15442; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003982; rev: 1;)
198
# Stage 2: same framing with the field set to 0013 and the UTF-16LE argument "software-update";
# alerts only when the probe bit from sid 10003982 is set on the flow.
199alert tcp any any -> any 445 (msg: "ATTACK [PTsecurity] Webexservice remote privileged command execution (CVE-2018-15442)"; flow: established, to_server, no_stream; content: "SMB"; depth: 8; content: "|05 00 00|"; distance: 0; content: "|13 00|"; distance: 19; within: 3; content: "s|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00|-|00|u|00|p|00|d|00|a|00|t|00|e|00|"; nocase; distance: 0; flowbits: isset, CVE.2018-15442.Probe; reference: url, webexec.org; reference: cve, 2018-15442; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003983; rev: 3;)
200
# Kibana (CVE-2018-17245): /api/console/api_server with SENSE_VERSION in the URI and an apis=
# parameter containing a ../ or ..\ sequence, raw or URL-encoded.
201alert http any any -> any any (msg: "ATTACK [PTsecurity] Kibana < 6.4.3 <5.6.13 Arbitrary File Inclusion/Disclosure/RCE attempt (CVE-2018-17245)"; flow: established, to_server; content: "/api/console/api_server"; http_uri; content: "SENSE_VERSION"; nocase; http_uri; distance: 0; pcre: "/apis\s*=\s*[^&]*(?:(?:%2e|\.)(?:%2e|\.)(?:%5c|%2f|\/|\\))/Ui"; reference: cve, 2018-17245; reference: url, www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004231; rev: 1;)
202
# MS Exchange (CVE-2018-8581): POST with a SOAPAction header, NTLM Authorization and
# m:SendNotificationResponseMessage in the body. msg marks this as "Possible" — a lead to
# correlate with the referenced write-up, not proof on its own.
203alert http any any -> any any (msg: "ATTACK [PTsecurity] MS Exchange 2010-2019 Possible privilege escalation (CVE-2018-8581)"; flow: established, to_server; content: "POST"; http_method; content: "SOAPAction"; http_header; content: "Authorization: NTLM"; http_header; content: "m:SendNotificationResponseMessage"; http_client_body; reference: url, dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/; reference: cve, 2018-8581; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004420; rev: 1;)
204
# Raisecom GPON (CVE-2019-7385): POST /boaform/formPasswordSetup where newpass or confpass
# begins with a backtick.
205alert http any any -> any any (msg: "ATTACK [PTsecurity] Raisecom GPON RCE via command injection (CVE-2019-7385)"; flow: established, to_server; content: "POST"; http_method; content: "/boaform/formPasswordSetup"; http_uri; content: "confpass"; http_client_body; pcre: "/(newpass|confpass)\s*=\s*\x60/P"; reference: cve, 2019-7385; reference: url, s3curityb3ast.github.io/KSA-Dev-006.md; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004526; rev: 1;)
206
# Raisecom GPON (CVE-2019-7384): POST /boaform/admin/formgponConf where fmgpon_loid begins
# with a pipe character (raw or %7c).
207alert http any any -> any any (msg: "ATTACK [PTsecurity] Raisecom GPON RCE via command injection (CVE-2019-7384)"; flow: established, to_server; content: "POST"; http_method; content: "/boaform/admin/formgponConf"; http_uri; content: "fmgpon_loid"; http_client_body; pcre: "/fmgpon_loid\s*=\s*(\x7c|%7c)/P"; reference: cve, 2019-7384; reference: url, s3curityb3ast.github.io/KSA-Dev-005.md; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004527; rev: 1;)
208
# Jenkins script-security bypass (CVE-2019-1003000/1/2): POST to /job/.../config.xml whose
# <script> element contains the @Grab or @ASTTest annotation (pcre with the s flag, so the
# match may span lines).
209alert http any any -> any any (msg: "ATTACK [PTsecurity] Jenkins sandbox bypassing RCE (CVE-2019-1003000/1/2)"; flow: established, to_server; content: "POST"; http_method; nocase; content: "/job/"; http_uri; depth: 5; content: "/config.xml"; http_uri; content: "script"; http_client_body; pcre: "/<\s*script\s*>.*?@(Grab|ASTTest)/Ps"; reference: url, github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc; reference: cve, 2019-1003000; reference: cve, 2019-1003001; reference: cve, 2019-1003002; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004529; rev: 2;)
210
# MikroTik firewall/NAT bypass (CVE-2019-3924), port 8291: 01 00 / "M2" framing, a
# 68 00 00 00 sequence with nothing after it (isdataat: !1), and the five attribute markers
# listed in the content matches, in any order relative to each other.
211alert tcp any any -> any 8291 (msg: "ATTACK [PTsecurity] MikroTik Firewall & NAT Bypass (CVE-2019-3924)"; flow: established, no_stream, to_server; content: "|01 00|"; depth: 4; content: "M2"; depth: 8; content: "|68 00 00 00|"; isdataat: !1, relative; content: "|07 00 FF 09 01|"; content: "|03 00 00 08|"; content: "|04 00 00 09|"; content: "|07 00 00 21|"; content: "|08 00 00 21|"; reference: cve, 2019-3924; reference: url, www.tenable.com/security/research/tra-2019-07; reference: url, github.com/tenable/routeros/blob/master/poc/cve_2019_3924; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004547; rev: 1;)
212
# Drupal 8 REST (CVE-2019-6340): GET with hal_json in the URI and a body whose "options" value
# begins with a PHP serialized object ("O:<len>:"). Note that the rule inspects a request
# body on a GET method.
213alert http any any -> any any (msg: "ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 < 8.5.11,8.6.10 (CVE-2019-6340)"; flow: established, to_server; content: "GET"; http_method; content: "hal_json"; http_uri; content: "link"; http_client_body; content: "options"; distance: 0; content: "O:"; distance: 0; http_client_body; pcre: "/\x22options\x22\s*:\s*\x22O:\d+:/P"; reference: cve, 2019-6340; reference: url, www.ambionics.io/blog/drupal8-rce; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004555; rev: 3;)
214
# phpMyAdmin import.php abuse: form-urlencoded POST whose general_log_file parameter ends in
# .php (followed by a quote, whitespace or their URL-encodings) — the MySQL general log being
# pointed at a web-served PHP file.
215alert http any any -> any any (msg: "ATTACK [PTsecurity] PHPMyAdmin web shell planting with log redirection"; flow: established, to_server; content: "POST"; http_method; content: "import.php"; http_uri; content: "application/x-www-form-urlencoded"; http_header; content: "general_log_file"; http_client_body; fast_pattern; content: ".php"; http_client_body; distance: 0; pcre: "/general_log_file[^&]+\.php(\x22|\x27|\s|%27|%22|%20)/P"; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004566; rev: 1;)
216
# Apache Axis SSRF-to-RCE (CVE-2019-0227), response side: 3xx whose Location header contains
# "method", then a "!--…>" comment-terminator sequence (raw or URL-encoded), then "deployment".
217alert http any any -> any any (msg: "ATTACK [PTsecurity] Possible Apache Axis RCE via SSRF (CVE-2019-0227)"; flow: established, to_client; content: "30"; http_stat_code; content: "Location:"; http_header; content: "method"; distance: 0; http_header; pcre: "/(!|%21)(-|%2D|)+(>|%3E)/RHi"; content: "deployment"; distance: 0; http_header; reference: cve, 2019-0227; reference: url, rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004698; rev: 1;)
218
# Confluence widget connector (CVE-2019-3396): /rest/tinymce/.../macro/preview with contentId,
# _template and url in the request body.
219alert http any any -> any any (msg: "ATTACK [PTsecurity] Confluence <6.14.2,6.13.3,6.12.3 Unauthorized RCE (CVE-2019-3396)"; flow: established, to_server; content: "/rest/tinymce/"; http_uri; content: "/macro/preview"; http_uri; distance: 0; content: "contentId"; http_client_body; content: "_template"; http_client_body; content: "url"; http_client_body; reference: url, paper.seebug.org/886; reference: cve, 2019-3396; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004699; rev: 1;)
220
# Oracle WebLogic (CVE-2019-2618): POST to /bea_wls_deployment_internal/DeploymentService with
# app_upload, _WL_internal and bea_wls_ appearing in the request headers.
221alert http any any -> any any (msg: "ATTACK [PTsecurity] Oracle Weblogic file upload RCE (CVE-2019-2618)"; flow: established, to_server; content: "POST"; nocase; http_method; content: "/bea_wls_deployment_internal/DeploymentService"; http_uri; content: "app_upload"; http_header; content: "_WL_internal"; http_header; content: "bea_wls_"; http_header; distance: 0; reference: cve, 2019-2618; reference: url, github.com/jas502n/cve-2019-2618/blob/master/cve-2019-2618.py; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004781; rev: 2;)
222
# BlueKeep (CVE-2019-0708) exploit sequence, tracked per flow with the flowbits
# BlueKeep.pkt1 .. BlueKeep.pkt13 and the counter JoinReq. The matched data are
# TLS-looking application records (17 03 01 ..) on a port other than 443 whose app-layer
# is not classified as TLS. Each client stage exists twice: one sid for a record that
# follows a 0x20-byte record in the same segment (17 03 01 00 20 at depth 5, next header
# 32 bytes on) and one for the record arriving on its own. Every stage except the last is
# flowbits: noalert, so the only alert from this chain comes from sid 10004867.
# pkt #1 (coalesced): second record length greater than 450.
223alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #1)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; fast_pattern; content: "|17 03 01|"; distance: 32; within: 3; byte_test: 2, >, 450, 0, relative, big; flowbits: set, BlueKeep.pkt1; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004861; rev: 5;)
224
# pkt #1 (standalone): record length greater than 450.
225alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #1)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01|"; depth: 3; byte_test: 2, >, 450, 0, relative, big; flowbits: set, BlueKeep.pkt1; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005396; rev: 2;)
226
# pkt #2 (coalesced): 0x30-byte record, requires pkt1.
227alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #2)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 00 30|"; distance: 32; within: 5; fast_pattern; flowbits: isset, BlueKeep.pkt1; flowbits: set, BlueKeep.pkt2; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004862; rev: 5;)
228
# pkt #2 (standalone).
229alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #2)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 30|"; depth: 5; fast_pattern; flowbits: isset, BlueKeep.pkt1; flowbits: set, BlueKeep.pkt2; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005397; rev: 2;)
230
# pkt #3 (coalesced): 0x20-byte record, requires pkt2.
231alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #3)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 00 20|"; distance: 32; within: 5; fast_pattern; flowbits: isset, BlueKeep.pkt2; flowbits: set, BlueKeep.pkt3; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004863; rev: 5;)
232
# pkt #3 (standalone).
233alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #3)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; flowbits: isset, BlueKeep.pkt2; flowbits: set, BlueKeep.pkt3; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005398; rev: 2;)
234
# MCS Channel Join Requests (coalesced): each 0x30-byte record after pkt3 increments JoinReq.
235alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (MCS Channel Join Requests)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 00 30|"; distance: 32; within: 5; fast_pattern; flowbits: isset, BlueKeep.pkt3; flowint: JoinReq, +, 1; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004864; rev: 5;)
236
# MCS Channel Join Requests (standalone).
237alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (MCS Channel Join Requests)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 30|"; depth: 5; flowbits: isset, BlueKeep.pkt3; flowint: JoinReq, +, 1; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005399; rev: 2;)
238
# pkt #12 (coalesced): 0x180-byte record once at least 7 join requests have been counted; sets pkt12.
239alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #12)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 01 80|"; distance: 32; within: 5; flowint: JoinReq, >=, 7; flowbits: set, BlueKeep.pkt12; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004865; rev: 8;)
240
# pkt #12 (standalone).
241alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #12)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 01 80|"; depth: 5; flowint: JoinReq, >=, 7; flowbits: set, BlueKeep.pkt12; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005400; rev: 2;)
242
# Alerting stage: server-side 0x1d0-byte record with pkt12 set while both stream sides are
# still small (client < 3500 bytes, server < 3000 bytes); sets pkt13. This is the sid to
# look for when triaging the chain.
243alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708"; flow: established, from_server; app-layer-protocol: !tls; stream_size: client, <, 3500; stream_size: server, <, 3000; content: "|17 03 01 01 d0|"; depth: 5; flowbits: isset, BlueKeep.pkt12; flowbits: set, BlueKeep.pkt13; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004867; rev: 6;)
244
245alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Redis Master-Slave replication RCE successful"; flow: established, to_client; content: "FULLRESYNC"; nocase; depth: 20; content: "|7F|ELF"; within: 70; reference: url, paper.seebug.org/977; reference: url, rules.ptsecurity.com; classtype: successful-admin; sid: 10005212; rev: 2;)
246
247alert http any any -> any any (msg: "ATTACK [PTsecurity] vBulletin 5.x pre-auth RCE"; flow: established, to_server; content: "POST"; http_method; content: "routestring"; http_client_body; content: "widget_php"; within: 30; http_client_body; pcre: "/ajax.{1,6}render.{1,6}widget_php/P"; pcre: "/widgetConfig.{1,6}code/P"; reference: url, seclists.org/fulldisclosure/2019/Sep/31; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005417; rev: 3;)
248
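# rConfig unauthenticated command injection (CVE-2019-16662 / CVE-2019-16663).
# Both rules key on the vulnerable script name in the URI and then require a
# shell metacharacter (; & | raw or %-encoded) later in the URI (pcre /R = relative
# to the last match, /U = normalized URI). Expect some noise from legitimate
# query strings that contain '&' after these paths; tune on $HOME_NET hosts
# that actually run rConfig.
alert http any any -> any any (msg: "ATTACK [PTsecurity] rConfig ajaxServerSettingsChk.php unauth RCE (CVE-2019-16662)"; flow: established, to_server; content: "ajaxserversettingschk.php"; http_uri; nocase; pcre: "/(?:\x3b|\x26|\x7C|%3b|%7c|%26)/iRU"; reference: url, shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662; reference: cve, 2019-16662; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005501; rev: 5;)

alert http any any -> any any (msg: "ATTACK [PTsecurity] rConfig search.crud.php unauth RCE (CVE-2019-16663)"; flow: established, to_server; content: "search.crud.php"; http_uri; nocase; pcre: "/(?:\x3b|\x26|\x7C|%3b|%7c|%26)/iRU"; reference: url, shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662; reference: cve, 2019-16663; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005502; rev: 5;)
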
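# SMBGhost (CVE-2020-0796): SMB2 compression transform header (ProtocolId
# |FC|SMB) with an oversized 32-bit field. sid 10005777 tests the field 8 bytes
# after the ProtocolId (Offset/Length) and additionally bounds the stream to the
# first 1000 bytes in both directions; sid 10005778 tests the field immediately
# after the ProtocolId (OriginalCompressedSegmentSize) with no stream bound.
# Both use the same threshold 0x800134, little-endian.
alert smb any any -> any any (msg: "ATTACK [PTsecurity] CoronaBlue/SMBGhost DOS/RCE Attempt (CVE-2020-0796)"; flow: established; stream_size: both, <, 1000; content: "|FC|SMB"; depth: 8; byte_test: 4, >, 0x800134, 8, relative, little; reference: url, www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796; reference: cve, 2020-0796; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005777; rev: 6;)

alert smb any any -> any any (msg: "ATTACK [PTsecurity] CoronaBlue/SMBGhost DOS/RCE Attempt (CVE-2020-0796)"; flow: established; content: "|FC|SMB"; depth: 8; byte_test: 4, >, 0x800134, 0, relative, little; reference: url, www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796; reference: cve, 2020-0796; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005778; rev: 5;)
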
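# SIGRed (CVE-2020-1350), response side: DNS over TCP from port 53 whose 2-byte
# length prefix starts with 0xFF, containing a SIG record (type 0x0018, class IN)
# followed by a compression pointer (0xC0) and a second SIG type/class pair.
# This watches the upstream reply that a vulnerable Windows DNS server would
# forward/parse, so the source is the malicious authoritative server.
alert tcp any 53 -> any any (msg: "ATTACK [PTsecurity] Windows Server DNS RCE aka SIGRed (CVE-2020-1350) - Query response"; flow: established, from_server; content: "|FF|"; depth: 1; content: "|00 00 18 00 01 C0|"; within: 100; content: "|00 18 00 01|"; distance: 1; within: 4; content: "|FF|"; distance: 4; within: 1; reference: url, research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers; reference: cve, 2020-1350; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005977; rev: 2;)
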
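# WebLogic console auth bypass + RCE (CVE-2020-14882): double-URL-encoded ".."
# (%252E%252E) in the raw URI reaching console.portal, with the
# tangosol/coherence ... ShellSession class names in the request (unbuffered
# content matches, so they may be in the URI or body).
alert http any any -> any any (msg: "ATTACK [PTsecurity] Oracle Weblogic unauth RCE (CVE-2020-14882)"; flow: established, to_server; content: "%252E%252E"; http_raw_uri; content: "console.portal"; http_uri; content: "tangosol"; content: "coherence"; distance: 0; content: "ShellSession"; distance: 0; reference: url, twitter.com/jas502n/status/1321416053050667009; reference: url, testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf; reference: cve, 2020-14882; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006254; rev: 1;)
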
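# Apache httpd 2.4.49 path traversal (CVE-2021-41773). Both rules look for an
# encoded dot-segment ("%2e/" in the raw URI, then "/.%2e/" or "/%2e%2e/" via
# pcre /I = raw URI). sid 10006811 is the generic traversal and is rate-limited
# to one alert per source per 60 s; sid 10006813 narrows to a POST whose raw URI
# also contains "sh" after the traversal (the RCE variant via cgi-bin).
alert http any any -> any any (msg: "ATTACK [PTsecurity] Likely Apache HTTP Server 2.4.49 Directory Traversal (CVE-2021-41773)"; flow: established, to_server; content: "%2e/"; nocase; http_raw_uri; pcre: "/\/(\.|%2e)%2e\//Ii"; threshold: type limit, track by_src, count 1, seconds 60; reference: cve, 2021-41773; reference: url, twitter.com/lofi42/status/1445382059640434695; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006811; rev: 2;)

alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache HTTP Server 2.4.49 RCE attempt (CVE-2021-41773)"; flow: established, to_server; content: "%2e/"; nocase; http_raw_uri; content: "sh"; distance: 0; nocase; http_raw_uri; pcre: "/\/(\.|%2e)%2e\//Ii"; content: "POST"; nocase; http_method; reference: cve, 2021-41773; reference: url, twitter.com/lofi42/status/1445382059640434695; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006813; rev: 1;)
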
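# Log4Shell (CVE-2021-44228) in the normalized HTTP URI. The content chain
# anchors "${" then the letters j,n,d,i,: in order (case-insensitive, each
# relative to the previous) so the expensive pcre only runs on candidates. The
# pcre tolerates common lookup-based obfuscation (${lower:..}, ${upper:..},
# ${env:..:-..}, ${date:..}, ${..:-..}) between every character of "jndi:" and
# of the scheme (ldap | dns | rmi | iiop). Header- and body-based variants are
# not covered by this sid. The rule was broken across two physical lines in the
# listing (a Suricata rule must be one line unless continued with '\'); it is
# restored to a single line here.
alert http any any -> any any (msg: "ATTACK [PTsecurity] log4j RCE aka Log4Shell HTTP URI URL-encoded attempt (CVE-2021-44228)"; flow: established; content: "${"; http_uri; content: "j"; http_uri; distance: 0; nocase; content: "n"; http_uri; distance: 0; nocase; content: "d"; http_uri; distance: 0; nocase; content: "i"; http_uri; distance: 0; nocase; content: ":"; http_uri; distance: 0; nocase; pcre: "/\${(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*j\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*n\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*d\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*i\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*:\'*}*(?:(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*l\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*d\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*a\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*p\'*}*|(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*d\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*n\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*s\'*}*|(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*r\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*m\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*i\'*}*|(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*i\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*i\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*o\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*p\'*}*)/Ui"; reference: cve, 2021-44228; reference: url, www.lunasec.io/docs/blog/log4j-zero-day; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006897; rev: 7;)
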
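# Zabbix SAML session forgery (CVE-2022-23131): request to /index_sso.php whose
# zbx_session cookie, once base64-decoded, is a JSON object that contains
# saml_data and username_attribute but is missing at least one of sessionid,
# sign or session_index (the negative lookaheads are OR-ed, so absence of any
# one field is enough). Relies on base64_decode/base64_data buffer support.
alert http any any -> any any (msg: "ATTACK [PTsecurity] Zabbix v5.4.x SSO/SALM Auth Bypass RCE (CVE-2022-23131)"; flow: established, to_server; content: "/index_sso.php"; http_uri; content: "zbx_session="; http_cookie; base64_decode: relative; base64_data; content: "saml_data"; content: "username_attribute"; distance: 0; pcre: "/^\{(?:(?!.*sessionid)|(?!.*sign)|(?!.*session_index)).+$/"; reference: url, blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference: cve, 2022-23131; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10007101; rev: 4;)
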
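# MS16-137 / CVE-2016-7237 LSASS remote memory corruption, three-rule chain.
# All three are DISABLED (leading '#'); enabling only one of them breaks the
# chain: sid 10000532 (SMB1 Session Setup AndX, command 0x73, to port 445) sets
# both flowbit CVE.2016-7237.Attempt and the per-destination-IP xbit of the same
# name (15 s expiry); sid 10000533 needs the flowbit (reply with
# NT_STATUS_PENDING-like status 0xC0000205 bytes, same flow); sid 10000545 needs
# the xbit (Negotiate response, command 0x72, from the targeted host, i.e. a
# reconnect after the service fell over). Enable all three together or none.
#alert tcp any any -> any 445 (msg: "ATTACK [PTsecurity] LSASS Remote Memory Corruption Attempt (MS16-137)"; flow: established, no_stream; content: "|FF|SMB|73 00 00 00 00|"; offset: 4; depth: 9; content: "|FF 00|"; offset: 37; depth: 2; content: "|01 00 00 00 00 00|"; offset: 45; depth: 6; content: "|00 00 00 00 D4 00 00 A0|"; distance: 2; within: 8; content: "|A1 84|"; distance: 2; within: 2; byte_test: 1,!=,0xD1,0,relative; flowbits: set, CVE.2016-7237.Attempt; xbits: set,CVE.2016-7237.Attempt,track ip_dst,expire 15; reference: cve, 2016-7237; reference: url, g-laurent.blogspot.ru/2016/11/ms16-137-lsass-remote-memory-corruption.html; reference: url, rules.ptsecurity.com; classtype: attempted-dos; sid: 10000532; rev: 2;)

#alert tcp any 445 -> any any (msg: "ATTACK [PTsecurity] LSASS Remote Memory Corruption Successful LSASS Inf. loop (MS16-137)"; flow: established, no_stream; content: "|FF|SMB|73 05 02 00 C0|"; offset: 4; depth: 9; flowbits: isset, CVE.2016-7237.Attempt; reference: cve, 2016-7237; reference: url, g-laurent.blogspot.ru/2016/11/ms16-137-lsass-remote-memory-corruption.html; reference: url, rules.ptsecurity.com; classtype: successful-dos; sid: 10000533; rev: 2;)

#alert tcp any 445 -> any any (msg: "ATTACK [PTsecurity] LSASS Remote Memory Corruption Successful LSASS crashed (MS16-137)"; flow: established, no_stream; content: "|FF|SMB|72 01|"; offset: 4; depth: 6; xbits: isset,CVE.2016-7237.Attempt,track ip_src; reference: cve, 2016-7237; reference: url, g-laurent.blogspot.ru/2016/11/ms16-137-lsass-remote-memory-corruption.html; reference: url, rules.ptsecurity.com; classtype: successful-dos; sid: 10000545; rev: 1;)
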
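# iOS 10.1.x certificate-parsing crash (cxsecurity WLB-2016110046): a PEM
# certificate served to a $HOME_NET client whose base64 body contains one of
# three strings. The three strings appear to be the same DER fragment
# (06 08 2B 06 01 05 05 07 30 02 86 83 ..., the caIssuers AIA URI with a
# long-form length) at the three possible base64 alignments, which is why there
# are three otherwise identical rules with consecutive sids.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] iOS 10.1.x Remote memory corruption through certificate file Attempt"; flow: established, from_server; content: "-----BEGIN CERTIFICATE-----"; depth: 27; http_server_body; content: "BggrBgEFBQcwAoaD"; distance: 0; http_server_body; reference: url, cxsecurity.com/issue/WLB-2016110046; reference: url, rules.ptsecurity.com; classtype: attempted-dos; sid: 10000757; rev: 1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] iOS 10.1.x Remote memory corruption through certificate file Attempt"; flow: established, from_server; content: "-----BEGIN CERTIFICATE-----"; depth: 27; http_server_body; content: "YIKwYBBQUHMAKGgw"; distance: 0; http_server_body; reference: url, cxsecurity.com/issue/WLB-2016110046; reference: url, rules.ptsecurity.com; classtype: attempted-dos; sid: 10000758; rev: 1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] iOS 10.1.x Remote memory corruption through certificate file Attempt"; flow: established, from_server; content: "-----BEGIN CERTIFICATE-----"; depth: 27; http_server_body; content: "GCCsGAQUFBzAChoM"; distance: 0; http_server_body; reference: url, cxsecurity.com/issue/WLB-2016110046; reference: url, rules.ptsecurity.com; classtype: attempted-dos; sid: 10000759; rev: 1;)
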
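# macOS 10.12.1 / iOS 10 OCSP amplification (CVE-2016-7636): a TLS handshake
# (|16 03|) Certificate message (|0B|) from the server whose DER content repeats
# the id-ad-caIssuers OID (2B 06 01 05 05 07 30 02) followed by a URI
# GeneralName tag (0x86). The two byte_jump-guided content matches pre-filter
# on two occurrences; the pcre then requires at least 10 such OID+URI entries
# in the certificate, which is the amplification trigger. Matched on the
# reassembled stream only (only_stream).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Apple macOS 10.12.1/iOS 10 OCSP DDoS Attempt (CVE-2016-7636)"; flow: established, from_server, only_stream; content: "|16 03|"; depth: 2; content: "|16 03|"; content: "|0B|"; distance: 3; within: 1; content: "|30 83|"; content: "|30|"; distance: 3; within: 1; content: "|06 08 2B 06 01 05 05 07 30 02 86|"; distance: 1; within: 11; byte_jump: 1, 0, relative; content: "|30|"; content: "|06 08 2B 06 01 05 05 07 30 02 86|"; distance: 1; within: 11; byte_jump: 1, 0, relative; content: "|30|"; pcre: "/(?:[^\x06]+\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02\x86){10,}/"; reference: cve, 2016-7636; reference: url, cxsecurity.com/issue/WLB-2016100213; reference: url, rules.ptsecurity.com; classtype: attempted-dos; sid: 10000495; rev: 1;)
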
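# GNU Wget < 1.18 arbitrary file upload (CVE-2016-4971), two-rule chain keyed on
# the numeric flowbit "10000062". sid 10000062 is a silent marker (noalert) for
# any outbound request whose User-Agent starts with "wget"; sid 10000063 then
# alerts on the 3xx response (http_stat_code "30" in the first 2 bytes) that
# carries a "Location: ftp://" header, i.e. an HTTP->FTP redirect that old Wget
# follows and saves under the server-chosen name. No flow keyword on either
# rule; the HTTP buffers imply an established flow anyway.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "ATTACK [PTsecurity] GNU Wget http request"; content: "wget"; http_user_agent; nocase; depth: 4; flowbits: set, 10000062; flowbits: noalert; reference: cve, 2016-4971; reference: url, legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000062; rev: 2;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] GNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution"; flowbits: isset, 10000062; content: "30"; http_stat_code; depth: 2; content: "Location: ftp://"; nocase; http_header; reference: cve, 2016-4971; reference: url, legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000063; rev: 2;)
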
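# PHP unserialize gadget chain Guzzle/RCE1 (phpggc): the ordered class/method
# names GuzzleHttp\Psr7\FnStream, close, GuzzleHttp\HandlerStack, resolve as
# they appear in the serialized payload. Plain tcp on any port, so it also
# catches the chain in non-HTTP transports (e.g. a raw phar/serialized blob).
alert tcp any any -> any any (msg: "ATTACK [PTsecurity] PHP Object Deserialization RCE POP Chain (Guzzle/RCE1)"; flow: established; content: "GuzzleHttp"; content: "Psr7"; distance: 0; content: "FnStream"; distance: 0; content: "close"; distance: 0; content: "GuzzleHttp"; distance: 0; content: "HandlerStack"; distance: 0; content: "resolve"; distance: 0; reference: url, github.com/ambionics/phpggc; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003494; rev: 2;)
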
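# PsExec service binary drop: SMB2 header (|fe|SMB at offset 4, after the
# 4-byte NBSS header) with Command 0x0005 (CREATE) at offset 16; byte_jump reads
# the 2-byte NameOffset at absolute offset 112 (64-byte SMB2 header + 44 into
# the Create request, +4 NBSS), adds 4 (post_offset) and expects the UTF-16LE
# file name "PSEXESVC.EXE" there. Lateral-movement telemetry; legitimate admin
# use of PsExec will fire this too, so correlate with the source host.
alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] SMB2 Create PSEXESVC.EXE"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance: 0; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001444; rev: 1;)
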
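# Print-spooler authentication coercion (PrinterBug), three-rule chain:
#  - sid 10004152 (noalert): DCERPC bind (|05 00 0B|) over SMB to interface
#    UUID 12345678-1234-abcd-ef00-0123456789ab v1.0 (MS-RPRN / spoolss);
#    sets flowbit DCERPC.BIND.SPOOLSS.
#  - sid 10004153: DCERPC request (|05 00 00|) on that flow with opnum 0x41
#    (RpcRemoteFindFirstPrinterChangeNotificationEx) and a UNC path (UTF-16LE
#    "\\") in the stub; sets the per-destination xbit CoercedAuth for 10 s.
#    The byte_test on the packet-flags byte (& 0x80) selects the "object UUID
#    present" form; whether that excludes some clients is worth verifying.
#  - sid 10006670: within 10 s the coerced host (xbit tracked by ip_src) sends an
#    NTLMSSP AUTHENTICATE (type 3) whose user-name field ends in UTF-16LE "$",
#    i.e. a machine account. Classified attempted-admin rather than successful
#    because the relay/capture outcome is not observable here.
alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] SPOOLSS DCERPC/SMB Bind"; flow: to_server, established, no_stream; content: "SMB"; offset: 5; depth: 3; content: "|05 00 0B|"; distance: 0; content: "|78 56 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab 01 00 00 00|"; distance: 29; flowbits: set, DCERPC.BIND.SPOOLSS; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: attempted-recon; sid: 10004152; rev: 1;)

alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Possible MS-RPRN abuse (PrinterBug). Hash or Ticket theft"; flow: to_server, established, no_stream; content: "SMB"; offset: 5; depth: 3; content: "|05 00 00|"; distance: 0; byte_test: 1, &, 0x80, 0, relative; content: "|41 00|"; distance: 19; within: 2; content: "|00 01 00 00|"; distance: 36; within: 4; content: "|5C 00 5C 00|"; fast_pattern; distance: 0; flowbits: isset, DCERPC.BIND.SPOOLSS; xbits: set, CoercedAuth, track ip_dst, expire 10; reference: url, posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004153; rev: 5;)

alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Possibly successful Coerce attack. Machine account NTLM Hash leak"; flow: established, to_server; content: "NTLMSSP|00 03 00 00 00|"; byte_jump: 4, 36, relative, little, post_offset -55; content: "|00 24 00|"; within: 3; xbits: isset, CoercedAuth, track ip_src; reference: url, github.com/p0dalirius/windows-coerced-authentication-methods; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006670; rev: 2;)
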
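# MS17-010 / ETERNALBLUE (CVE-2017-0144): SMB1 Trans2 request (command 0x32,
# status 0) whose 2-byte subcommand, 52 bytes after the header match, is one
# of 0x04, 0x09, 0x0A, 0x0B, 0x0C, 0x0E or 0x11 (codes not implemented by the
# Windows SMB1 server per MSDN ee441654). The byte_test (> 8, little-endian)
# is a cheap pre-filter before the pcre; the pcre with /s re-checks the same
# bytes from the header.
alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool (CVE-2017-0144)"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/s"; reference: cve, 2017-0144; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001254; rev: 5;)
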
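# Metasploit MS17-010 ETERNALBLUE (CVE-2017-0144), three-rule flowbit chain.
# The two marker rules are silent (noalert): sid 10001724 records an SMB1
# NT Trans request (command 0xA0) and clears SMB.NTTrans2.Req; sid 10001725
# records a Trans2 request (0x32). sid 10001726 alerts on a Trans2 Secondary
# (0x33) whose 2-byte field 42 bytes in is > 61000 (little-endian) when the
# last primary seen on the flow was NT Trans and not Trans2, i.e. a Trans2
# Secondary continuing an NT Trans transaction. The marker rules carry
# classtype attempted-admin only because a classtype is mandatory; they never
# alert.
alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Flowbits for SMB NTTrans Request"; flow: established, to_server, no_stream; content: "|FF|SMB|A0|"; flowbits: set, SMB.NTTrans.Req; flowbits: unset, SMB.NTTrans2.Req; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001724; rev: 1;)

alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Flowbits for SMB NTTrans2 Request"; flow: established, to_server, no_stream; content: "|FF|SMB|32|"; flowbits: set, SMB.NTTrans2.Req; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001725; rev: 1;)

alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Metasploit MS17-010 ETERNALBLUE Exploitation (CVE-2017-0144)"; flow: established, to_server, no_stream; content: "|FF|SMB|33|"; byte_test: 2, >, 61000, 42, relative, little; flowbits: isset, SMB.NTTrans.Req; flowbits: isnotset, SMB.NTTrans2.Req; reference: cve, 2017-0144; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001726; rev: 1;)
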
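# Metasploit MS17-010 ETERNALCHAMPION (CVE-2017-0146) race-condition chain,
# four rules on flowbits EternalRomance.RaceCondition.{Possible,Attempt}:
#  - sid 10001717 (noalert): NT Trans request (0xA0) whose TotalDataCount
#    (byte_extract, 4 bytes LE) equals the DataCount field 16 bytes later,
#    function code 0x0005 (NT Rename) and at least 300 bytes of data still
#    present -> sets ...Possible (a non-fragmented request that could be raced).
#  - sid 10001718 (noalert): the server's NT Trans response clears ...Possible,
#    so a benign request/response pair leaves no state behind.
#  - sid 10001719: an NT Trans Secondary (0xA1) arriving while ...Possible is
#    still set (no response yet) -> alert, set ...Attempt; thresholded to one
#    alert per source per 60 s.
#  - sid 10001720: NT Trans response containing "Frag" within 115 bytes after
#    an Attempt -> kernel memory leaked back to the client (successful-admin).
alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Metasploit MS17-010 ETERNALCHAMPION. Non-Fragmented NT Trans Request with command NT Rename (CVE-2017-0146)"; flow: established, to_server; content: "|FF|SMB|A0|"; offset: 4; depth: 5; byte_extract: 4, 35, NTTrans.TotalDataCount, relative, little; byte_test: 4, =, NTTrans.TotalDataCount, 16, relative, little; content: "|05 00|"; distance: 25; within: 2; isdataat: 300, relative; flowbits: set, EternalRomance.RaceCondition.Possible; flowbits: noalert; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001717; rev: 2;)

alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] NT Trans Response"; flow: established, from_server; content: "|FF|SMB|A0|"; offset: 4; depth: 5; flowbits: isset, EternalRomance.RaceCondition.Possible; flowbits: unset, EternalRomance.RaceCondition.Possible; flowbits: noalert; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001718; rev: 1;)

alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Metasploit MS17-010 ETERNALCHAMPION Race Condition Exploit. NT Trans Secondary packet follows NT Trans Req (CVE-2017-0146)"; flow: established, no_stream, to_server; content: "|FF|SMB|A1|"; flowbits: isset, EternalRomance.RaceCondition.Possible; flowbits: set, EternalRomance.RaceCondition.Attempt; threshold: type both, track by_src, count 1, seconds 60; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001719; rev: 1;)

alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Metasploit MS17-010 ETERNALCHAMPION Successful kernel data leak (CVE-2017-0146)"; flow: established, from_server; content: "|FF|SMB|A0|"; content: "Frag"; within: 115; flowbits: isset, EternalRomance.RaceCondition.Attempt; reference: cve, 2017-0146; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; reference: url, rules.ptsecurity.com; classtype: successful-admin; sid: 10001720; rev: 1;)
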
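# Metasploit MS17-010 ETERNALROMANCE (CVE-2017-0143): one reassembled
# client->server chunk holding an NT Trans Secondary (0xA1), then an NT Trans
# (0xA0) with function 0x0005, then twelve SMB1 Trans requests (0x25) at a
# fixed 67-byte stride (distance 67 / within 5 each) - the grooming pattern of
# the Metasploit module. Thresholded to one alert per source per 60 s.
alert smb any any -> any any (msg: "ATTACK AD [PTsecurity] Metasploit MS17-010 ETERNALROMANCE exploitation (CVE-2017-0143)"; flow: established, to_server; content: "|FF|SMB|A1|"; content: "|FF|SMB|A0|"; distance: 0; content: "|05 00|"; distance: 64; within: 2; content: "|FF|SMB|25|"; distance: 13; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; content: "|FF|SMB|25|"; distance: 67; within: 5; threshold: type both, track by_src, count 1, seconds 60; reference: cve, 2017-0143; reference: url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference: url, www.crowdstrike.com/blog/badrabbit-ms17-010-exploitation-part-one-leak-and-control; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001723; rev: 2;)
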
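# PowerShell Empire HTTP C2.
# sid 10002268 (request): POST whose raw payload has "HTTP/1.1\r\nCookie: session="
# within the first 1000 bytes, then a "=\r\nUser-Agent: " exactly 27 bytes after
# the cookie value start (fixed session-id length), a Host header, a fixed
# "Content-Length: 462" and no Referer / Content-Type headers. Header-order and
# length fingerprinting of the default stager profile; a customised Empire
# communication profile will evade this.
# sid 10002269 (response): HTTP 200 whose body starts the standard Empire
# launcher ("If($PSVersionTable.PSVersion.Major -ge 3){" ... [ref].Assembly
# .GetType( ... System.Management.Automation.Utils), i.e. the AMSI/logging
# bypass prologue of the stager.
# NOTE(review): both rules give the hybrid-analysis reference with an "https://"
# scheme while every other url reference in this file omits it; Suricata's
# reference.config prepends a scheme to url references, so the rendered link
# would be doubled. Consider dropping the scheme for consistency.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "TOOLS [PTsecurity] Empire Request"; flow: established, to_server; content: "POST"; http_method; content: "HTTP/1.1|0d0a|Cookie: session="; depth: 1000; fast_pattern; content: "=|0d0a|User-Agent: "; distance: 27; within: 400; content: "Host: "; within: 400; content: "Content-Length: 462|0d0a|"; within: 400; content: !"Referer|3a|"; http_header; content: !"Content-Type: "; http_header; reference: url, https://www.hybrid-analysis.com/sample/52404b26bb9fe6e27ea3efbcbfd66712d33ab5b7f62c27fb823c430eccb12cb3/?environmentId=100; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10002268; rev: 10;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "TOOLS [PTsecurity] Empire"; flow: established, to_client; content: "200"; http_stat_code; content: "If($PSVersionTable.PSVersion.Major -ge 3){"; http_server_body; nocase; depth: 1000; content: "$GPS=[ref].Assembly.GetType("; http_server_body; nocase; within: 100; content: "System.Management.Automation.Utils"; http_server_body; within: 100; reference: url, https://www.hybrid-analysis.com/sample/cbf244479304572782de8ab375671da632012777c7bcf0b0e252958bff03dca4/?environmentId=100; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10002269; rev: 7;)
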
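# Neutrino bot check-in: outbound request body starting with "msg=Y21kJ"
# ("Y21k" is base64 for "cmd"), matched in the first 9 bytes of the client body.
# The hybrid-analysis reference carries an "https://" scheme unlike the other
# url references in this file; see reference.config handling before relying on
# the rendered link.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "BOTNET [PTsecurity] Neutrino Checkin"; flow: established, to_server; content: "msg=Y21kJ"; http_client_body; depth: 9; fast_pattern; reference: url, https://www.hybrid-analysis.com/sample/1035a5c5d73573788820d22539403da6165e6a2bc60800b7cdcfc5d1672cd6b8/?environmentId=100; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10002712; rev: 7;)
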
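# Orcus RAT server certificate, variant 1: a DER Certificate header
# (30 82 01 c7 30 82 01 30 a0 03 02 01 02 02, fixed lengths of the self-signed
# cert) in the first 600 bytes of the server's TLS data, followed by the bytes
# 0x16 + "OrcusServerCertificate0". Matches on the raw TLS record payload rather
# than the tls.cert_* buffers, so it keys on this exact certificate encoding;
# sid 10006589 below is the looser subject-CN based variant.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] Orcus"; flow: established, to_client; content: "|308201c730820130a00302010202|"; depth: 600; content: "|164F72637573536572766572436572746966696361746530|"; within: 600; fast_pattern; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003868; rev: 6;)
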
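# AESDDoS / Dofloo Linux bot beacons (two outbound message shapes).
# sid 10004700: the first client message on a fresh connection (server has sent
# only 1 byte so far) containing "VERSONEX" in its first 60 bytes.
# sid 10004701: a 20-byte heartbeat that is exactly "INFO:0.0%|0.0" + 1 byte +
# " Mbps\0" (CPU/bandwidth status line).
# NOTE(review): both reference urls include a scheme ("https://"), unlike the
# rest of the file; harmless for detection, but inconsistent for reporting.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BOTNET [PTsecurity] AESDDoS/Dofloo"; flow: established, to_server; stream_size: server, =, 1; content: "VERSONEX"; depth: 60; reference: url, https://app.any.run/tasks/81fdc653-6ce1-4512-9378-cfcda4495fbb; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10004700; rev: 6;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BOTNET [PTsecurity] AESDDoS/Dofloo"; flow: established, to_server; dsize: 20; content: "|49 4e 46 4f 3a 30 2e 30 25 7c 30 2e 30|"; depth: 13; content: "|20 4d 62 70 73 00|"; distance: 1; within: 6; reference: url, https://cape.contextis.com/analysis/39282/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10004701; rev: 6;)
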
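# SSVagent (APT31) beacon body.
# sid 10006530: client body bytes 1..11 are 00 00 00 01 00 00 00 01 00 00 00,
# immediately followed by a 32-character upper-case hex-looking token.
# sid 10006531 ("Possible"): looser form - only 00 00 00 at bytes 1..3, the
# 32-char token at body offset 12, and a header/body boundary (\r\n\r\n) within
# the first 300 bytes of the raw payload followed by a 1-byte length whose
# jump leaves fewer than 5 bytes of data (isdataat: !5).
# NOTE(review): the character class in both pcres is "[A-F-0-9]"; in PCRE the
# hyphen after the A-F range is taken literally, so the class also admits '-'.
# If a pure hex token was intended, "[A-F0-9]" is the tighter form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "BACKDOOR [PTsecurity] SSVagent (APT31)"; flow: established, to_server; content: "|00 00 00 01 00 00 00 01 00 00 00|"; offset: 1; depth: 11; http_client_body; pcre: "/^[A-F-0-9]{32}/RP"; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10006530; rev: 3;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "BACKDOOR [PTsecurity] Possible SSVagent (APT31)"; flow: established, to_server; content: "|00 00 00|"; offset: 1; depth: 3; http_client_body; pcre: "/^.{12}[A-F-0-9]{32}/P"; content: "|0d0a 0d0a|"; depth: 300; byte_jump: 1, 0, relative; isdataat: !5, relative; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10006531; rev: 4;)
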
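# Orcus RAT server certificate, variant 2 (subject-based): a DER SEQUENCE
# (|3082|) early in the server's TLS data, the commonName OID 2.5.4.3 (|55 04 03|)
# and, one byte later, a 12-byte UTF8String (tag 0x0c) "Orcus Server" followed
# by the next SET/SEQUENCE byte 0x30. Looser than sid 10003868 because it does
# not depend on the certificate's exact lengths.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] Orcus"; flow: established,from_server; content: "|3082|"; depth: 300; content: "|550403|"; depth: 3000; content: "|0c|Orcus Server0"; distance: 1; within: 14; reference: url, https://app.any.run/tasks/71e6d83c-fd4e-41a9-9c3b-d0a77830a89d; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10006589; rev: 3;)
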
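# TinyNuke / AVE_MARIA (Warzone) RAT hello: the very first client message of a
# connection (client stream exactly 11 bytes, server 1 byte), a 10-byte packet
# whose first 9 bytes are the literal "AVE_MARIA". Any/any addresses and ports,
# so it also sees internal-to-internal traffic.
alert tcp any any -> any any (msg: "REMOTE [PTsecurity] TinyNuke"; flow: established, to_server; stream_size: client, =, 11; stream_size: server, =, 1; dsize: 10; content: "AVE_MARIA"; depth: 9; reference: url, https://app.any.run/tasks/48ad8f56-2255-47bf-a988-e0602c11f4b0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10006793; rev: 4;)
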
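# Bunitu proxy trojan handshake on TCP 53/443, three-packet flowbit chain
# FB70820_0 -> FB70820_1 -> FB70820_2. Each step pins the packet size (dsize 14,
# 50, 37), a 0x00 second byte, and tight per-direction stream_size windows so
# the sequence must be the first exchange on the connection; only the final
# step (sid 11000342) alerts. Because the ports overlap real DNS/TLS, the
# size/ordering constraints are what keep this quiet - do not loosen them.
alert tcp $HOME_NET any -> $EXTERNAL_NET [53, 443] (msg: "PROXY [PTsecurity] Bunitu FB set FB70820_0"; flow: established, to_server; dsize: 14; content: "|00|"; offset: 1; depth: 1; stream_size: server, >,0; stream_size: server, <,2; stream_size: client, >,0; stream_size: client, <,16; flowbits: noalert; flowbits: set, FB70820_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11000339; rev: 12;)

alert tcp $EXTERNAL_NET [53, 443] -> $HOME_NET any (msg: "PROXY [PTsecurity] Bunitu FB set FB70820_1"; flow: established, to_client; dsize: 50; content: "|00|"; offset: 1; depth: 1; stream_size: server, >,0; stream_size: server, <,52; stream_size: client, >,0; stream_size: client, <,16; flowbits: noalert; flowbits: isset, FB70820_0; flowbits: unset, FB70820_0; flowbits: set, FB70820_1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11000340; rev: 11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [53, 443] (msg: "PROXY [PTsecurity] Bunitu Successful Connection"; flow: established, to_server; dsize: 37; content: "|00|"; offset: 1; depth: 1; stream_size: server, >,0; stream_size: server, <,52; stream_size: client, >,0; stream_size: client, <,53; flowbits: isset, FB70820_1; flowbits: set, FB70820_2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11000342; rev: 10;)
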
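# Tofsee C2 handshake on non-HTTP ports, four-step flowbit chain
# PT.Tofsee_0 -> _1 -> _2 -> alert, driven purely by packet sizes (dsize 200,
# 57, 97, 25 with PSH+ACK) and cumulative stream sizes (server reaches exactly
# 201 after the first reply and 258 after the second; client stays under 200 /
# 300 / 350). There is no content match at all, so the chain is intentionally
# strict about ordering; only sid 11001385 alerts. sids are not in step order
# (…386, …388, …387, …385) - harmless, but worth knowing when grepping.
alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "BOTNET [PTsecurity] Tofsee Successful Connection FB set PT.Tofsee_0"; flow: established, to_client; dsize: 200; flags: PA; stream_size: client,=,1; stream_size: server,=,201; flowbits: noalert; flowbits: set, PT.Tofsee_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001386; rev: 8;)

alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "BOTNET [PTsecurity] Tofsee Successful Connection FB set PT.Tofsee_1"; flow: established, to_client; dsize: 57; flags: PA; stream_size: client,<,200; stream_size: server,=,258; flowbits: isset, PT.Tofsee_0; flowbits: noalert; flowbits: unset, PT.Tofsee_0; flowbits: set, PT.Tofsee_1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001388; rev: 8;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "BOTNET [PTsecurity] Tofsee FB set PT.Tofsee_2"; flow: established, to_server; dsize: 97; flags: PA; stream_size: client,<,300; stream_size: server,=,258; flowbits: noalert; flowbits: isset, PT.Tofsee_1; flowbits: unset, PT.Tofsee_1; flowbits: set, PT.Tofsee_2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001387; rev: 8;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "BOTNET [PTsecurity] Tofsee"; flow: established, to_server; flowbits: isset,PT.Tofsee_2; dsize: 25; flags: PA; stream_size: client,<,350; stream_size: server,=,258; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001385; rev: 6;)
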
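# Tor-like TLS traffic profile, chain A (FB447357_0 .. _3 -> sid 11002434).
# Each step matches a TLS 1.0 application-data record header with a specific
# length (|17 03 01 00 20| = 32-byte record, |17 03 01 02 20| = 544-byte record)
# at the start of a packet, inside narrowing per-direction stream_size windows;
# the client steps alternate with server steps. The first step also requires
# flowbit FB0_01, which is set by a rule outside this section (presumably a
# ClientHello profile) - keep that rule enabled or this chain never starts.
# Only the last rule alerts; classtype misc-activity, treat as a weak signal.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB447357_0"; flow: established, to_server; content: "|1703 01 0020|"; depth: 5; fast_pattern; stream_size: server, >,954; stream_size: server, <,3863; stream_size: client, >,166; stream_size: client, <,2558; flowbits: noalert; flowbits: isset, FB0_01; flowbits: set, FB447357_0; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002430; rev: 6;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB447357_1"; flow: established, to_client; content: "|1703 01 0020|"; depth: 5; fast_pattern; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,2414; stream_size: server, <,3863; stream_size: client, >,166; stream_size: client, <,2558; flowbits: noalert; flowbits: isset, FB447357_0; flowbits: unset, FB447357_0; flowbits: set, FB447357_1; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002431; rev: 6;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB447357_2"; flow: established, to_server; content: "|1703 01 0220|"; depth: 5; fast_pattern; stream_size: server, >,3044; stream_size: server, <,3863; stream_size: client, >,715; stream_size: client, <,2558; flowbits: noalert; flowbits: isset, FB447357_1; flowbits: unset, FB447357_1; flowbits: set, FB447357_2; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002432; rev: 6;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB447357_3"; flow: established, to_client; content: "|1703 01 0020|"; depth: 5; fast_pattern; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,3630; stream_size: server, <,3963; stream_size: client, >,1264; stream_size: client, <,2558; flowbits: noalert; flowbits: isset, FB447357_2; flowbits: unset, FB447357_2; flowbits: set, FB447357_3; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002433; rev: 6;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] SSL TOR unusual activity"; flow: established, to_server; content: "|1703 01 0220|"; depth: 5; fast_pattern; stream_size: server, >,3630; stream_size: server, <,4407; stream_size: client, >,1813; stream_size: client, <,3102; flowbits: isset, FB447357_3; flowbits: unset, FB447357_3; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11002434; rev: 5;)
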
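# Tor-like TLS traffic profile, chain B (FB167479_0 .. _3 -> sid 11001543).
# Same construction as chain A (FB447357_*): 32-byte TLS 1.0 application-data
# records (|17 03 01 00 20|) at packet start, a second record header 32 bytes
# later, and per-direction stream_size windows that grow step by step. The
# first step also depends on flowbit FB0_01 from a rule outside this section.
# Only the last rule alerts (misc-activity); both chains can fire on the same
# flow if the sizes happen to satisfy both.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB167479_0"; flow: established, to_server; content: "|1703 0100 20|"; fast_pattern; depth: 5; content: "|1703 0100 20|"; distance: 32; within: 5; stream_size: server, >,1063; stream_size: client, >,429; stream_size: server, <,3156; stream_size: client, <,2261; flowbits: noalert; flowbits: isset, FB0_01; flowbits: set, FB167479_0; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001533; rev: 10;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB167479_1"; flow: established, to_client; content: "|17 03 01 00 20|"; fast_pattern; depth: 5; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,2523; stream_size: client, >,429; stream_size: server, <,4000; stream_size: client, <,2261; flowbits: noalert; flowbits: isset, FB167479_0; flowbits: unset, FB167479_0; flowbits: set, FB167479_1; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001540; rev: 9;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB167479_2"; flow: established, to_server; content: "|17 03 01 00 20|"; fast_pattern; depth: 5; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,3153; stream_size: client, >,1015; stream_size: server, <,4100; stream_size: client, <,2261; flowbits: noalert; flowbits: isset, FB167479_1; flowbits: unset, FB167479_1; flowbits: set, FB167479_2; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001541; rev: 10;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity FB set FB167479_3"; flow: established, to_client; content: "|17 03 01 00 20|"; fast_pattern; depth: 5; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,3739; stream_size: client, >,1601; stream_size: server, <,4856; stream_size: client, <,2261; flowbits: noalert; flowbits: isset, FB167479_2; flowbits: unset, FB167479_2; flowbits: set, FB167479_3; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001542; rev: 9;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SUSPICIOUS [PTsecurity] Unusual TOR SSL Activity"; flow: established, to_server; content: "|17 03 01 00 20|"; fast_pattern; depth: 5; content: "|1703|"; distance: 32; within: 2; stream_size: server, >,3739; stream_size: client, >,2187; stream_size: server, <,5000; stream_size: client, <,5000; flowbits: isset, FB167479_3; flowbits: unset, FB167479_3; reference: url, rules.ptsecurity.com; classtype: misc-activity; sid: 11001543; rev: 7;)
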
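# Trickbot / Upatre / Dyre / Dridex TLS C2, JA3-seeded flowbit chain
# FB320221_ -> FB320221_0 -> FB320221_1.
# sids 11001756 / 11001757 (noalert) set FB320221_ when the client's JA3 hash
# equals one of two fingerprints. They use the ja3_hash buffer with no flow
# keyword, so JA3 computation must be enabled in the TLS app-layer
# configuration for them (and therefore the whole chain) to work.
# sid 11001758 (noalert) then wants the first server application-data record
# (|17 03|) to have a length between 160 and 240 while both streams are still
# under 3000 bytes; sid 11001760 alerts when the server later sends a 256-byte
# record followed exactly 256 bytes later by a 32-byte record and another
# record header 32 bytes after that - the session's handshake-to-data profile.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SPYWARE [PTsecurity] Trickbot/Upatre/Dyre/Dridex JA3 FB set FB320221_"; ja3_hash; content: "8c4a22651d328568ec66382a84fc505f"; flowbits: set, FB320221_; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001756; rev: 7;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg: "SPYWARE [PTsecurity] Trickbot/Upatre/Dyre/Dridex JA3 FB set FB320221_"; ja3_hash; content: "6734f37431670b3ab4292b8f60f29984"; flowbits: set, FB320221_; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001757; rev: 7;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SPYWARE [PTsecurity] Trickbot/Upatre/Dyre/Dridex FB set FB320221_0"; flow: established, to_client; content: "|1703|"; depth: 2; byte_test: 2, >=,160, 1, relative; byte_test: 2, <=,240, 1, relative; stream_size: server, <,3000; stream_size: client, <,3000; flowbits: isset, FB320221_; flowbits: noalert; flowbits: set, FB320221_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001758; rev: 8;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "SPYWARE [PTsecurity] Trickbot/Upatre/Dyre/Dridex SSL Successful Connection"; flow: established, to_client; content: "|17 03 01 01 00|"; depth: 5; content: "|17 03 01 00 20|"; distance: 256; within: 5; content: "|17 03 01|"; distance: 32; within: 3; stream_size: server, <,30000; stream_size: client, <,30000; flowbits: isset, FB320221_0; flowbits: unset, FB320221_0; flowbits: set, FB320221_1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001760; rev: 8;)
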
# Babylon chain (flowbits FB322496_*): three 4-byte messages with 0xFF at
# payload offsets 1 and 3 (offset 1/depth 1, then distance 1/within 1).
# Stage 0 is the very first client message (client stream_size 5 with a 4-byte
# payload, server 1), stage 1 a later client message, and the server reply
# (sid 11001785) raises the alert.
377alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] Babylon FB set FB322496_0"; flow: established, to_server; dsize: 4; content: "|FF|"; offset: 1; depth: 1; content: "|FF|"; distance: 1; within: 1; stream_size: server, =,1; stream_size: client, =,5; flowbits: noalert; flowbits: set, FB322496_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001783; rev: 7;)
378
379alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] Babylon FB set FB322496_1"; flow: established, to_server; dsize: 4; content: "|FF|"; offset: 1; depth: 1; content: "|FF|"; distance: 1; within: 1; stream_size: server, <,24; stream_size: client, >,5; stream_size: client, <,250; flowbits: isset, FB322496_0; flowbits: unset, FB322496_0; flowbits: set, FB322496_1; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001784; rev: 7;)
380
381alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] Babylon"; flow: established, to_client; dsize: 4; content: "|FF|"; offset: 1; depth: 1; content: "|FF|"; distance: 1; within: 1; stream_size: server, <,124; stream_size: client, >,5; stream_size: client, <,250; flowbits: isset, FB322496_1; flowbits: unset, FB322496_1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11001785; rev: 6;)
382
# sid 11000314: stand-alone variant alerting immediately on a first client
# message of exactly |ce ff cd ff| to a non-HTTP port. That sequence also
# satisfies sid 11001783's pattern, so such a flow enters the chain above too.
383alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "REMOTE [PTsecurity] Babylon"; flow: established, to_server; dsize: 4; content: "|ceff cdff|"; depth: 4; stream_size: server, =,1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11000314; rev: 4;)
384
# LiteManager chain (flowbits FB206141_*): five consecutive 4-byte messages on
# non-HTTP ports, each beginning |00 00|. Direction alternates client, client,
# server, client, server, and the stream_size upper bounds grow by roughly one
# message per stage (client <6, <10, <10, <14, <22; server <2, <2, <6, <6, <14).
# Only the last rule (sid 11001885) alerts; the others are noalert.
385alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "REMOTE [PTsecurity] LiteManager FB set FB206141_0"; flow: established, to_server; dsize: 4; content: "|0000|"; depth: 2; stream_size: server, >,0; stream_size: server, <,2; stream_size: client, >,0; stream_size: client, <,6; flowbits: noalert; flowbits: set, FB206141_0; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 11001881; rev: 8;)
386
387alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "REMOTE [PTsecurity] LiteManager FB set FB206141_1"; flow: established, to_server; dsize: 4; content: "|0000|"; depth: 2; stream_size: server, >,0; stream_size: server, <,2; stream_size: client, >,0; stream_size: client, <,10; flowbits: noalert; flowbits: isset, FB206141_0; flowbits: unset, FB206141_0; flowbits: set, FB206141_1; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 11001882; rev: 8;)
388
389alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "REMOTE [PTsecurity] LiteManager FB set FB206141_2"; flow: established, to_client; dsize: 4; content: "|0000|"; depth: 2; stream_size: server, >,0; stream_size: server, <,6; stream_size: client, >,0; stream_size: client, <,10; flowbits: noalert; flowbits: isset, FB206141_1; flowbits: unset, FB206141_1; flowbits: set, FB206141_2; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 11001883; rev: 8;)
390
391alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "REMOTE [PTsecurity] LiteManager FB set FB206141_3"; flow: established, to_server; dsize: 4; content: "|0000|"; depth: 2; stream_size: server, >,0; stream_size: server, <,6; stream_size: client, >,0; stream_size: client, <,14; flowbits: noalert; flowbits: isset, FB206141_2; flowbits: unset, FB206141_2; flowbits: set, FB206141_3; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 11001884; rev: 8;)
392
393alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "REMOTE [PTsecurity] LiteManager"; flow: established, to_client; dsize: 4; content: "|0000|"; depth: 2; stream_size: server, >,0; stream_size: server, <,14; stream_size: client, >,0; stream_size: client, <,22; flowbits: isset, FB206141_3; flowbits: unset, FB206141_3; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 11001885; rev: 6;)
394
# DarkTrack handshake (flowbit FB582528_0). Request: a 6-byte first client
# message (client stream 7, server 1) of the form |01 XX 00 00 00 ..| where XX
# (byte_test at absolute offset 1) lies in 0x07..0xEF. Reply: a 6-byte server
# message starting |01 00 00 00|, which consumes the bit and alerts.
395alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] DarkTrack Successful Connection FB set FB582528_0"; flow: established, to_server; dsize: 6; content: "|0000 00|"; fast_pattern; offset: 2; depth: 3; content: "|01|"; offset: 0; depth: 1; byte_test: 1,>,0x06,1; byte_test: 1,<,0xf0,1; stream_size: server, =,1; stream_size: client, =,7; flowbits: noalert; flowbits: set, FB582528_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11003004; rev: 8;)
396
397alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] DarkTrack Successful Connection"; flow: established, to_client; dsize: 6; stream_size: server, >,0; stream_size: server, <,54; stream_size: client, >,0; stream_size: client, <,650; content: "|0100 0000|"; fast_pattern; depth: 4; flowbits: isset, FB582528_0; flowbits: unset, FB582528_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11003005; rev: 7;)
398
# ModiLoader chain (flowbits FB909586_*) on non-HTTP ports: a 50..52-byte first
# client message (dsize 49<>53) whose pcre only demands two 7-bit bytes somewhere
# after 10..55 arbitrary ones, a 3-byte server reply (server stream 4), then a
# 2-byte client message which raises the alert. The final rule also sets
# FB909586_2; its consumer is not in this excerpt.
# NOTE(review): "stream_size: server,=, 1" on sid 11003921 has irregular spacing
# compared with the rest of the file; it presumably parses identically, but
# worth normalising.
399alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "LOADER [PTsecurity] ModiLoader FB set FB909586_0"; flow: established, to_server; dsize: 49<>53; pcre: "/^[\x00-\xff]{10,55}[\x00-\x7f][\x00-\x7f]/"; stream_size: server,=, 1; stream_size: client, <,54; flowbits: noalert; flowbits: set, FB909586_0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11003921; rev: 10;)
400
401alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "LOADER [PTsecurity] ModiLoader FB set FB909586_1"; flow: established, to_client; dsize: 3; stream_size: server, =,4; stream_size: client, <,54; flowbits: noalert; flowbits: isset, FB909586_0; flowbits: unset, FB909586_0; flowbits: set, FB909586_1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11003922; rev: 9;)
402
403alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg: "LOADER [PTsecurity] ModiLoader Successful Connection"; flow: established, to_server; dsize: 2; stream_size: server, =,4; stream_size: client, <,56; flowbits: isset, FB909586_1; flowbits: unset, FB909586_1; flowbits: set, FB909586_2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11003923; rev: 8;)
404
# SilentTrinity chain (flowbits ST_checker1..3) on TLS 1.2 application-data
# records (|17 03 03|), keyed entirely on record lengths while the client
# stream is under 3500 and the server stream under 8000 bytes:
#   1. client record length 0x02EA..0x02EC (byte_test on the low length byte)
#   2. server record length 0x0099
#   3. server record length 0x0303..0x0304
#   4. client record length 0x0065 -> alert (sid 11004724)
405alert tls any any -> any any (msg: "REMOTE [PTsecurity] SilentTrinity FB set ST_checker1"; flow: established, to_server; stream_size: client, <,3500; stream_size: server, <,8000; content: "|17030302|"; depth: 4; byte_test: 1,>=,0xea,0,relative; byte_test: 1,<=,0xec,0,relative; flowbits: set, ST_checker1; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11004397; rev: 7;)
406
407alert tls any any -> any any (msg: "REMOTE [PTsecurity] SilentTrinity FB set ST_checker2"; flow: established, to_client; stream_size: client, <,3500; stream_size: server, <,8000; content: "|1703030099|"; depth: 5; flowbits: isset, ST_checker1; flowbits: set, ST_checker2; flowbits: unset, ST_checker1; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11004398; rev: 6;)
408
409alert tls any any -> any any (msg: "REMOTE [PTsecurity] SilentTrinity FB set ST_checker3"; flow: established, to_client; stream_size: client, <,3500; stream_size: server, <,8000; content: "|17030303|"; depth: 4; byte_test: 1,>=,0x03,0,relative; byte_test: 1,<=,0x04,0,relative; flowbits: noalert; flowbits: isset, ST_checker2; flowbits: unset, ST_checker2; flowbits: set, ST_checker3; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11004399; rev: 9;)
410
411alert tls any any -> any any (msg: "REMOTE [PTsecurity] SilentTrinity"; flow: established, to_server; stream_size: client, <,3500; stream_size: server, <,8000; content: "|1703030065|"; depth: 5; flowbits: isset, ST_checker3; flowbits: unset, ST_checker3; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 11004724; rev: 4;)
412
# TOR certificate marker (flowbit FB0_01, noalert; the consuming rule is not in
# this excerpt). Matches a DER SEQUENCE |30 82| within the first 300 server
# bytes, a nested |30 82 01|, the explicit [0] version tag |a0 03 02 01 02| with
# value 2 (X.509 v3) followed by the serial-number INTEGER tag |02|, and, 38 bytes
# further on, the ASCII pair "ww" (|77 77|, the fast pattern).
413alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "POLICY [PTsecurity] TOR cert set FB set FB0_01"; flow: established, to_client; content: "|3082|"; depth: 300; content: "|308201|"; distance: 2; within: 3; content: "|a00302010202|"; distance: 1; within: 6; content: "|7777|"; distance: 38; within: 2; fast_pattern; flowbits: set, FB0_01; flowbits: noalert; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 10001844; rev: 6;)
414
# SpyNote. sid 10008411: the exact 23-byte server banner
# "Server Prent <please>\r\n" (dsize 23, depth 23).
415alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "SPYWARE [PTsecurity] SpyNote response"; flow: established, to_client; dsize: 23; content: "Server|20|Prent|20 3c|please|3e 0d 0a|"; depth: 23; fast_pattern; reference: url, https://app.any.run/tasks/35f20b0a-10b1-4355-a562-076d8ab6db94; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10008411; rev: 2;)
416
# sid 10008415 (SpyNote/Craxs): payload over 19 bytes beginning "digits\0digits\0"
# (up to five digits each), immediately followed by a gzip header
# |1f 8b 08 00 00 00 00 00| and a second gzip header at least one byte later.
# NOTE(review): this rule has no "flow" keyword, so it is evaluated on every
# TCP packet in either direction regardless of session state; the per-source
# threshold (1 per 120 s) is the only rate limit.
417alert tcp any any -> any any (msg: "SPYWARE [PTsecurity] SpyNote/Craxs"; dsize: >19; pcre: "/^[0-9]{1,5}\x00[0-9]{1,5}\x00/"; content: "|1f 8b 08 00 00 00 00 00|"; distance: 0; within: 8; content: "|1f 8b 08 00 00 00 00 00|"; distance: 1; threshold: type limit, track by_src, count 1, seconds 120; reference: url, https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10008415; rev: 1;)
418
# Hydra check-ins: POST to /api/v1/device (or /api/v1/device/update) with a
# "charset: utf-8" header and a JSON request body. In each rule the depth equals
# the length of the quoted prefix, so the named key must be the first key of the
# body: {"bot_phones": (14), {"injects_loaded": (18), or {"country" (10) followed
# in order by "admin_rights_enabled", "os_version", "tag" and "push_token".
419alert http any any -> any any (msg: "SPYWARE [PTsecurity] Hydra"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/api/v1/device/update"; http.header; content: "charset: utf-8"; nocase; http.request_body; content: "{|22|bot_phones|22|:"; depth: 14; fast_pattern; reference: url, tria.ge/240808-w3nt2a1brd/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012079; rev: 1;)
420
421alert http any any -> any any (msg: "SPYWARE [PTsecurity] Hydra"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/api/v1/device"; http.header; content: "charset: utf-8"; nocase; http.request_body; content: "{|22|injects_loaded|22|:"; depth: 18; fast_pattern; reference: url, tria.ge/240808-w3nt2a1brd/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012089; rev: 1;)
422
423alert http any any -> any any (msg: "SPYWARE [PTsecurity] Hydra"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/api/v1/device"; http.header; content: "charset: utf-8"; nocase; http.request_body; content: "{|22|country|22|"; depth: 10; content: "|22|admin_rights_enabled|22|:"; distance: 0; fast_pattern; content: "|22|os_version|22|:"; distance: 0; content: "|22|tag|22|:"; distance: 0; content: "|22|push_token|22|:"; distance: 0; reference: url, tria.ge/240808-w3nt2a1brd/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012090; rev: 1;)
424
# Zanubis beacon: POST to /socket.io/ from an okhttp client with text/plain
# Content-Type, gzip Accept-Encoding and no Referer. The body must open with the
# JSON array prefix ["inicio"," (within the first 14 bytes) and contain the
# delimiters "=:" and "==:" at fixed offsets (43 and then 22 bytes on, each with
# a small within window), i.e. two fixed-length fields follow the prefix.
425alert http any any -> any any (msg: "SPYWARE [PTsecurity] Zanubis"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/socket.io/"; http.header; content: "Content-Type: text/plain"; content: "Accept-Encoding: gzip"; content: "User-Agent: okhttp/"; content: !"Referer"; http.request_body; content: "[|22|inicio|22|,|22|"; depth: 14; fast_pattern; content: "=:"; distance: 43; within: 3; content: "==:"; distance: 22; within: 4; reference: url, https://www.virustotal.com/gui/file/f6efdc5aa776a013ec6802d33a90676d83f5a6e07324a2775cf1994eb252ff8d/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012111; rev: 2;)
426
# NGLite/NKAbuse: Go-http-client POST whose body begins with the NKN SDK
# JSON-RPC "getwsaddr" request; the quoted prefix is exactly 63 bytes, so
# depth 63 pins it to the start of the body. No Referer header.
# Style: written with legacy content modifiers (http_method / http_header /
# http_client_body) rather than the http.* sticky buffers used by the newer
# rules in this file; equivalent, but inconsistent.
427alert http any any -> any any (msg: "BACKDOOR [PTsecurity] NGLite/NKAbuse"; flow: established, to_server; content: "POST"; http_method; content: "User-Agent: Go-http-client/"; http_header; content: "{|22|id|22|:|22|nkn-sdk-go|22|,|22|method|22|:|22|getwsaddr|22|,|22|params|22|:{|22|address|22|:|22|__"; http_client_body; depth: 63; content: !"Referer|3a|"; http_header; reference: url, https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10006871; rev: 3;)
428
# MetaStealer C2 reply: HTTP 200 with "Content-Length: 46" and a server body of
# exactly {"ok":"<uuid>"}\n — 7-byte prefix (depth 7) + 36-char UUID + 3 bytes
# = 46. The pcre (Q = http_server_body, R = relative to the prefix match)
# enforces the UUID and the closing "}\n; isdataat:!1 forbids trailing bytes.
429alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "STEALER [PTsecurity] MetaStealer"; flow: established, to_client; content: "200"; http_stat_code; content: "Content-Length: 46"; http_header; content: "{|22|ok|22|:|22|"; http_server_body; depth: 7; pcre: "/[a-fA-F0-9]{8}-(?:[a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}\x22\x7d\x0a/RQ"; isdataat: !1, relative; reference: url, https://app.any.run/tasks/a3bfd605-f3ef-43e4-85bc-7e909275a770; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10007504; rev: 4;)
430
# XWorm keep-alive, both directions: a fixed 19-byte message made of the ASCII
# decimal length "16", a NUL, and 16 constant bytes (2 + 1 + 16 = 19 = dsize).
# Server->client and client->server variants carry different constants.
# Rate-limited to one alert per destination per 120 s.
431alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] XWorm Ping"; flow: established, from_server; dsize: 19; content: "16|00 66 14 47 80 9b ae 6d c0 d9 1e 2b 17 b3 d8 4a 5a|"; depth: 19; threshold: type limit, track by_dst, seconds 120, count 1; reference: md5, ed22b81e3a57a1622dd8a8900411e520; reference: url, github.com/Shinyenigma/XWorm-RAT/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10008312; rev: 3;)
432
433alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] XWorm Ping"; flow: established, to_server; dsize: 19; content: "16|00 53 9c 47 5c 59 25 30 ab 7d 21 76 83 fa 5e 04 9e|"; depth: 19; threshold: type limit, track by_dst, seconds 120, count 1; reference: md5, ed22b81e3a57a1622dd8a8900411e520; reference: url, github.com/Shinyenigma/XWorm-RAT/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10008313; rev: 3;)
434
# WorldWind exfiltration over a bot-API style endpoint: POST to a URI that
# starts with "/bot", has "/sendDocument?chat_id=" at least 44 bytes later
# (distance 44 with no within, so a longer token still matches), then "&text="
# and the report fields "WorldWind", "System:", "CPU:", "Screen:" in the URI.
# No Referer; one alert per destination per 120 s.
435alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "STEALER [PTsecurity] WorldWind"; flow: established, to_server; content: "POST"; http_method; content: "/bot"; http_uri; depth: 4; content: "/sendDocument?chat_id="; distance: 44; http_uri; content: "&text="; distance: 0; http_uri; content: "WorldWind"; http_uri; fast_pattern; content: "System:"; http_uri; content: "CPU:"; http_uri; content: "Screen:"; http_uri; content: !"Referer:"; http_header; threshold: type limit, track by_dst, count 1, seconds 120; reference: url, https://app.any.run/tasks/ab8f29a9-cf74-4f63-b296-dced2e5a2393; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10009186; rev: 1;)
436
# Metamorfo: POST to a .php URI whose header block starts with
# "Connection: keep-alive" (depth 23) and then lists Content-Type (form-urlencoded),
# Content-Length, Host and an Accept header in that exact order (chained
# distance: 0). The body begins with "Host=" (fast pattern). No Referer.
437alert http any any -> any any (msg: "SPYWARE [PTsecurity] Metamorfo"; flow: established, to_server; content: "POST"; http_method; content: ".php"; http_uri; content: "Connection: keep-alive"; http_header; depth: 23; content: "Content-Type: application/x-www-form-urlencoded"; http_header; distance: 0; content: "Content-Length: "; http_header; distance: 0; content: "Host: "; http_header; distance: 0; content: "Accept: text/html,application/xhtml+xml,application/xml|3b|q="; http_header; distance: 0; content: "Host="; fast_pattern; http_client_body; depth: 5; content: !"Referer|3a|"; http_header; reference: url, https://app.any.run/tasks/7f89b953-a4fd-4a53-a957-1c83ddf1b1d2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010035; rev: 1;)
438
# ZIPThief upload: short URI (3..9 bytes), an octet-stream multipart raw header,
# no Referer, and a request body that opens with a ZIP local-file header
# |50 4b 03 04 14 00|. The pcre (P = client body, R = relative) skips 24 more
# bytes — 6 + 24 = 30, the offset of the file name in a local-file header — and
# requires that name to be a UUID followed by ".txt".
439alert http any any -> any any (msg: "STEALER [PTsecurity] ZIPThief"; flow: established, to_server; content: "POST"; http_method; urilen: 2<>10; content: "Content-Type|3A| application/octet-stream|3B| boundary=----"; http_raw_header; content: !"Referer"; http_header; content: "|504b 0304 1400|"; http_client_body; depth: 6; fast_pattern; pcre: "/.{24}([a-f]|\d){8}\-([a-f]|\d){4}\-([a-f]|\d){4}\-([a-f]|\d){4}\-([a-f]|\d){12}\.txt/PR"; reference: url, https://app.any.run/tasks/a74d0647-c3f7-44b0-b66b-bc4e7c2715c8; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010039; rev: 2;)
440
# SafeRAT. sid 10010258: the 14-byte first client message (client stream 15,
# server 1): a 4-byte little-endian length 0x0a, then "efaSnigoL" (the string
# "LoginSafe" reversed) and a NUL — 4 + 10 = 14.
441alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] SafeRAT"; flow: established, to_server; dsize: 14; stream_size: server, =, 1; stream_size: client, =, 15; content: "|0a 00 00 00|efaSnigoL|00|"; depth: 14; fast_pattern; reference: url, https://www.virustotal.com/gui/file/c226f1b68aecfe0efc2614882268041fc95ada881c930dd1e1fbc413f5727987; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010258; rev: 1;)
442
# sids 10010259/10010260: payload download GET /payload.bin (URI length exactly
# 12) with one of two verbatim raw header blocks — a Googlebot-style User-Agent
# or "WinHTTP Example/1.0" — starting "Connection: Keep-Alive" and reaching
# "Host:" within 120 bytes, fewer than 50 bytes after that, and no Referer or
# Accept headers.
443alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "LOADER [PTsecurity] SafeRAT"; flow: established, to_server; content: "GET"; http_method; urilen: 12; content: "/payload.bin"; http_uri; depth: 12; fast_pattern; content: "Connection: Keep-Alive|0d 0a|User-Agent: Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b| +http://www.google.com/bot.html)|0d 0a|Host:"; http_raw_header; depth: 120; isdataat: !50, relative; content: !"Referer|3a|"; http_header; content: !"Accept"; http_header; reference: url, https://www.virustotal.com/gui/file/c226f1b68aecfe0efc2614882268041fc95ada881c930dd1e1fbc413f5727987; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010259; rev: 1;)
444
445alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "LOADER [PTsecurity] SafeRAT"; flow: established, to_server; content: "GET"; http_method; urilen: 12; content: "/payload.bin"; http_uri; depth: 12; fast_pattern; content: "Connection: Keep-Alive|0d 0a|User-Agent: WinHTTP Example/1.0|0d 0a|Host:"; http_raw_header; depth: 120; isdataat: !50, relative; content: !"Referer|3a|"; http_header; content: !"Accept"; http_header; reference: url, https://www.virustotal.com/gui/file/c226f1b68aecfe0efc2614882268041fc95ada881c930dd1e1fbc413f5727987; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010260; rev: 1;)
446
# Ares stealer (python-requests User-Agent, gzip/deflate, no Referer), POST to a
# URI starting "/api/". sid 10010709: JSON body opening with {"username": (12
# bytes, depth 13) followed by "platform" and "hostname" keys and fewer than 30
# bytes after the last of them. sid 10010710: multipart upload whose first part
# is form field "uploaded" with filename "list.txt", within the first 120 bytes.
447alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "STEALER [PTsecurity] Ares"; flow: established, to_server; content: "POST"; http_method; content: "/api/"; http_uri; depth: 5; content: "Accept-Encoding: gzip, deflate"; http_header; content: "User-Agent: python-requests/"; http_header; content: "Content-Length:"; http_header; content: !"Referer"; http_header; content: "|7b 22|username|22|:"; http_client_body; depth: 13; content: "|22|platform|22|:"; http_client_body; distance: 0; content: "|22|hostname|22|:"; http_client_body; distance: 0; isdataat: !30, relative; reference: url, virustotal.com/gui/file/de4b4f2ec4489ffa873465683818b7db52bf914c3387dd1b84f2dd855a9a1171; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010709; rev: 1;)
448
449alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "STEALER [PTsecurity] Ares"; flow: established, to_server; content: "POST"; http_method; content: "/api/"; http_uri; depth: 5; content: "Accept-Encoding: gzip, deflate"; http_header; content: "User-Agent: python-requests/"; http_header; content: "Content-Length:"; http_header; content: "Content-Type: multipart/form-data|3b| boundary="; http_header; content: !"Referer"; http_header; content: "Content-Disposition: form-data|3b| name=|22|uploaded|22 3b| filename=|22|list.txt|22|"; http_client_body; depth: 120; reference: url, virustotal.com/gui/file/de4b4f2ec4489ffa873465683818b7db52bf914c3387dd1b84f2dd855a9a1171; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010710; rev: 3;)
450
# MetaStealer update poll: GET with a URI beginning "/avast_update" (13 bytes,
# depth 13 = prefix match) from a cpp-httplib User-Agent with
# "Connection: close", sent to a Host that does NOT contain "avast", with no
# Referer or Pragma headers.
451alert http any any -> any any (msg: "STEALER [PTsecurity] MetaStealer"; flow: established, to_server; content: "GET"; http_method; content: "/avast_update"; http_uri; depth: 13; fast_pattern; content: "Connection|3A| close"; http_header; content: "cpp-httplib/"; http_user_agent; content: !"avast"; http_host; content: !"Referer"; http_header; content: !"Pragma"; http_header; reference: md5, 37880a9cbdc396b07436de5a2e7bb25b; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010717; rev: 4;)
452
# RustMiner: GET whose header block contains the fixed sequence
# "Cache-Control: no-cache / Connection: Keep-Alive / Pragma: no-cache" followed
# later by a peculiar Accept header; no Referer; one alert per source per 120 s.
# NOTE(review): the Accept value contains runs of literal '?' characters. If
# those were produced by lossy transcoding of non-ASCII bytes when the rule was
# written, the content will never match the real header. Confirm against the
# referenced sandbox capture and, if so, express the bytes as |xx| hex.
453alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MINER [PTsecurity] RustMiner"; flow: established, to_server; content: "GET"; http_method; content: "Cache-Control: no-cache|0d 0a|Connection: Keep-Alive|0d 0a|Pragma: no-cache"; http_header; content: "Accept: */*, ???@, ??????????????"; http_header; distance: 0; content: !"Referer"; http_header; threshold: type limit, track by_src, seconds 120, count 1; reference: url, https://tria.ge/240111-fj6bzaehfl/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010726; rev: 1;)
454
# AdAptertrAin. Response (sid 10010801): "###%k###" within the first 16 server
# bytes, then a space followed by a dotted four-octet address-like string, then
# a closing "###%k###".
455alert tcp any any -> any any (msg: "BACKDOOR [PTsecurity] AdAptertrAin Response"; flow: established, to_client; content: "###%k###"; depth: 16; fast_pattern; pcre: "/\x20([0-9]{1,3}\.){3}[0-9]{1,3}/R"; content: "###%k###"; distance: 0; reference: url, https://tria.ge/240116-da7gkabfck/behavioral3; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010801; rev: 1;)
456
# Request (sid 10010802): client payload under 128 bytes whose entire content is
# "digits(XXX)digits(XXX)digits" with 0..6 digits per field (pcre anchored at
# both ends); the two "(XXX)" contents are pre-filters for the regex.
457alert tcp any any -> any any (msg: "BACKDOOR [PTsecurity] AdAptertrAin"; flow: established, to_server; dsize: <128; content: "(XXX)"; depth: 16; fast_pattern; content: "(XXX)"; distance: 0; pcre: "/^[0-9]{0,6}\x28[X]{3}\x29[0-9]{0,6}\x28[X]{3}\x29[0-9]{0,6}$/"; reference: url, https://tria.ge/240116-da7gkabfck/behavioral3; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010802; rev: 1;)
458
# VenomRAT server certificate: a DER SEQUENCE |30 82| within the first 300 bytes,
# the attribute-type OID |55 04 03| (id-at-commonName) within the first 600, and
# one byte later the DER length |08| plus the 8-byte value "VenomRAT" — i.e. a
# certificate whose CN is literally "VenomRAT". "from_server" selects the
# server's Certificate message.
459alert tls any any -> any any (msg: "REMOTE [PTsecurity] VenomRAT SSL certificate"; flow: established,from_server; content: "|3082|"; depth: 300; content: "|550403|"; depth: 600; content: "|08|VenomRAT"; distance: 1; within: 10; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010904; rev: 1;)
460
# CyberGate (flowbit CyberGate_rqs0). sid 10010929 ("Possible"): the first
# 4-byte client message (client stream 5, server < 3) is two ASCII digits in
# 20..49 followed by "|\n" (|7c 0a| at offset 2). It alerts itself (no noalert)
# and sets the bit. sid 10010930: a later client message of 26..44 bytes while
# the server has sent fewer than 10 bytes confirms and clears the bit. Both are
# limited to one alert per source per 120 s.
461alert tcp any any -> any any (msg: "REMOTE [PTsecurity] Possible CyberGate Request"; flow: established, to_server; stream_size: server, <, 3; stream_size: client, =, 5; dsize: 4; content: "|7c 0a|"; offset: 2; depth: 2; fast_pattern; pcre: "/^[2-4]{1}[0-9]{1}\x7c\x0a/"; threshold: type limit,track by_src,count 1,seconds 120; flowbits: set, CyberGate_rqs0; reference: url, https://www.virustotal.com/gui/file/289c546bff97b1f1c08c5bb2d58ec8073e4fdb3cb5e75215e0b9eaf18e8eb866/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010929; rev: 2;)
462
463alert tcp any any -> any any (msg: "REMOTE [PTsecurity] CyberGate Request"; flow: established, to_server; stream_size: server, <, 10; stream_size: client, <, 50; dsize: 25<>45; threshold: type limit,track by_src,count 1,seconds 120; flowbits: isset, CyberGate_rqs0; flowbits: unset, CyberGate_rqs0; reference: url, https://www.virustotal.com/gui/file/289c546bff97b1f1c08c5bb2d58ec8073e4fdb3cb5e75215e0b9eaf18e8eb866/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010930; rev: 2;)
464
# VxRAT: inspected on the reassembled client stream only (only_stream) while
# the client has sent 101..399 bytes and the server under 5. The first byte is
# 0x64..0xC7 (byte_test > 0x63 and < 0xC8), bytes 1..12 are eleven NULs and 'T',
# a |40 00| word and three |00 0a 00| markers follow at spaced offsets, and the
# stream later contains "DISPLAY" with interleaved NUL bytes (a 16-bit
# wide-character encoding), used as the fast pattern.
465alert tcp any any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] VxRAT"; flow: established, to_server, only_stream; stream_size: client, >, 100; stream_size: client, <, 400; stream_size: server, <, 5; byte_test: 1, >, 0x63, 0; byte_test: 1, <, 0xc8, 0; content: "|00 00 00 00 00 00 00 00 00 00 00 54|"; offset: 1; depth: 12; content: "|40 00|"; distance: 6; within: 32; content: "|00 0a 00|"; distance: 6; within: 80; content: "|00 0a 00|"; distance: 6; within: 80; content: "|00 0a 00|"; distance: 6; within: 80; content: "|00|D|00|I|00|S|00|P|00|L|00|A|00|Y|00|"; distance: 0; fast_pattern; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10010999; rev: 1;)
466
# Expiro: an early client message (client stream 51..79 bytes, server < 3)
# beginning with the fixed 12-byte header |17 00 00 00 af b0 f3 aa f1 98 b0 ff|.
467alert tcp any any -> $EXTERNAL_NET any (msg: "WORM [PTsecurity] Expiro"; flow: established, to_server; stream_size: client, <, 80; stream_size: client, >, 50; stream_size: server, <, 3; content: "|17 00 00 00 af b0 f3 aa f1 98 b0 ff|"; depth: 12; reference: url, https://tria.ge/240229-lbqt7scg95/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011031; rev: 1;)
468
# Grandoreiro: an HTTP request whose URI contains, in this order, the characters
# % , @ ) $ * and whose headers carry "Accept: */*", gzip Accept-Encoding and the
# "Clever Internet Suite" User-Agent, with no Referer.
# Style: declared as "alert tcp any any -> any any" with http_uri/http_header
# modifiers, unlike the neighbouring "alert http" rules. Suricata presumably
# still applies HTTP inspection here, but the protocol keyword should be made
# consistent with the rest of the file.
469alert tcp any any -> any any (msg: "SPYWARE [PTsecurity] Grandoreiro"; flow: established, to_server; content: "%"; http_uri; content: ","; http_uri; distance: 0; content: "@"; http_uri; distance: 0; content: ")"; http_uri; distance: 0; content: "$"; http_uri; distance: 0; content: "*"; http_uri; distance: 0; content: "Accept: */*"; http_header; content: "Accept-Encoding|3A| gzip"; http_header; content: "User-Agent|3A| Mozilla/4.0 (compatible|3B| Clever Internet Suite)"; http_header; content: !"Referer"; http_header; reference: url, https://app.any.run/tasks/cf1c73d6-a0e7-426f-b77a-b84e3302c3ae; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011166; rev: 2;)
470
# Trojan.Backdoor "echo" heartbeat: the first client message (client stream 17,
# server 1) starts with a fixed 16-byte prefix whose last 8 bytes are a 4-byte
# big-endian length 4 followed by the ASCII word "echo" (|00 00 00 04 65 63 68 6f|).
471alert tcp any any -> any any (msg: "BACKDOOR [PTsecurity] Trojan.Backdoor Echo Heartbeat"; flow: established, to_server; stream_size: client, =, 17; stream_size: server, =, 1; content: "|0000 78e3 0000 4f95 0000 0004 6563 686f|"; depth: 16; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011181; rev: 1;)
472
# Trojan.Banker (Portuguese-looking field names): form-urlencoded POST to a .php
# URI without a Referer. sid 10011254 requires the body to start with "titulo="
# (case-insensitive), "&texto=" within the next 100 bytes, then "Mac" and
# "Resolucao" further on, plus "Accept: text/html, */*". sid 10011251
# ("Possible") only requires the body to begin with "dados=".
473alert http any any -> any any (msg: "SPYWARE [PTsecurity] Trojan.Banker"; flow: established, to_server; http.method; content: "POST"; http.uri; content: ".php"; http.header; content: "Content-Type: application/x-www-form-urlencoded"; content: "Accept: text/html, */*"; content: !"Referer"; http.request_body; content: "titulo="; depth: 7; nocase; content: "&texto="; distance: 0; within: 100; nocase; content: "Mac"; distance: 0; nocase; content: "Resolucao"; distance: 0; nocase; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011254; rev: 1;)
474
475alert http any any -> any any (msg: "SPYWARE [PTsecurity] Possible Trojan.Banker"; flow: established, to_server; http.method; content: "POST"; http.uri; content: ".php"; http.header; content: !"Referer"; http.request_body; content: "dados="; depth: 6; reference: url, https://www.virustotal.com/gui/file/70d3b577620279fd2a2e6cb39e601e5c3342b375f0e53d8771ded26442bafeb9/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011251; rev: 1;)
476
# Remcos: a 301..449-byte client message to a non-HTTP port, sent while the
# client stream is under 451 bytes, beginning with a fixed 10-byte prefix.
# "threshold: type threshold, count 2, seconds 30" means the alert fires on the
# second matching packet to the same destination within 30 s, not the first.
477alert tcp any any -> any !$HTTP_PORTS (msg: "REMOTE [PTsecurity] Remcos"; flow: established, to_server; dsize: 300<>450; stream_size: client, <, 451; content: "|01 80 b0 a6 75 bd 32 15 1c 8e|"; depth: 10; threshold: type threshold, seconds 30, count 2, track by_dst; reference: url, https://www.virustotal.com/gui/file/7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011276; rev: 1;)
478
# Gh0st variant: a 201..399-byte first client message (server stream < 2) that
# starts |a1 a6 a0|, has one arbitrary byte, then a fixed 16-byte sequence at
# payload offset 4 (distance 1 / within 16 pins it exactly).
479alert tcp any any -> any any (msg: "REMOTE [PTsecurity] Gh0st"; flow: established, to_server; dsize: 200<>400; stream_size: server, <, 2; content: "|a1 a6 a0|"; depth: 3; content: "|8f 90 90 ac 92 90 90 bf 84 90 90 e8 0c a9 4f d0|"; distance: 1; within: 16; reference: url, https://tria.ge/240402-bd4hzaca7x/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011296; rev: 1;)
480
# Ryuk client heartbeat: a 29-byte first client message (client stream 30,
# server < 2) whose first 16 bytes are the constant "DK" |00 00| ... |11 45|.
481alert tcp any any -> any any (msg: "REMOTE [PTsecurity] Ryuk Client Heartbeat"; flow: established, to_server; dsize: 29; stream_size: client, =, 30; stream_size: server, <, 2; content: "|44 4b 00 00 29 af a3 d2 11 00 00 00 08 0a 11 45|"; depth: 16; reference: url, https://tria.ge/240331-f2rarsfa57/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011307; rev: 1;)
482
# Winnti: the literal marker "848923JNNWWAAV03" anywhere in the first 30 bytes of
# a client payload. No dsize or stream_size constraints, so this relies entirely
# on the 16-byte string's specificity.
483alert tcp any any -> any any (msg: "ROOTKIT [PTsecurity] Winnti"; flow: established, to_server; content: "848923JNNWWAAV03"; depth: 30; fast_pattern; reference: url, https://app.any.run/tasks/0e9aa891-01d3-42b4-aaea-63fa191a6dcb; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011352; rev: 1;)
484
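# CobaltStrike (ixwebsocket User-Agent with a "windows ssl" header): POST to a
# URI containing "/uploads/" followed by ".jpg?timestamp=", with gzip
# Accept-Encoding and a form-urlencoded Content-Type.
# The method check is scoped to the http.method buffer, as in every other HTTP
# rule in this file; a bare content "POST" would be searched in the raw payload
# at any offset instead of the request method. rev bumped for the change.
485alert http any any -> any any (msg: "SHELL [PTsecurity] CobaltStrike"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/uploads/"; content: ".jpg?timestamp="; distance: 0; http.header; content: "Accept-Encoding: gzip"; content: "User-Agent: ixwebsocket"; content: "windows ssl"; content: "Content-Type: application/x-www-form-urlencoded"; reference: url, https://www.virustotal.com/gui/file/bd3e5af30087dc60849da000412fb719825c7e06e4f75639b95f188407d26f96/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011361; rev: 3;)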
486
# XWorm: a 276-byte first client message (client stream 277, server < 3) framed
# as an ASCII decimal length plus NUL: "272" + |00| is 4 bytes and 4 + 272 = 276,
# the dsize. The same framing appears in the XWorm ping rules above.
487alert tcp any any -> any any (msg: "REMOTE [PTsecurity] XWorm"; flow: established, to_server; dsize: 276; stream_size: client, =, 277; stream_size: server, <, 3; content: "272|00|"; depth: 4; fast_pattern; reference: url, https://www.virustotal.com/gui/file/0ca479e1f8698b0ef5124d184309ce416a72407d0dc8cb017f02bb80f014a12d/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011368; rev: 1;)
488
# ZZSteal: POST to exactly "/upwawsfrg.php" (isdataat:!1 forbids further URI
# bytes), a cookie starting "SESSION=", an oddly spaced Firefox 108 User-Agent
# (fast pattern), "Expect: 100-continue", form-urlencoded Content-Type, no
# Referer; the body begins "Name=" with "&dataFile=" starting 5..34 bytes later.
489alert http any any -> any any (msg: "STEALER [PTsecurity] ZZSteal"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/upwawsfrg.php"; isdataat: !1, relative; http.cookie; content: "SESSION="; depth: 8; http.header; content: "Content-Type: application/x-www-form-urlencoded"; content: "User-Agent: Mozilla / 5.0(Windows NT 10.0|3b| Win64|3b| x64|3b| rv: 108.0) Gecko / 20100101 Firefox / 108.0"; fast_pattern; content: "Expect: 100-continue"; content: !"Referer"; http.request_body; content: "Name="; depth: 5; content: "&dataFile="; distance: 5; within: 30; reference: url, https://tria.ge/240403-pm36fsda7z/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011385; rev: 1;)
490
# DBatLoader: a 51..99-byte first client message (server stream 1, client under
# 100) beginning "pyCode - " (9 bytes, depth 9), later " | Windows", another
# " | " separator and a further space — a pipe-delimited host profile line.
491alert tcp any any -> any any (msg: "LOADER [PTsecurity] DBatLoader"; flow: established, to_server; stream_size: client, <, 100; stream_size: server, =, 1; dsize: 50<>100; content: "pyCode|20 2d 20|"; depth: 9; fast_pattern; content: "|20 7c 20|Windows"; distance: 0; content: "|20 7c 20|"; distance: 0; content: "|20|"; distance: 0; reference: url, https://www.joesandbox.com/analysis/1347377; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011485; rev: 1;)
492
# APT Patchwork backdoors. RustyNet (sids 10011588 and 10011590): form-urlencoded
# POST to a URI ending in ".php" (endswith), no Referer, body beginning either
# "simpleid=" ... "&fiiir=" ... "&uqid=" (with "Expect: 100-continue") or
# "uuiddsd=" ... "&uqid=".
493alert http any any -> any any (msg: "BACKDOOR [PTsecurity] RustyNet (APT Patchwork)"; flow: established, to_server; http.method; content: "POST"; http.uri; content: ".php"; endswith; http.header; content: "Content-Type: application/x-www-form-urlencoded"; content: "Expect: 100-continue"; content: !"Referer"; http.request_body; content: "simpleid="; depth: 9; fast_pattern; content: "&fiiir="; distance: 0; content: "&uqid="; distance: 0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011588; rev: 1;)
494
# sid 10011589: form-urlencoded POST with "Cache-Control: no-cache", no Referer,
# and a body "umnome=...&pmjodf=...&idkdfjej=...&cokenme=...". The leading pcre
# with the V modifier constrains an HTTP sticky buffer (User-Agent, per
# Suricata's pcre modifier table — confirm) to 10..40 lowercase letters only.
495alert http any any -> any any (msg: "BACKDOOR [PTsecurity] Trojan.Backdoor (APT Patchwork)"; flow: established, to_server; pcre: "/^[a-z]{10,40}$/V"; http.method; content: "POST"; http.header; content: "Content-Type: application/x-www-form-urlencoded"; content: "Cache-Control: no-cache"; content: !"Referer"; http.request_body; content: "umnome="; depth: 7; fast_pattern; content: "&pmjodf="; distance: 0; content: "&idkdfjej="; distance: 0; content: "&cokenme="; distance: 0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011589; rev: 1;)
496
497alert http any any -> any any (msg: "BACKDOOR [PTsecurity] RustyNet (APT Patchwork)"; flow: established, to_server; http.method; content: "POST"; http.uri; content: ".php"; endswith; http.header; content: "Content-Type: application/x-www-form-urlencoded"; content: !"Referer"; http.request_body; content: "uuiddsd="; depth: 8; fast_pattern; content: "&uqid="; distance: 0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011590; rev: 1;)
498
# XWorm: a 292-byte first client message (client stream 293, server < 3) with the
# same ASCII-length framing as sid 10011368: "288" + |00| is 4 bytes, 4 + 288 = 292.
499alert tcp any any -> any any (msg: "REMOTE [PTsecurity] XWorm"; flow: established, to_server; dsize: 292; stream_size: client, =, 293; stream_size: server, <, 3; content: "288|00|"; depth: 4; fast_pattern; reference: url, https://app.any.run/tasks/11cc1312-a965-460f-8c68-4316a749b71e; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011633; rev: 1;)
500
501alert http any any -> any any (msg: "LOADER [PTsecurity] Latrodectus"; flow: established, to_server; http.method; content: "POST"; urilen: >7; http.header; content: "User-Agent: Mozilla/5.0 (Windows NT 10.0|3b| Win64|3b| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"; content: "Connection: Keep-Alive"; content: "Cache-Control: no-cache"; content: !"Referer"; http.request_body; content: "393b03dfe0772d1d5cbdd183c97f7ce6"; depth: 32; fast_pattern; reference: url, https://app.any.run/tasks/4081d674-449f-4a16-9710-13f1a6236c3c; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011642; rev: 1;)
502
503alert http any any -> any any (msg: "REMOTE [PTsecurity] 9002RAT"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/?q="; depth: 4; isdataat: 7, relative; isdataat: !9, relative; pcre: "/^\/\?q=[a-f0-9]{8}$/U"; http.header; content: "User-Agent: User-Agent:Mozilla/5.0 (Windows NT 10.0|3b| Win64|3b| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537."; fast_pattern; content: "Cache-Control: no-cache"; content: !"Referer"; reference: url, https://www.virustotal.com/gui/file/28808164363d221ceb9cc48f7d9dbff8ba3fc5c562f5bea9fa3176df5dd7a41e/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011655; rev: 1;)
504
505alert tcp any any -> any any (msg: "REMOTE [PTsecurity] Crimson (APT TransparentTribe)"; flow: established, to_server; stream_size: server, <, 30; stream_size: server, >, 15; stream_size: client, <, 200; content: "|00 00 00 00|iny"; offset: 1; depth: 7; fast_pattern; content: "|3d|"; distance: 3; content: "|00 00 00 7c|"; distance: 3; content: "|7c|"; distance: 3; content: "|7c|"; distance: 0; content: "|7c|"; distance: 0; content: "|7c|"; distance: 0; reference: url, https://www.virustotal.com/gui/file/e87978f0af9bb550ab4686a7d3657e6cbfd92347744dfce8ff2321781ac2eee0/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011664; rev: 2;)
506
507alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] PhantomRAT (APT PhantomCore)"; flow: established, to_server; stream_size: server, =, 1; stream_size: client, >, 260; dsize: 190<>512; content: "{|22|Uuid|22|"; distance: 0; content: "|22|Hostname|22|"; distance: 0; content: "|22|Username|22|"; distance: 0; content: "|22|LocalIp|22|"; distance: 0; content: "|22|PublicIp|22|"; distance: 0; content: "|22|Os|22|"; distance: 0; content: "}"; endswith; reference: url, https://www.virustotal.com/gui/file/5d924a9ab2774120c4d45a386272287997fd7e6708be47fb93a4cad271f32a03/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011867; rev: 2;)
508
509alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "LOADER [PTsecurity] PhantomDL (APT PhantomCore)"; flow: established, to_server; stream_size: server, =, 1; stream_size: client, >, 150; dsize: 85<>120; content: "{|22|Id|22|"; content: "|22|Domain|22|"; distance: 0; content: "}"; endswith; reference: url, https://app.any.run/tasks/9fff9dbd-075d-47fd-a265-3dae5d6977dd/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011868; rev: 1;)
510
511alert http any any -> any any (msg: "LOADER [PTsecurity] SafeRAT FB set SafeRAT_loader"; flow: established, to_server; http.method; content: "GET"; http.uri; content: "/"; startswith; pcre: "/^([a-zA-Z]{1,10}\.txt|payload\.bin)$/UR"; http.header_names; content: "|0d 0a|Connection|0d 0a|Host|0d 0a 0d 0a|"; content: !"Content"; content: !"Accept"; content: !"User-Agent"; content: !"Referer"; flowbits: set, SafeRAT_loader; flowbits: noalert; reference: url, https://www.virustotal.com/gui/file/859e09a10260c646d2864c1f718c551ea566e8612f47979e6de4076c480c8cbc/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011879; rev: 1;)
512
513alert http any any -> any any (msg: "LOADER [PTsecurity] SafeRAT"; flow: established, to_client; http.stat_code; content: "200"; http.header; content: "Content-Type"; content: "Accept-Ranges: bytes"; content: "Content-Disposition"; http.response_body; content: "UVWATAUAVAWH"; offset: 5; depth: 12; flowbits: isset, SafeRAT_loader; flowbits: unset, SafeRAT_loader; reference: url, https://www.virustotal.com/gui/file/859e09a10260c646d2864c1f718c551ea566e8612f47979e6de4076c480c8cbc/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011880; rev: 1;)
514
515alert http any any -> any any (msg: "REMOTE [PTsecurity] PhantomRAT (APT PhantomCore)"; flow: established, to_server; http.method; content: "POST"; http.header; content: "User-Agent: Boost.Beast"; content: "Content-Type: application/json"; content: !"Referer"; http.request_body; content: "{|22|BuildName|22|:|22|"; startswith; content: "|22|Domain|22|:"; distance: 0; content: "|22|Hostname|22|:"; distance: 0; content: "|22|Os|22|:"; distance: 0; content: "|22|Username|22|:"; distance: 0; content: "|22|Uuid|22|:"; distance: 0; reference: url, https://www.virustotal.com/gui/file/dca85252d885882fb5eb38d21d48c44012f769a631114ea0c4bfc0f423d82c60/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011947; rev: 1;)
516
517alert tcp any any -> any any (msg: "REMOTE [PTsecurity] Nerbian"; flow: established, to_client; stream_size: client, <, 501; stream_size: client, >, 100; stream_size: server, <, 501; stream_size: server, >, 100; content: "4r3f"; depth: 4; fast_pattern; content: "|01 00 00|"; distance: 1; within: 3; threshold: type limit, track by_src, count 1, seconds 120; reference: url, https://www.virustotal.com/gui/file/19e0aab36e15ddb57e684748ac73dbced7d08e35c5950fe53a3b4011cba1f7ac/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10011998; rev: 1;)
518
519alert tcp any any -> any any (msg: "LOADER [PTsecurity] AllaKore"; flow: established, to_server; dsize: 100<>200; stream_size: server, <, 2; stream_size: client, <, 201; base64_decode: bytes 100; base64_data; content: "pyCodeV16"; depth: 9; content: "*NEW"; distance: 0; content: "|20 7c 20|"; distance: 0; content: "|20 7c 20|"; distance: 0; reference: url, https://tria.ge/240918-mvh45swfkf/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012001; rev: 1;)
520
521alert tcp any any -> any any (msg: "LOADER [PTsecurity] PrivateLoader FB set priloader_2st_client_pkt"; flow: established, to_server; stream_size: client, =, 29; stream_size: server, =, 9; content: "|10 00 00 00|"; depth: 4; flowbits: set, priloader_2st_client_pkt; flowbits: noalert; reference: url, https://tria.ge/240924-seflzatcpg/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012029; rev: 1;)
522
523alert tcp any any -> any any (msg: "LOADER [PTsecurity] PrivateLoader"; flow: established, to_client; stream_size: client, =, 45; stream_size: server, =, 13; content: "|10 00 00 00|"; depth: 4; flowbits: isset, priloader_2st_client_pkt; flowbits: unset, priloader_2st_client_pkt; reference: url, https://tria.ge/240924-seflzatcpg/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012030; rev: 1;)
524
525alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] XWorm"; flow: established, to_server; stream_size: client, =, 181; stream_size: server, =, 1; dsize: 180; content: "176|00|"; depth: 4; isdataat: 175, relative; isdataat: !176, relative; flowbits: set, xworm_blocksize176; reference: url, https://tria.ge/240905-yktnnsybjk/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012051; rev: 1;)
526
527alert tcp any any -> any any (msg: "LOADER [PTsecurity] Jalapeno"; flow: established, to_client; stream_size: client, =, 1; stream_size: server, =, 117; dsize: 116; content: "END$$$$$"; endswith; reference: url, https://tria.ge/240921-1zgzjawgkn/behavioral2; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012053; rev: 1;)
528
529alert tcp any any -> any any (msg: "REMOTE [PTsecurity] Nanocore request"; flow: established, to_server; stream_size: client, >, 32; stream_size: client, <, 64; content: !"|20|"; byte_test: 1, >, 0x10, 0; byte_test: 1, <, 0x1f, 0; content: "|00 00 00|"; offset: 1; depth: 3; content: !"|00|"; within: 16; content: "|16 00 00 00|opqrs"; distance: 12; within: 31; content: !"|00|"; distance: 0; threshold: type limit, track by_dst, count 1, seconds 120; reference: url, https://app.any.run/tasks/d154d1eb-f4fb-4815-a9b3-b049425f08ec; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012062; rev: 3;)
530
531alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] Slam V2.0 screenshot exfiltration"; flow: established, to_server; dsize: 35<>50; content: "SCREENSHOT*screen.jpg*"; startswith; byte_test: 2, >, 0x3030, 0, relative; byte_test: 2, <, 0x4040, 0, relative; content: "*"; distance: 0; threshold: type limit, track by_dst, count 2, seconds 240; reference: url, https://tria.ge/240915-bxx6asydpm/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012075; rev: 1;)
532
533alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "REMOTE [PTsecurity] Slam V2.0 FB set slam_ping"; flow: established, to_client; dsize: 8<>17; content: "?PING"; endswith; flowbits: set, slam_ping; flowbits: noalert; reference: url, https://tria.ge/240915-bxx6asydpm/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012076; rev: 1;)
534
535alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] Slam V2.0 ping-pong"; flow: established, to_server; dsize: 8<>17; content: "PONG#"; startswith; content: "#"; endswith; flowbits: isset, slam_ping; flowbits: unset, slam_ping; threshold: type limit, track by_dst, count 2, seconds 240; reference: url, https://tria.ge/240915-bxx6asydpm/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012077; rev: 1;)
536
537alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "REMOTE [PTsecurity] Slam V2.0 checkin"; flow: established, to_server; dsize: 32<>81; content: "SetInfo#"; startswith; content: "Encrypted"; distance: 0; nocase; fast_pattern; content: "#"; endswith; reference: url, https://tria.ge/240915-bxx6asydpm/behavioral1; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012078; rev: 1;)
538
539alert tcp any any -> any any (msg: "STEALER [PTsecurity] WorldWind checkin"; flow: established, to_server; stream_size: client, <, 80; stream_size: server, =, 1; content: "|46 00 00 00|"; startswith; fast_pattern; content: "{|22|id|22 3a| 0"; within: 8; content: "|22|hwid|22 3a|"; within: 10; content: !"|20|"; distance: 2; within: 32; content: "|22|country|22 3a|"; distance: 32; content: !","; distance: 0; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012099; rev: 1;)
540
541alert tcp any any -> any any (msg: "STEALER [PTsecurity] WorldWind exfiltration"; flow: established, to_server; stream_size: server, =, 1; content: !"|00 00|"; depth: 2; content: "|00 00|"; offset: 2; depth: 2; content: "{|22|id|22 3a|"; within: 8; content: "|22|filename|22 3a|"; within: 16; content: ".txt"; within: 24; content: "|22|content|22 3a|"; within: 16; content: !"|20|"; distance: 1; content: !","; distance: 0; content: !"."; distance: 0; content: !"|00|"; distance: 0; reference: url, https://www.virustotal.com/gui/file/84d52de2b69e14f26259da07297e02eb2c4ac32045a690f65a267fe931da0433/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012100; rev: 1;)
542
543alert http any any -> any any (msg: "KEYLOGGER [PTsecurity] SnakeKeylogger exfiltration via Telegram"; flow: established, to_server; http.method; content: "GET"; http.uri; content: "/bot/sendMessage?chat_id="; startswith; content: "&text="; distance: 0; content: "PC Name|3a|"; within: 16; fast_pattern; content: "Country Name|3a|"; distance: 0; content: "Clicked on the File"; distance: 0; http.host; content: "api.telegram.org"; startswith; isdataat: !1, relative; threshold: type limit, track by_dst, count 1, seconds 120; reference: url, https://www.virustotal.com/gui/file/bcade8f76366bc86315e2775770083a82a5f1ca9344d03be5ef52616dcceaea8/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012139; rev: 1;)
544
545alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg: "KEYLOGGER [PTsecurity] SnakeKeylogger exfiltration via SMTP"; flow: established, to_server; content: "Subject|3a| Pc Name|3a|"; content: "|2f| VIP Recovery |5c|"; within: 48; threshold: type limit, track by_dst, count 1, seconds 120; reference: url, https://www.virustotal.com/gui/file/bcade8f76366bc86315e2775770083a82a5f1ca9344d03be5ef52616dcceaea8/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012140; rev: 1;)
546
547alert tcp any any -> any any (msg: "LOADER [PTsecurity] Bumblebee"; flow: established, to_server; dsize: 100<>200; stream_size: server, <, 2; stream_size: client, <, 201; content: "alcon|22 fe 94 63 4a 56|"; offset: 1; depth: 11; reference: url, https://www.virustotal.com/gui/file/c26344bfd07b871dd9f6bd7c71275216e18be265e91e5d0800348e8aa06543f9/detection; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012145; rev: 1;)
548
549alert http any any -> any any (msg: "STEALER [PTsecurity] Trojan.Stealer"; flow: established, to_server; http.method; content: "POST"; http.header; content: "Accept-Encoding: identity"; content: "User-Agent: Python-urllib/"; content: "Content-Type: application/x-www-form-urlencoded"; content: "Connection: close"; content: !"Referer"; http.request_body; content: "Image Name"; content: "PID"; distance: 0; content: "Session Name"; distance: 0; content: "Session#"; distance: 0; fast_pattern; content: "Mem Usage"; distance: 0; reference: url, cyble.com/blog/silent-intrusion-unraveling-the-sophisticated-attack-leveraging-vs-code-for-unauthorized-access/; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012179; rev: 1;)
550
551alert http any any -> any any (msg: "STEALER [PTsecurity] XavierEra"; flow: established, to_server; http.method; content: "POST"; http.uri; content: "/pip/x/requirements.php"; endswith; http.header; content: "User-Agent: python-requests/"; content: "Accept-Encoding: gzip, deflate, br"; content: "Content-Type: multipart/form-data|3b| boundary="; content: !"Referer"; http.request_body; content: "|50 4b|"; depth: 150; content: "Cookies"; distance: 0; content: "_Default_PASS"; distance: 0; fast_pattern; reference: url, https://app.any.run/tasks/d914b17f-c258-4522-9370-bd972106fa04; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10012300; rev: 1;)