# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules"). The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved. All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights). In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: backdoor.rules,v 1.75.6.44 2010/02/23 17:22:56 vrtbuild Exp $
#---------------
# BACKDOOR RULES
#---------------
#



# NetBus 1.x. sid:109 matches the server banner ("NetBus <major>.<minor>")
# coming from any $HOME_NET port >= 1024; the pcre is anchored at payload
# start, so the banner has to open the packet. sid:110 matches the client's
# "GetInfo\r" command inbound to the well-known ports 12345-12346.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; depth:6; nocase; pcre:"/^NetBus\s+\d+\x2E\d+/smi"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/file-backdoor-netbus-12-exe.html; classtype:trojan-activity; sid:109; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; metadata:policy security-ips drop; reference:arachnids,403; classtype:trojan-activity; sid:110; rev:6;)


# NetBus Pro 2.0 on TCP 20034, written as a two-stage flowbits pair: sid:3009
# sets backdoor.netbus_2.connect on the client hello without alerting
# (flowbits:noalert); sid:115 alerts only when that bit is already set and the
# server answers with the matching "BN" header. The two rules must be enabled
# together - with sid:3009 disabled, sid:115 can never fire.
alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; sid:3009; rev:3;)
alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; metadata:policy security-ips drop; classtype:trojan-activity; sid:115; rev:11;)


# DeepThroat 3.1 over UDP. The default listener is 2140; 3150 and 4120 are
# alternate listeners and get their own copies of the pair below.
# Each pair is a client "connection attempt" (to_server) plus the server's
# "Ahhhh My Mouth Is Open" reply (to_client).
# NOTE(review): the connection-attempt rules use content:"00" without hex
# pipes, so they match the two ASCII characters '0','0', not two NUL bytes;
# if NUL bytes were intended the content would read |00 00| - confirm against
# a capture before relying on sid:1980/1983.
# The 3150 connection-attempt rule (sid:1981) is disabled below; only the
# 3150 server-response rule (sid:1982) is active for that port.
alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; flow:to_server; content:"00"; depth:2; metadata:policy security-ips drop; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1980; rev:7;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:policy security-ips drop; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:195; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; flow:to_server; content:"00"; depth:2; metadata:policy security-ips drop; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1981; rev:7;)
alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:policy security-ips drop; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1982; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; flow:to_server; content:"00"; depth:2; metadata:policy security-ips drop; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1983; rev:6;)
alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:policy security-ips drop; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1984; rev:6;)


# Doly Trojan server greetings: 2.0 on TCP 6789 ("Wtzup Use", within the
# first 32 bytes), 1.5 on TCP 1015 ("Connected."). sid:1985's string is short
# and carries no depth, so any other service answering on 1015 with that word
# will trigger it - check what is actually listening on the port before
# escalating a hit.
alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; metadata:policy security-ips drop; reference:arachnids,312; classtype:misc-activity; sid:119; rev:6;)
alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; content:"Connected."; metadata:policy security-ips drop; classtype:trojan-activity; sid:1985; rev:3;)


# Dagger 1.4.0: the server's 16-byte "Drives$" response from TCP 2589 to an
# ephemeral (>= 1024) client port. QAZ worm: the hard-coded "qazwsx.hsq" login
# string sent to its TCP 7597 listener.
alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; metadata:policy security-ips drop; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:105; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; metadata:policy security-ips drop; reference:mcafee,98775; classtype:misc-activity; sid:108; rev:8;)


# Infector 1.x and Satan's Backdoor 2.0 beta.
# sid:117 is deliberately broad - $HOME_NET any -> $EXTERNAL_NET any with an
# unanchored "WHATISIT" - so it covers servers bound to arbitrary ports at
# the cost of precision; it is enabled in all three policies.
# sid:121 narrows the 1.6 client by its source-port range (1000:1300) and the
# "FC " command to the TCP 146 listener.
# sid:118 requires the "Remote: " prefix within the first 11 bytes and then
# the full greeting, which keeps it specific.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR Infector.1.x"; flow:established,from_server; content:"WHATISIT"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:arachnids,315; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:117; rev:10;)
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:from_server,established; content:"Remote|3A| "; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands"; distance:0; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:8;)
alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:121; rev:10;)

# HackAttack 1.20: a bare, unanchored "host" from TCP 31785 is a weak content
# match on its own; the server port is the real discriminator, so review hits
# against what is listening there.
alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; metadata:policy security-ips drop; classtype:misc-activity; sid:141; rev:6;)

# Assorted Windows backdoors, mostly identified by the server greeting on a
# fixed port. Points worth knowing when triaging:
#  - sid:145 (GirlFriend) excludes source port 80 (!80), so HTTP replies
#    landing on 21554 are ignored.
#  - sid:147 (GateCrasher) stacks several content matches and a pcre anchored
#    at payload start ("GateCrasher v<ver>, Server On-Line...").
#  - sid:152 (BackConstruction) matches only "c:\" - a very common string, so
#    expect noise from anything else on 5401-5402.
#  - sid:161/162 (Matrix, UDP) are both written flow:to_server; sid:162 looks
#    for the "logged in" text on the reverse port pair (3345 -> 3344).
#  - sid:163 (WinCrash) is flow:stateless with flags:SA,12 - it matches the
#    SYN/ACK itself (the ,12 mask ignores the two ECN/reserved bits), so it
#    fires without any established session.
#  - sid:185 (CDK) watches the finger port, 79, for the "ypi0ca" password.
alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; metadata:policy security-ips drop; reference:arachnids,98; classtype:misc-activity; sid:145; rev:6;)
alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; metadata:policy security-ips drop; reference:arachnids,76; classtype:trojan-activity; sid:146; rev:8;)
alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher"; depth:11; nocase; content:"Server"; distance:0; nocase; content:"On-Line..."; distance:0; nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:147; rev:7;)
alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A 5C|"; metadata:policy security-ips drop; classtype:misc-activity; sid:152; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; metadata:policy security-ips drop; classtype:misc-activity; sid:157; rev:6;)
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; metadata:policy security-ips drop; classtype:misc-activity; sid:158; rev:6;)
alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; flow:to_server; content:"activate"; metadata:policy security-ips drop; reference:arachnids,83; classtype:misc-activity; sid:161; rev:6;)
alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; flow:to_server; content:"logged in"; metadata:policy security-ips drop; reference:arachnids,83; classtype:misc-activity; sid:162; rev:6;)
alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; metadata:policy security-ips drop; reference:arachnids,36; classtype:misc-activity; sid:163; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; metadata:policy security-ips drop; reference:arachnids,263; classtype:misc-activity; sid:185; rev:6;)


# PhaseZero server banner (TCP 555), then a block of telnet keyword rules.
# sid:209-220 each match one short, unanchored token anywhere in the
# client-to-server side of a telnet session to $TELNET_SERVERS:23 -
# "backdoor", "r00t", "rewt", "friday", "wank" and the like. They will fire
# on ordinary interactive sessions that merely contain the word, so treat a
# hit as a reason to pull the session transcript rather than as proof of a
# rootkit login, and expect to tune them wherever telnet is still in use.
# sid:614 (hack-a-tack) is stateless and matches a single byte ("A",
# depth:1) on the 31790 -> 31789 port pair, so it is effectively a port-pair
# detector.
# sid:1853 (win-trin00) keys on the 14-byte DDoS agent hello to UDP 35555 and
# is enabled in the balanced policy as well.
alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse zero server"; depth:17; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539; classtype:trojan-activity; sid:208; rev:8;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; metadata:policy security-ips drop; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:5;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; metadata:policy security-ips drop; classtype:attempted-admin; sid:210; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; metadata:policy security-ips drop; classtype:attempted-admin; sid:211; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; metadata:policy security-ips drop; classtype:attempted-admin; sid:212; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; metadata:policy security-ips drop; classtype:attempted-admin; sid:213; rev:5;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; metadata:policy security-ips drop; classtype:attempted-admin; sid:214; rev:5;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; metadata:policy security-ips drop; classtype:attempted-admin; sid:215; rev:5;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; metadata:policy security-ips drop; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:7;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; metadata:policy security-ips drop; classtype:attempted-admin; sid:217; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; metadata:policy security-ips drop; classtype:attempted-user; sid:218; rev:5;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; metadata:policy security-ips drop; classtype:misc-activity; sid:219; rev:7;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; metadata:policy security-ips drop; classtype:misc-activity; sid:220; rev:7;)
alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; metadata:policy security-ips drop; reference:arachnids,314; classtype:attempted-recon; sid:614; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"BACKDOOR win-trin00 connection attempt"; flow:to_server; content:"png []..Ks l44"; depth:14; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:9;)


# NOTES: the trinity "!@#" handshake (|23| is '#') must appear within the
# first 3 bytes of the connection - sid:1843 uses depth:3, so it misses the
# handshake if anything precedes it. The rule is enabled in all three
# policies.
# sid:2100 (SubSeven 2.1 Gold) matches the server's "connected. time/date: "
# greeting within the first 22 bytes on any port, followed one byte later by
# "version: GOLD 2.1".
alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; metadata:policy security-ips drop; reference:mcafee,10566; reference:nessus,10409; classtype:trojan-activity; sid:2100; rev:8;)

# sid:2124: fixed 12-byte Remote PC Access hello inbound to TCP 34012.
# sid:2271 (FsSniffer): the "RemoteNC Control Password:" prompt sent from a
# $HOME_NET host toward an external server it connected to; enabled in all
# three policies. A hit means an internal host is already talking the
# backdoor's protocol, so prioritise it over the inbound "attempt" rules.
# sid:2375 (DoomJuice / mydoom.a): the 5-byte magic that precedes an
# upload/execute request on the mydoom listener range 3127-3199; enabled in
# all three policies.
# sid:989: request for /sensepost.exe on $HTTP_SERVERS:$HTTP_PORTS
# (uricontent, case-insensitive).
alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"BACKDOOR Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; metadata:policy security-ips drop; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"BACKDOOR DoomJuice/mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BACKDOOR sensepost.exe command shell attempt"; flow:to_server,established; uricontent:"/sensepost.exe"; nocase; metadata:policy security-ips drop; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:12;)


# RUX the Tick commands inbound to its TCP 22222 listener: WINDIR / SYSDIR
# directory queries and the "ABCJZDATEIV" upload/execute command. Each is
# anchored at payload start by a depth equal to the command length, and all
# three are enabled in every policy despite the misc-activity classtype.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get windows directory attempt"; flow:to_server,established; content:"WINDIR"; depth:6; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3010; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get system directory attempt"; flow:to_server,established; content:"SYSDIR"; depth:6; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3011; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick upload/execute arbitrary file attempt"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3012; rev:3;)

# Asylum 0.1 on TCP 23432, a two-stage flowbits pair: sid:3013 silently sets
# backdoor.asylum.connect on the client's "RQS"; sid:3014 alerts on the
# server's "GNT" only if that bit is set. Keep both enabled together.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"BACKDOOR Asylum 0.1 connection request"; flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3013; rev:4;)
alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"BACKDOOR Asylum 0.1 connection established"; flow:from_server,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3014; rev:5;)

# Insane Network 4.0 server banner, identical content on its two listener
# ports (2000 and 63536). Note the line terminators in the content are
# LF then CR (|0A 0D|), not CRLF - presumably matching what the tool emits;
# do not "correct" them without a capture.
alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3015; rev:5;)
alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established port 63536"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3016; rev:5;)

# Vampire 1.2 on TCP 1020, a two-stage flowbits pair: sid:3063 silently sets
# backdoor.vampire_12.connect on the client's "Hello..."; sid:3064 alerts on
# the server's "Vampire v1.2 Server On-Line....." banner only when the bit is
# set. Keep both enabled together.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; sid:3063; rev:3;)
alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"BACKDOOR Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; metadata:policy security-ips drop; classtype:misc-activity; sid:3064; rev:3;)


# Y3KRAT 1.5 on TCP 5880, a three-stage flowbits chain: sid:3081 sets
# backdoor.y3krat_15.connect on the server's "connected" (noalert);
# sid:3082 requires it and sets backdoor.y3krat_15.client.response on the
# client's "getclient" (noalert); sid:3083 requires that second bit and is
# the only stage that alerts. Disabling either earlier stage silences the
# whole chain.
# NOTE(review): sid:3083 writes `flow:from_server, established` with a space
# after the comma, unlike every other rule in this file; the parser is
# expected to tolerate it, but normalise it on the next revision.
# sid:3155: Back Orifice 2000 inbound to TCP 31337 (unanchored 5-byte
# content). sid:3635 / sid:3636: Amanda 2.0 and Crazzy Net 5.0 server
# banners on 23032 and 17499.
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connect"; flow:from_server,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3081; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; flowbits:isset,backdoor.y3krat_15.connect; content:"getclient"; depth:9; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3082; rev:4;)
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:from_server, established; flowbits:isset,backdoor.y3krat_15.client.response; content:"client"; depth:7; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:3083; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; metadata:policy security-ips drop; classtype:trojan-activity; sid:3155; rev:3;)
alert tcp $HOME_NET 23032 -> $EXTERNAL_NET any (msg:"BACKDOOR Amanda 2.0 connection established"; flow:from_server,established; content:"Connected To Amanda 2.0"; depth:23; metadata:policy security-ips drop; classtype:trojan-activity; sid:3635; rev:3;)
alert tcp $HOME_NET 17499 -> $EXTERNAL_NET any (msg:"BACKDOOR Crazzy Net 5.0 connection established"; flow:from_server,established; content:"Crazzynet"; depth:9; metadata:policy security-ips drop; classtype:trojan-activity; sid:3636; rev:2;)
# "runtime detection" rules: most are one half of a flowbits pair, and for
# several of them the other half is not in this part of the file - check the
# whole file before assuming a setter or consumer exists.
# sid:6076: amiboide uploader init string (tab-separated fields, |09|).
alert tcp $EXTERNAL_NET any -> $HOME_NET 1204 (msg:"BACKDOOR amiboide uploader runtime detection - init connection"; flow:to_server,established; content:"23L'esclave|09|49152|09|65535"; depth:23; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088579; classtype:trojan-activity; sid:6076; rev:2;)
# alvgus 2000 over UDP 27184: sid:6101 and sid:6097 only set flowbits
# (noalert) and share the same msg. Alvgus_CheckServer is consumed by
# sid:6098 further down; the consumer of Alvgus_ExecuteCommand is not in
# this part of the file. Being UDP, the bit has to be set and read on the
# same tracked address/port pair - presumably relying on Snort's UDP session
# tracking; verify it is enabled.
alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"fe"; depth:2; nocase; flowbits:set,Alvgus_ExecuteCommand; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6101; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"st"; depth:2; nocase; flowbits:set,Alvgus_CheckServer; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6097; rev:3;)
# sid:6172 requires CookieMonster_GetVersionInfo; its setter is not visible
# here.
alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR cookie monster 0.24 runtime detection - get version info"; flow:from_server,established; flowbits:isset,CookieMonster_GetVersionInfo; content:"Cookie"; content:"Monster"; distance:0; content:"server"; distance:0; content:"engine"; distance:0; pcre:"/Cookie\s+Monster\s+server\s+engine/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262; classtype:trojan-activity; sid:6172; rev:2;)
# sid:6145 (mantis notify, stage 2) is disabled. It both consumes
# Mantis_Notify1 and sets Mantis_Notify2, so any rule keyed on
# Mantis_Notify2 is dead for as long as this stays commented out.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR mantis runtime detection - sent notify option server-to-client"; flow:from_server,established; flowbits:isset,Mantis_Notify1; content:"sendsubject"; depth:11; nocase; flowbits:set,Mantis_Notify2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6145; rev:5;)
# sid:6044 silently sets fear_0_2.conn.1; the consumer is not visible here.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR fear 0.2 runtime detection - initial connection"; flow:from_server,established; content:"QTAze1l9"; depth:8; nocase; flowbits:set,fear_0_2.conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6044; rev:3;)
# sid:6109 requires backdoor.dagger.1.1.40.conn; setter not visible here.
alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any (msg:"BACKDOOR dagger v1.1.40 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.dagger.1.1.40.conn; content:"|07 00 00 00 03 00 00 00|Yes"; depth:11; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1641; classtype:trojan-activity; sid:6109; rev:2;)
# sid:6181 is the alerting half of the netraider pair; the bit is set by
# sid:6180 (client "NSClient-sPISPJ99", further down).
alert tcp $HOME_NET 57341 -> $EXTERNAL_NET any (msg:"BACKDOOR netraider 0.0 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.netraider.0.0.runtime; content:"NSServer-sPISPJ99"; depth:17; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/n/netraider/Netraider0.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3979; classtype:trojan-activity; sid:6181; rev:2;)
# sid:6017 requires DSK_Lite_1.0_TCP (setter not visible here) and matches a
# bare "disconnect" from any $HOME_NET port >= 800 - the flowbit is what
# keeps it specific.
alert tcp $HOME_NET 800: -> $EXTERNAL_NET any (msg:"BACKDOOR dsk lite 1.0 runtime detection - disconnect"; flow:from_server,established; flowbits:isset,DSK_Lite_1.0_TCP; content:"disconnect"; depth:10; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6017; rev:3;)
# sid:6048 requires FunFactory_conn (setter not visible here); the pcre
# anchors the "100013Agentsvr^^Merlin" reply at payload start.
alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"BACKDOOR fun factory runtime detection - connect"; flow:from_server,established; flowbits:isset,FunFactory_conn; content:"100013Agentsvr^^Merlin"; nocase; pcre:"/^100013Agentsvr\x5E\x5EMerlin/smi"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6048; rev:3;)
# sid:6134: chupacabra "delete\" file command inbound to TCP 13473 (no
# flowbit - the port and depth:7 anchor carry the match).
alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"BACKDOOR chupacabra 1.0 runtime detection - delete file"; flow:to_server,established; content:"delete|5C|"; depth:7; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6134; rev:2;)
# sid:6113 requires back.optix.1.32.conn.2 (setter not visible here); the
# anchored pcre confirms "001<AC>Optix Pro v<ver> Connected Successfully!".
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR optix 1.32 runtime detection - init conn"; flow:from_server,established; flowbits:isset,back.optix.1.32.conn.2; content:"001|AC|Optix"; depth:9; nocase; content:"Pro"; distance:0; nocase; content:"Connected"; distance:0; nocase; content:"Successfully!"; distance:0; nocase; pcre:"/^001\xACOptix\s+Pro\s+v\d+\x2E\d+\s+Connected\s+Successfully\x21/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6113; rev:2;)
# sid:6024: Nuclear RAT v6.21 server reply, a fixed 26-byte (presumably
# obfuscated) blob anchored at payload start; no port constraint, so the
# blob is the only discriminator.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR nuclear rat v6_21 runtime detection"; flow:from_server,established; content:"|C2 C5 CD C4 FD F9 FF 86 E4 9A F8 FF E5 9B 98 E5 FC E1 FD A9 FC C2 C5 99 C0 A9|"; depth:26; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077717; classtype:trojan-activity; sid:6024; rev:2;)
# sid:6085 silently sets AutoSpy_MakeDirectory on the "mkdir" command to
# TCP 3505; the consumer is not visible here.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"BACKDOOR autospy runtime detection - make directory"; flow:to_server,established; content:"mkdir"; depth:5; flowbits:set,AutoSpy_MakeDirectory; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6085; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR optixlite 1.0 runtime detection - icq notification"; flow:to_server,established; uricontent:"from=Optix+Lite"; nocase; uricontent:"fromemail="; nocase; uricontent:"subject=From+Optix+Lite"; nocase; uricontent:"body="; nocase; uricontent:"to="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:6069; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 831 (msg:"BACKDOOR neurotickat1.3 runtime detection - initial connection"; flow:to_server,established; content:"VER "; depth:4; nocase; flowbits:set,neurotickat.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6060; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR dkangel runtime detection - smtp"; flow:to_server,established; flowbits:isset,DKangel_Email; content:"yyt_hac"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6126; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7648 (msg:"BACKDOOR xhx 1.6 runtime detection - initial connection client-to-server"; flow:to_server,established; content:"UAIIA"; depth:5; nocase; content:"XHX"; distance:0; nocase; content:"YANER"; distance:0; nocase; pcre:"/^UAIIA\s+XHX\s+YANER/smi"; flowbits:set,xhx_cts; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/x/xhx/Xhx1.60.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084140; classtype:trojan-activity; sid:6074; rev:3;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR optixlite 1.0 runtime detection - connection success server-to-client"; flow:from_server,established; flowbits:isset,optixlite_suc_conn_cts; content:"password"; depth:8; nocase; content:"Optix"; distance:0; nocase; content:"Lite"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"Ready"; distance:0; nocase; pcre:"/^password\x3B1\x3BOptix\s+Lite\s+Server\s+Ready/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:6066; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR neurotickat1.3 runtime detection - icq notification"; flow:to_server,established; uricontent:"Uin="; nocase; uricontent:"Name=The+Hosts+port+is"; nocase; uricontent:"Name=Your+Host+is"; nocase; uricontent:"Send=yes"; nocase; pcre:"/Name=Your\+Host\+is\x3A[^\r\n]*\+The\+password\+is\x3A[^\r\n]*\+Version\+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6058; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"BACKDOOR autospy runtime detection - get information"; flow:to_server,established; content:"info"; depth:4; flowbits:set,AutoSpy_GetInformation; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6077; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR fkwp 2.0 runtime detection - connection success"; flow:from_server,established; flowbits:isset,fkwp_conn_cts; content:"SUC"; depth:3; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=815; classtype:trojan-activity; sid:6033; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"BACKDOOR clindestine 1.0 runtime detection - capture small screen"; flow:to_server,established; content:"small"; depth:5; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6137; rev:2;)
# sid 6180: NetRaider 0.0 handshake (silent). "NSClient-sPISPJ99" as the first 17 bytes to TCP/57341 sets
# backdoor.netraider.0.0.runtime with noalert; the companion rule that checks it is outside this section.
alert tcp $EXTERNAL_NET any -> $HOME_NET 57341 (msg:"BACKDOOR netraider 0.0 runtime detection"; flow:to_server,established; content:"NSClient-sPISPJ99"; depth:17; nocase; flowbits:set,backdoor.netraider.0.0.runtime; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/n/netraider/Netraider0.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3979; classtype:trojan-activity; sid:6180; rev:2;)
# sid 6098: Alvgus 2000 "check server" reply over UDP from port 27184: "stAlvgus's Trojan Server 2000".
# Gated on Alvgus_CheckServer, whose setter is outside this section.
alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"BACKDOOR alvgus 2000 runtime detection - check server"; flow:to_client; flowbits:isset,Alvgus_CheckServer; content:"stAlvgus"; depth:8; nocase; content:"Trojan"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"2000"; distance:0; nocase; pcre:"/^stAlvgus\'s\s+Trojan\s+Server\s+2000/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6098; rev:3;)
# sid 6049: Fun Factory upload command (silent). Matches the 8-byte binary header AB 86 01 00 12 00 00 00
# anywhere in the client stream to TCP/8799 (no depth/offset), sets FunFactory_upload; sid 6050 alerts on the reply.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"BACKDOOR fun factory runtime detection - upload"; flow:to_server,established; content:"|AB 86 01 00 12 00 00 00|"; flowbits:set,FunFactory_upload; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6049; rev:3;)
# sid 6092: A Trojan 2.0 hard-disk info reply. Server echoes "infhd" in its first 5 bytes on any port pair;
# gated on A_Trojan_GetHarddiskInfo, set silently by sid 6091 when the client sent the same "infhd" command.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection - get harddisk info"; flow:from_server,established; flowbits:isset,A_Trojan_GetHarddiskInfo; content:"infhd"; depth:5; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6092; rev:2;)
# sid 6110: Forced Entry v1.1 beta banner from TCP/9999: "ForCed EnTrY x.y.z\r\n\r\n\r\nConnection Stable".
# Standalone alert; the content options are prefilters for the anchored pcre.
alert tcp $HOME_NET 9999 -> $EXTERNAL_NET any (msg:"BACKDOOR forced entry v1.1 beta runtime detection"; flow:from_server,established; content:"ForCed"; depth:6; nocase; content:"EnTrY"; distance:0; nocase; content:"|0D 0A 0D 0A 0D 0A|Connection"; distance:0; nocase; content:" Stable"; distance:0; nocase; pcre:"/^ForCed\s+EnTrY\s+\d+\x2E\d+\x2E\d+\x0D\x0A\x0D\x0A\x0D\x0AConnection\s+Stable/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=2160; classtype:trojan-activity; sid:6110; rev:2;)
# sid 6027: NetShadow reverse connection. The infected host connects out to an operator port >=1024 and sends
# "<digits>\rAJust a server\0...\0<a.b.c.d>\0" (leaking its own IP). Standalone alert; the contents are
# unanchored, the pcre is anchored at line start (/m).
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"BACKDOOR netshadow runtime detection"; flow:to_server,established; content:"AJust"; nocase; content:"server"; distance:0; nocase; pcre:"/^\d+\x0dAJust\s+a\s+server\x00[^\r\n]*\x00\d+\.\d+\.\d+\.\d+\x00/smi"; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.netshadow.html; reference:url,www.megasecurity.org/trojans/n/netshadow/Netshadow_a.html; classtype:trojan-activity; sid:6027; rev:2;)
# sid 6050: Fun Factory upload acknowledgement "100011" from TCP/8799, gated on FunFactory_upload (sid 6049).
# Note the 6-digit content has no depth/offset, so it matches anywhere in the server stream once the flowbit is set.
alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"BACKDOOR fun factory runtime detection - upload"; flow:from_server,established; flowbits:isset,FunFactory_upload; content:"100011"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6050; rev:3;)
# sid 6156: Dirtxt "view" command (silent) over UDP to port 4950; sets Dirtxt_View with noalert.
# sid 6157 alerts on the matching "view" reply from the server.
alert udp $EXTERNAL_NET any -> $HOME_NET 4950 (msg:"BACKDOOR dirtxt runtime detection - view client-to-server"; flow:to_server; content:"view"; depth:4; nocase; flowbits:set,Dirtxt_View; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6156; rev:5;)
# sid 6100: Alvgus 2000 directory-listing reply "diGetting content of directory:" over UDP from port 27184.
# Gated on Alvgus_ViewDirectory, set silently by sid 6099 on the 2-byte "di" request.
alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"BACKDOOR alvgus 2000 runtime detection - view content of directory"; flow:to_client; flowbits:isset,Alvgus_ViewDirectory; content:"diGetting"; depth:9; nocase; content:"content"; distance:0; nocase; content:"directory"; distance:0; nocase; pcre:"/^diGetting\s+content\s+of\s+directory\x3A/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6100; rev:3;)
# sid 6108: Dagger v1.1.40 connect frame (silent): 8 length/opcode bytes followed by "Connect" as the first
# 15 bytes to TCP/2589; sets backdoor.dagger.1.1.40.conn. The rule that checks the flowbit is outside this section.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2589 (msg:"BACKDOOR dagger v1.1.40 runtime detection"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:15; nocase; flowbits:set,backdoor.dagger.1.1.40.conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1477; classtype:trojan-activity; sid:6108; rev:2;)
# sid 6016: DSK Lite 1.0 initial reply "connect;" from a server port in the range 800 and up (header "800:").
# Gated on DSK_Lite_1.0_TCP, whose setter is outside this section.
alert tcp $HOME_NET 800: -> $EXTERNAL_NET any (msg:"BACKDOOR dsk lite 1.0 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,DSK_Lite_1.0_TCP; content:"connect|3B|"; depth:8; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6016; rev:3;)
# sid 6075: XHX 1.6 server greeting -- only " [" as the first 2 bytes from TCP/7648. That content is
# meaningless on its own; the rule is usable only because it is gated on xhx_cts (setter outside this section).
alert tcp $HOME_NET 7648 -> $EXTERNAL_NET any (msg:"BACKDOOR xhx 1.6 runtime detection - initial connection server-to-client"; flow:from_server,established; flowbits:isset,xhx_cts; content:" ["; depth:2; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/x/xhx/Xhx1.60.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084140; classtype:trojan-activity; sid:6075; rev:3;)
# sid 6129: Chupacabra 1.0 "getowner" command (silent) to TCP/13473; sets Chupacabra_GetComputerName.
# The rule that alerts on the reply is outside this section.
alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"BACKDOOR chupacabra 1.0 runtime detection"; flow:to_server,established; content:"getowner"; depth:8; flowbits:set,Chupacabra_GetComputerName; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6129; rev:2;)
# sid 6061: NeuroticKat 1.3 handshake, stage 2 (silent). Requires neurotickat.1 (set outside this section),
# matches "FTPON<digits> TIME<digits>" to TCP/831 and sets neurotickat.2; sid 6062 alerts on the server's reply.
alert tcp $EXTERNAL_NET any -> $HOME_NET 831 (msg:"BACKDOOR neurotickat1.3 runtime detection - initial connection"; flow:to_server,established; flowbits:isset,neurotickat.1; content:"FTPON"; nocase; content:"TIME"; distance:0; nocase; pcre:"/FTPON\d+\s+TIME\d+\s+/smi"; flowbits:set,neurotickat.2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6061; rev:3;)
# sid 6080: AutoSpy "autoSpY shown" reply from TCP/3505, gated on AutoSpy_ShowAutoSpy (set by sid 6079 on "frmauto").
alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"BACKDOOR autospy runtime detection - show autospy"; flow:from_server,established; flowbits:isset,AutoSpy_ShowAutoSpy; content:"autoSpY shown"; depth:13; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6080; rev:2;)
# sid 6059: NeuroticKat 1.3 CGI notification. Standalone alert on an outbound HTTP URI carrying action=, ip=,
# port=, win=, pass=, connection=, id=NEUROTICKA and s7pass=. The generic parameters add little on their own;
# id=NEUROTICKA is the discriminator.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR neurotickat1.3 runtime detection - cgi notification"; flow:to_server,established; uricontent:"action="; nocase; uricontent:"ip="; nocase; uricontent:"port="; nocase; uricontent:"win="; nocase; uricontent:"pass="; nocase; uricontent:"connection="; nocase; uricontent:"id=NEUROTICKA"; nocase; uricontent:"s7pass="; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6059; rev:2;)
# sid 6142: HellzAddiction v1.0e built-in FTP server banner "220 HellzAddiction FTP server." from TCP/21.
# Standalone alert (no flowbit).
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BACKDOOR hellzaddiction v1.0e runtime detection - ftp open"; flow:from_server,established; content:"220 HellzAddiction FTP server."; depth:30; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076338; classtype:trojan-activity; sid:6142; rev:2;)
# sid 6164: PsyRAT 1.0 stage 1 (silent). Server sends "GOODPWD" as its first 7 bytes on any port pair;
# sets backdoor.psyrat.runtime.detection. sid 6165 alerts when "PsyRAT_10A" follows from the same server.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR psyrat 1.0 runtime detection"; flow:from_server,established; content:"GOODPWD"; depth:7; nocase; flowbits:set,backdoor.psyrat.runtime.detection; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/p/psyrat/Psyrat1.0.html; classtype:trojan-activity; sid:6164; rev:2;)
# sid 6155: Dirtxt "info" reply over UDP from port 4950, gated on Dirtxt_Info (setter outside this section).
alert udp $HOME_NET 4950 -> $EXTERNAL_NET any (msg:"BACKDOOR dirtxt runtime detection - info server-to-client"; flow:to_client; flowbits:isset,Dirtxt_Info; content:"info"; depth:4; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6155; rev:5;)
# sid 6171: Cookie Monster 0.24 "ver\r\n" command (silent) to TCP/6969; sets CookieMonster_GetVersionInfo.
# The checking rule is outside this section. TCP/6969 is also used by NetControl (sid 6150 below).
alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"BACKDOOR cookie monster 0.24 runtime detection"; flow:to_server,established; content:"ver|0D 0A|"; depth:5; flowbits:set,CookieMonster_GetVersionInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6171; rev:2;)
# sid 6147: Mantis "gotoadres" command (silent) on any port; sets Mantis_GotoAdress.
# The rule that alerts on the reply is outside this section.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR mantis runtime detection - go to address client-to-server"; flow:to_server,established; content:"gotoadres"; depth:9; nocase; flowbits:set,Mantis_GotoAdress; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6147; rev:4;)
# sid 6116: Fore v1.0 beta login (silent): the hard-coded access string "access flatboost6302" as the first
# 20 bytes to TCP/50766; sets back.fore.v1.0.conn.1. sid 6117 alerts on the "access ok " reply.
alert tcp $EXTERNAL_NET any -> $HOME_NET 50766 (msg:"BACKDOOR fore v1.0 beta runtime detection - init conn"; flow:to_server,established; content:"access flatboost6302"; depth:20; nocase; flowbits:set,back.fore.v1.0.conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086922; classtype:trojan-activity; sid:6116; rev:2;)
# sid 6091: A Trojan 2.0 "infhd" command (silent) on any port pair; sets A_Trojan_GetHarddiskInfo.
# sid 6092 alerts when the server echoes "infhd" back.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infhd"; depth:5; flowbits:set,A_Trojan_GetHarddiskInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6091; rev:2;)
# sid 6071: Freak 1.0 ICQ notification through /scripts/WWPMsg.dll with from=FrEaK_ViCTiM, fromemail=FrEaK,
# subject=FrEaK+SERVER and a body= field. Standalone alert. Uses content (not uricontent), so the fields are
# matched anywhere in the request, including a POST body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR freak 1.0 runtime detection - icq notification"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; content:"from=FrEaK_ViCTiM"; nocase; content:"fromemail=FrEaK"; nocase; content:"subject=FrEaK+SERVER"; nocase; content:"body="; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/freak/Freak1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6071; rev:2;)
# sid 6012: CoolCat handshake, stage 1 (silent): "testforconnection\r\n" as the first 19 bytes to an
# ephemeral port >=1024; sets CoolCat.1. sid 6013 continues the chain on the 'password "' line.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR coolcat runtime connection detection - tcp 1"; flow:to_server,established; content:"testforconnection|0D 0A|"; depth:19; nocase; flowbits:set,CoolCat.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=555; classtype:trojan-activity; sid:6012; rev:3;)
# sid 6031: FKWP 2.0 -- server reply starting "FAI" (apparently the failed-auth path; the msg text says
# "connection attempt") with payload >50 bytes, gated on fkwp_conn_cts from sid 6030 ("AUTH").
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR fkwp 2.0 runtime detection - connection attempt server-to-client"; flow:from_server,established; flowbits:isset,fkwp_conn_cts; dsize:>50; content:"FAI"; depth:3; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=815; classtype:trojan-activity; sid:6031; rev:4;)
# sid 6118: Net Runner initial command (silent): length byte 0x0E + "Get Resolution" as the first 15 bytes
# to TCP/1023; sets NetRunner_Init_Connection. sid 6119 alerts on the reply.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1023 (msg:"BACKDOOR net runner runtime detection - initial connection client-to-server"; flow:to_server,established; content:"|0E|Get Resolution"; depth:15; nocase; flowbits:set,NetRunner_Init_Connection; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6118; rev:4;)
# sid 6151: Back Attack v1.4 banner "You are now connected to an BackAtTaCk server" from TCP/33812.
# Standalone alert; the very short contents ("are", "to", "an") are only prefilters for the pcre.
alert tcp $HOME_NET 33812 -> $EXTERNAL_NET any (msg:"BACKDOOR back attack v1.4 runtime detection"; flow:from_server,established; content:" You"; depth:4; nocase; content:"are"; distance:0; nocase; content:"now"; distance:0; nocase; content:"connected"; distance:0; nocase; content:"to"; distance:0; nocase; content:"an"; distance:0; nocase; content:"BackAtTaCk"; distance:0; nocase; content:"server"; distance:0; nocase; pcre:"/You\s+are\s+now\s+connected\s+to\s+an\s+BackAtTaCk\s+server/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074438; classtype:trojan-activity; sid:6151; rev:2;)
# sid 6099: Alvgus 2000 directory request (silent): 2-byte opcode "di" to UDP/27184; sets Alvgus_ViewDirectory.
# sid 6100 alerts on the "diGetting content of directory:" reply.
alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"di"; depth:2; nocase; flowbits:set,Alvgus_ViewDirectory; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6099; rev:3;)
# sid 6078: AutoSpy "Product Name" reply from TCP/3505, gated on AutoSpy_GetInformation (set by sid 6077 on "info").
alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"BACKDOOR autospy runtime detection - get information"; flow:from_server,established; flowbits:isset,AutoSpy_GetInformation; content:"Product Name"; depth:12; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6078; rev:2;)
# sid 6111: Optix 1.32 initial reply (silent): a server on any port sending " \r\n" as its first 3 bytes;
# sets back.optix.1.32.conn.1. This content is extremely generic and must stay noalert -- it is only a
# precondition for a checking rule that lives outside this section.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR optix 1.32 runtime detection - init conn"; flow:from_server,established; content:" |0D 0A|"; depth:3; nocase; flowbits:set,back.optix.1.32.conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6111; rev:2;)
# sid 6063: Schwindler 1.82 "ver" command (silent) to TCP/21212; sets the flowbit "schwindler".
# The checking rule is outside this section.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21212 (msg:"BACKDOOR schwindler 1.82 runtime detection"; flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,schwindler; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5287; classtype:trojan-activity; sid:6063; rev:2;)
# sid 6051: Fun Factory "set volume" command (silent): binary header B0 86 01 00 01 00 00 00 followed by "0",
# unanchored, to TCP/8799; sets FunFactory_volume. The checking rule is outside this section.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"BACKDOOR fun factory runtime detection - set volume"; flow:to_server,established; content:"|B0 86 01 00 01 00 00 00|0"; flowbits:set,FunFactory_volume; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6051; rev:3;)
# sid 6165: PsyRAT 1.0 stage 2: server sends "PsyRAT_10A" as its first 10 bytes; gated on
# backdoor.psyrat.runtime.detection from sid 6164 ("GOODPWD").
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR psyrat 1.0 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.psyrat.runtime.detection; content:"PsyRAT_10A"; depth:10; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/p/psyrat/Psyrat1.0.html; classtype:trojan-activity; sid:6165; rev:2;)
# sid 6062: NeuroticKat 1.3 handshake, final stage: "One more step until connection." from TCP/831,
# gated on neurotickat.2 (set by sid 6061). Contents are unanchored prefilters for the pcre.
alert tcp $HOME_NET 831 -> $EXTERNAL_NET any (msg:"BACKDOOR neurotickat1.3 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,neurotickat.2; content:"One"; nocase; content:"more"; distance:0; nocase; content:"step"; distance:0; nocase; content:"until"; distance:0; nocase; content:"connection."; distance:0; nocase; pcre:"/One\s+more\s+step\s+until\s+connection\x2E/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6062; rev:3;)
# sid 6144: DISABLED upstream (leading '#'). Would silently set Mantis_Notify1 on "notifuin" to any port.
# The reason is not recorded here; do not re-enable without checking the companion rule that reads the flowbit.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR mantis runtime detection - sent notify option client-to-server 1"; flow:to_server,established; content:"notifuin"; depth:8; nocase; flowbits:set,Mantis_Notify1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6144; rev:5;)
# sid 6036: MiniCommand banner "minicommand fileserver ready.\r\n" from an ephemeral port >=1024. Standalone
# alert. The msg says "directory listing" but the matched text is the ready banner -- presumably the banner
# precedes a listing; the name is kept as upstream wrote it.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR minicommand runtime detection - directory listing server-to-client"; flow:from_server,established; content:"minicommand"; nocase; content:"fileserver"; distance:0; nocase; content:"ready"; distance:0; nocase; pcre:"/minicommand\s+fileserver\s+ready\.\r\n/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075932; classtype:trojan-activity; sid:6036; rev:3;)
# sid 6088: A Trojan 2.0 client "conec" (first 5 bytes, any port pair), gated on A_Trojan_InitConnection,
# which sid 6087 sets when the server has already sent "resp1Conectado" on the session.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection - init connection"; flow:to_server,established; flowbits:isset,A_Trojan_InitConnection; content:"conec"; depth:5; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6088; rev:2;)
# sid 6022: Silent Spy 2.10 command response framed "+---|...|---+" coming FROM external port 4226, i.e. the
# operator side is the TCP server (reverse-connect layout). Standalone alert; contents are unanchored.
alert tcp $EXTERNAL_NET 4226 -> $HOME_NET any (msg:"BACKDOOR silent spy 2.10 command response port 4226"; flow:from_server,established; content:"+---|7C|"; content:"|7C|---+"; distance:0; pcre:"/\x2B\x2D{3}\x7C[^\r\n]*\x7C\x2D{3}\x2B/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048; classtype:trojan-activity; sid:6022; rev:4;)
# sid 6119: Net Runner reply 0x0F + "New Resoltutione" from TCP/1023 (the misspelling is part of the matched
# bytes -- do not "correct" it). Gated on NetRunner_Init_Connection from sid 6118; content is unanchored.
alert tcp $HOME_NET 1023 -> $EXTERNAL_NET any (msg:"BACKDOOR net runner runtime detection - initial connection server-to-client"; flow:from_server,established; flowbits:isset,NetRunner_Init_Connection; content:"|0F|New Resoltutione"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6119; rev:4;)
# sid 6030: FKWP 2.0 login attempt (silent): "AUTH" as the first 4 bytes to an ephemeral port >=1024;
# sets fkwp_conn_cts. sids 6031 ("FAI") and 6033 ("SUC") alert on the server's answer.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR fkwp 2.0 runtime detection - connection attempt client-to-server"; flow:to_server,established; content:"AUTH"; depth:4; nocase; flowbits:set,fkwp_conn_cts; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=815; classtype:trojan-activity; sid:6030; rev:4;)
# sid 6082: AutoSpy "nude Raider pic" reply from TCP/3505, gated on AutoSpy_ShowNudePicture (set by sid 6081 on "nraider").
alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"BACKDOOR autospy runtime detection - show nude pic"; flow:from_server,established; flowbits:isset,AutoSpy_ShowNudePicture; content:"nude Raider pic"; depth:15; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6082; rev:2;)
# sid 6042: FeaR 0.2 PHP notification. Standalone alert on an outbound URI containing
# "body=FeaR%200.2.0%20Online:%20[IP_a.b.c.d]%20[Port_" (URL-encoded in the pcre as \x2520) -- the victim
# reporting its own IP and port to the operator's script.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR fear 0.2 runtime detection - php notification"; flow:to_server,established; uricontent:"body=FeaR"; nocase; pcre:"/body=FeaR\x25200\x2E2\x2E0\x2520Online\x3A\x2520\x5BIP_\d+\x2E\d+\x2E\d+\x2E\d+\x5D\x2520\x5BPort_/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6042; rev:2;)
# sid 6166: Unicorn greeting "Connected to ... (a.b.c.d)" from TCP/666. Standalone alert.
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR unicorn runtime detection - initial connection"; flow:from_server,established; content:"Connected to"; depth:12; nocase; pcre:"/^Connected\s+to\s+[^\r\n]*\x28\d+\.\d+\.\d+\.\d+\x29/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1506; classtype:trojan-activity; sid:6166; rev:2;)
# sid 6117: Fore v1.0 beta login accepted -- "access ok " as the first 10 bytes from TCP/50766, gated on
# back.fore.v1.0.conn.1 from sid 6116 (the hard-coded access string).
alert tcp $HOME_NET 50766 -> $EXTERNAL_NET any (msg:"BACKDOOR fore v1.0 beta runtime detection - init conn"; flow:from_server,established; flowbits:isset,back.fore.v1.0.conn.1; content:"access ok "; depth:10; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086922; classtype:trojan-activity; sid:6117; rev:2;)
# sid 6106: Alvgus 2000 file download (victim -> operator): "tfTransferring file from:" over UDP from port 27184,
# gated on Alvgus_DownloadFile (set by sid 6105 on the 2-byte "tf" request).
alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"BACKDOOR alvgus 2000 runtime detection - download file"; flow:to_client; flowbits:isset,Alvgus_DownloadFile; content:"tfTransferring"; depth:14; nocase; content:"file"; distance:0; nocase; content:"from"; distance:0; nocase; pcre:"/^tfTransferring\s+file\s+from\x3A/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6106; rev:3;)
# sid 6079: AutoSpy "frmauto" command (silent) to TCP/3505; sets AutoSpy_ShowAutoSpy. sid 6080 alerts on the reply.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"BACKDOOR autospy runtime detection - show autospy"; flow:to_server,established; content:"frmauto"; depth:7; flowbits:set,AutoSpy_ShowAutoSpy; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6079; rev:2;)
# sid 6150: NetControl v1.0.8 reply "con1.08" from TCP/6969, gated on backdoor.netcontro.1.0.8.conn.
# The flowbit name is spelled "netcontro" -- it must match the setter (outside this section), so do not
# rename it here in isolation.
alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR netcontrol v1.0.8 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.netcontro.1.0.8.conn; content:"con1.08"; depth:7; nocase; metadata:policy security-ips drop; reference:url,www.system-help.com/spyware/netcontrol/; classtype:trojan-activity; sid:6150; rev:2;)
# sid 6057: Bifrose 1.1 command frame 02 00 00 00 90 'x' to an ephemeral port, gated on bifrose.rev_conn.2
# (set outside this section). The rule clears the flowbit after matching, so it fires once per set.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR bifrose 1.1 runtime detection"; flow:to_server,established; flowbits:isset,bifrose.rev_conn.2; content:"|02 00 00 00 90|x"; flowbits:unset,bifrose.rev_conn.2; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1464; classtype:trojan-activity; sid:6057; rev:3;)
# sid 6039: Fade 1.0 HTTP notification. Standalone alert on an outbound URI with win=, rpass=, ServerType=Fade
# and id= -- ServerType=Fade is the discriminator, the rest are generic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR fade 1.0 runtime detection - notification"; flow:to_server,established; uricontent:"win="; nocase; uricontent:"rpass="; nocase; uricontent:"ServerType=Fade"; nocase; uricontent:"id="; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076292; classtype:trojan-activity; sid:6039; rev:2;)
# sid 6173: DISABLED upstream (leading '#'). Would silently set CookieMonster_FileExplorer on "ls\r\n" to TCP/6969.
# The reason is not recorded here; presumably the 4-byte content is too generic even as a noalert setter.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"BACKDOOR cookie monster 0.24 runtime detection"; flow:to_server,established; content:"ls|0D 0A|"; depth:4; flowbits:set,CookieMonster_FileExplorer; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6173; rev:3;)
# sid 6068: OptixLite 1.0 login failure "password;0;Incorrect password" from an ephemeral port >=1024.
# Gated on optixlite_suc_conn_cts (setter outside this section); sid 6066 is the success counterpart.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR optixlite 1.0 runtime detection - connection failure server-to-client"; flow:from_server,established; flowbits:isset,optixlite_suc_conn_cts; content:"password"; depth:8; nocase; pcre:"/^password\x3B0\x3BIncorrect\s+password/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:6068; rev:5;)
# sid 6157: Dirtxt "view" reply over UDP from port 4950, gated on Dirtxt_View (set by sid 6156).
alert udp $HOME_NET 4950 -> $EXTERNAL_NET any (msg:"BACKDOOR dirtxt runtime detection - view server-to-client"; flow:to_client; flowbits:isset,Dirtxt_View; content:"view"; depth:4; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6157; rev:5;)
# sid 6025: Tequila Bandita 1.2 reverse connection: the victim connects out to an operator port >=1024 and
# sends "\x07LAN\x07Win" within its first 28 bytes. Standalone alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"BACKDOOR tequila bandita 1.2 runtime detection - reverse connection"; flow:to_server,established; content:"|07|LAN|07|Win"; depth:28; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/t/toquitobandito/Tequilabandita1.2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083232; classtype:trojan-activity; sid:6025; rev:3;)
# sid 6104: Alvgus 2000 file upload (operator -> victim) acknowledgement "ttTransferring file to:" over UDP
# from port 27184, gated on Alvgus_UploadFile (setter outside this section).
alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"BACKDOOR alvgus 2000 runtime detection - upload file"; flow:to_client; flowbits:isset,Alvgus_UploadFile; content:"ttTransferring"; depth:14; nocase; content:"file"; distance:0; nocase; content:"to"; distance:0; nocase; pcre:"/^ttTransferring\s+file\s+to\x3A/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6104; rev:3;)
# sid 6087: A Trojan 2.0 server greeting "resp1Conectado" (first 14 bytes, any port pair), silent; sets
# A_Trojan_InitConnection. sid 6088 alerts when the client then sends "conec".
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection"; flow:from_server,established; content:"resp1Conectado"; depth:14; flowbits:set,A_Trojan_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6087; rev:2;)
# sid 6043: FeaR 0.2 CGI notification. Standalone alert on an outbound URI with action=, ip=, id=FeaR-Server,
# win=, rpass=, connection= and s7pass=; id=FeaR-Server is the discriminator.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR fear 0.2 runtime detection - cgi notification"; flow:to_server,established; uricontent:"action="; nocase; uricontent:"ip="; nocase; uricontent:"id=FeaR-Server"; nocase; uricontent:"win="; nocase; uricontent:"rpass="; nocase; uricontent:"connection="; nocase; uricontent:"s7pass="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6043; rev:2;)
# sid 6023: Silent Spy 2.10 notification: URI /argh/notify.php?emailaddr= with msg=SERVER and a User-Agent
# header containing "SiLENT SPY" (pcre anchored at line start via /m). Standalone alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR silent spy 2.10 runtime detection - icq notification"; flow:to_server,established; uricontent:"/argh/notify.php?emailaddr="; nocase; uricontent:"msg=SERVER"; nocase; content:"User-Agent|3A|"; nocase; content:"SiLENT"; distance:0; nocase; content:"SPY"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*SiLENT\s+SPY/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048; classtype:trojan-activity; sid:6023; rev:2;)
# sid 6028: CyberPaky beacon over UDP 18001 -> 18000: "H02EXE File Name: CYBERPAKY\r\nOperating System".
# Standalone alert; no flow option (direction is fixed by the header ports), contents are unanchored.
alert udp $HOME_NET 18001 -> $EXTERNAL_NET 18000 (msg:"BACKDOOR cyberpaky runtime detection"; content:"H02EXE"; nocase; content:"File"; distance:0; nocase; content:"Name|3A|"; distance:0; nocase; content:"CYBERPAKY"; distance:0; nocase; content:"Operating"; distance:0; nocase; content:"System"; distance:0; nocase; pcre:"/H02EXE\s+File\s+Name\x3A\s+CYBERPAKY\x0D\x0AOperating\s+System/smi"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-cyberpaky-trojan.html; reference:url,www.megasecurity.org/trojans/c/cyberpaky/Cyberpaky1.8.html; classtype:trojan-activity; sid:6028; rev:2;)
# sid 6140: HellzAddiction v1.0e stage 1 (silent): 2-byte "xr" as the first bytes of a server message. Note the
# header is $EXTERNAL_NET -> $HOME_NET while flow is from_server, i.e. the external host is the TCP server
# (presumably a reverse-connect session; confirm against the companion rule). Sets
# backdoor.hellzaddiction.1.0E.conn; sid 6141 alerts on "R_Server version:". Must stay noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR hellzaddiction v1.0e runtime detection - init conn"; flow:from_server,established; content:"xr"; depth:2; nocase; flowbits:set,backdoor.hellzaddiction.1.0E.conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076338; classtype:trojan-activity; sid:6140; rev:2;)
# sid 6081: AutoSpy "nraider" command (silent) to TCP/3505; sets AutoSpy_ShowNudePicture. sid 6082 alerts on the reply.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"BACKDOOR autospy runtime detection - show nude pic"; flow:to_server,established; content:"nraider"; depth:7; flowbits:set,AutoSpy_ShowNudePicture; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6081; rev:2;)
# sid 6054: Fun Factory "do script" acknowledgement "100014" from TCP/8799, gated on FunFactory_doscript
# (setter outside this section). The 6-digit content is unanchored.
alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"BACKDOOR fun factory runtime detection - do script remotely"; flow:from_server,established; flowbits:isset,FunFactory_doscript; content:"100014"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6054; rev:3;)
# sid 6123: Ambush 1.0 ping (silent): 2-byte "10" to UDP/10666; sets Ambush_Ping. sid 6124 alerts on the
# "=======>> AMBUSH v" reply. (nocase on a digit-only content is a no-op.)
alert udp $EXTERNAL_NET any -> $HOME_NET 10666 (msg:"BACKDOOR ambush 1.0 runtime detection - ping client-to-server"; flow:to_server; content:"10"; depth:2; nocase; flowbits:set,Ambush_Ping; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=238; classtype:trojan-activity; sid:6123; rev:5;)
# sid 6160: Delirium of Disorder "stopklog" (stop keylogger) command to TCP/6071. Standalone alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"BACKDOOR delirium of disorder runtime detection - stop keylogger"; flow:to_server,established; content:"stopklog"; depth:8; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/d/deleriumofdisorder/Deleriumofdisorder.html; classtype:trojan-activity; sid:6160; rev:2;)
# sid 6125: DKangel e-mail beacon (silent): outbound SMTP with a Subject: line containing the 8 non-ASCII bytes
# BA DA B0 B5 CC EC CA B9 (a multibyte name; nocase cannot affect them) followed by " 2.41 ". Sets DKangel_Email;
# the checking rule is outside this section.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR dkangel runtime detection - smtp"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"|BA DA B0 B5 CC EC CA B9| 2.41 "; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*2\x2E41/smi"; flowbits:set,DKangel_Email; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6125; rev:3;)
# sid 6175: Cookie Monster 0.24 "krnlkill\r\n" (kill kernel) command to TCP/6969. Standalone alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"BACKDOOR cookie monster 0.24 runtime detection - kill kernel"; flow:to_server,established; content:"krnlkill|0D 0A|"; depth:10; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262; classtype:trojan-activity; sid:6175; rev:2;)
# sid 6133: Chupacabra 1.0 "sndmsg\" (send message) command to TCP/13473. Standalone alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"BACKDOOR chupacabra 1.0 runtime detection - send messages"; flow:to_server,established; content:"sndmsg|5C|"; depth:7; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6133; rev:2;)
# sid 6179: Blade Runner 0.80 banner "Blade Runner ver <n>" from TCP/5400. Standalone alert.
alert tcp $HOME_NET 5400 -> $EXTERNAL_NET any (msg:"BACKDOOR bladerunner 0.80 runtime detection"; flow:from_server,established; content:"Blade Runner"; depth:12; nocase; pcre:"/^Blade\s+Runner\s+ver\s+\d+/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/b/bladerunner/BladeRunner0.80a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=862; classtype:trojan-activity; sid:6179; rev:2;)
# sid 6153: Dirtxt "chdir " reply over UDP from port 4950, gated on Dirtxt_Chdir (set by sid 6152).
alert udp $HOME_NET 4950 -> $EXTERNAL_NET any (msg:"BACKDOOR dirtxt runtime detection - chdir server-to-client"; flow:to_client; flowbits:isset,Dirtxt_Chdir; content:"chdir "; depth:6; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6153; rev:5;)
# sid 6141: HellzAddiction v1.0e stage 2: "R_Server version:x.y ... Rx.y" from the server, gated on
# backdoor.hellzaddiction.1.0E.conn from sid 6140. Same $EXTERNAL_NET -> $HOME_NET / from_server layout as the
# setter (external side is the TCP server).
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR hellzaddiction v1.0e runtime detection - init conn"; flow:from_server,established; flowbits:isset,backdoor.hellzaddiction.1.0E.conn; content:"R_Server"; depth:8; nocase; content:"version|3A|"; distance:0; nocase; pcre:"/^R_Server\s+version\x3A\d+\x2E\d+[^\r\n]*R\d+\x2E\d+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076338; classtype:trojan-activity; sid:6141; rev:2;)
# sid 6167: Unicorn "WALLPAPER " command (silent) to TCP/666; sets Unicore_SetWallpaper (sic -- the name must
# stay in sync with sid 6168, which alerts on the "Wallpaper Changed" reply).
alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR unicorn runtime detection - set wallpaper client-to-server"; flow:to_server,established; content:"WALLPAPER "; depth:10; nocase; flowbits:set,Unicore_SetWallpaper; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1506; classtype:trojan-activity; sid:6167; rev:4;)
# sid 6105: Alvgus 2000 download request (silent): 2-byte opcode "tf" to UDP/27184; sets Alvgus_DownloadFile.
# sid 6106 alerts on the "tfTransferring file from:" reply.
alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"tf"; depth:2; nocase; flowbits:set,Alvgus_DownloadFile; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6105; rev:3;)
# sid 6013: CoolCat handshake, stage 2 (silent): 'password "' as the first 10 bytes, gated on CoolCat.1 from
# sid 6012; sets CoolCat.2. The rule that finally alerts on CoolCat.2 is outside this section.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR coolcat runtime connection detection - tcp 2"; flow:to_server,established; flowbits:isset,CoolCat.1; content:"password |22|"; depth:10; nocase; flowbits:set,CoolCat.2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=555; classtype:trojan-activity; sid:6013; rev:3;)
# sid 6094: A Trojan 2.0 drive-info reply "infdr" (first 5 bytes, any port pair), gated on
# A_Trojan_GetDriveInfo (setter outside this section).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection - get drive info"; flow:from_server,established; flowbits:isset,A_Trojan_GetDriveInfo; content:"infdr"; depth:5; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6094; rev:2;)
# sid 6040: Fade 1.0 "enable keylogger" opcode "877110" as the first 6 bytes to any ephemeral port >=1024
# (silent; sets Fade_kl). A 6-digit prefix on any high port is only acceptable because of noalert; the
# checking rule is outside this section.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR fade 1.0 runtime detection - enable keylogger"; flow:to_server,established; content:"877110"; depth:6; flowbits:set,Fade_kl; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076292; classtype:trojan-activity; sid:6040; rev:3;)
# sid 6070: Freak 1.0 IRC notification: outbound "NICK FrEaK_ViCTiM\r\n" to TCP/6667. Standalone alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"BACKDOOR freak 1.0 runtime detection - irc notification"; flow:to_server,established; content:"NICK"; nocase; content:"FrEaK_ViCTiM"; distance:0; nocase; pcre:"/^NICK\s+FrEaK_ViCTiM\x0D\x0A/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/freak/Freak1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6070; rev:2;)
# sid 6037: NetBus 1.7 e-mail beacon: outbound SMTP with a Subject: line containing "NetBus server is up and
# running". Standalone alert; the single-word contents are prefilters for the line-anchored pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR netbus 1.7 runtime detection - email notification"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"NetBus"; distance:0; nocase; content:"server"; distance:0; nocase; content:"is"; distance:0; nocase; content:"up"; distance:0; nocase; content:"and"; distance:0; nocase; content:"running"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*NetBus\s+server\s+is\s+up\s+and\s+running/smi"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/file-backdoor-netbus-12-exe.html; classtype:trojan-activity; sid:6037; rev:2;)
# sid 6168: Unicorn "Wallpaper Changed" reply from TCP/666 (unanchored), gated on Unicore_SetWallpaper (sic)
# from sid 6167.
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR unicorn runtime detection - set wallpaper server-to-client"; flow:from_server,established; flowbits:isset,Unicore_SetWallpaper; content:"Wallpaper Changed"; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1506; classtype:trojan-activity; sid:6168; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"BACKDOOR delirium of disorder runtime detection - enable keylogger"; flow:to_server,established; content:"enableklog"; depth:10; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/d/deleriumofdisorder/Deleriumofdisorder.html; classtype:trojan-activity; sid:6159; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR ultimate destruction runtime detection - kill windows client-to-server"; flow:to_server,established; content:"Killwidows|7C|"; depth:11; nocase; metadata:policy security-ips drop; reference:url,www.splintersecurity.com; classtype:trojan-activity; sid:6178; rev:3;)
alert udp $HOME_NET 10666 -> $EXTERNAL_NET any (msg:"BACKDOOR ambush 1.0 runtime detection - ping server-to-client"; flow:to_client; flowbits:isset,Ambush_Ping; content:"=======>> AMBUSH v"; depth:18; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=238; classtype:trojan-activity; sid:6124; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"BACKDOOR clindestine 1.0 runtime detection - get system directory"; flow:to_server,established; content:"system"; depth:6; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6139; rev:2;)
alert tcp $HOME_NET 13473 -> $EXTERNAL_NET any (msg:"BACKDOOR chupacabra 1.0 runtime detection - get user name"; flow:from_server,established; flowbits:isset,Chupacabra_GetUserName; content:"Current"; nocase; content:"User"; distance:0; nocase; content:"Logged"; distance:0; nocase; pcre:"/^Current\s+User\s+Logged\s+on\x3A/"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6132; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 4950 (msg:"BACKDOOR dirtxt runtime detection - chdir client-to-server"; flow:to_server; content:"chdir "; depth:6; nocase; flowbits:set,Dirtxt_Chdir; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6152; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infme"; depth:5; flowbits:set,A_Trojan_GetMemoryInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6089; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR optix 1.32 runtime detection - email notification"; flow:to_server,established; content:"!!!Optix"; nocase; content:"Pro"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"Online!!!"; distance:0; nocase; pcre:"/^\x21{3}Optix\s+Pro\s+v\d+\x2E\d+\s+Server\s+Online\x21{3}/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6114; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infdr"; depth:5; flowbits:set,A_Trojan_GetDriveInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6093; rev:2;)
alert tcp $HOME_NET 1023 -> $EXTERNAL_NET any (msg:"BACKDOOR net runner runtime detection - download file server-to-client"; flow:from_server,established; flowbits:isset,NetRunner_Download_File; content:"|08|New File File"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6121; rev:4;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR fade 1.0 runtime detection - enable keylogger"; flow:from_server,established; flowbits:isset,Fade_kl; content:"877110"; depth:6; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076292; classtype:trojan-activity; sid:6041; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR ultimate destruction runtime detection - kill process client-to-server"; flow:to_server,established; content:"Killpro|7C|"; depth:8; nocase; metadata:policy security-ips drop; reference:url,www.splintersecurity.com; classtype:trojan-activity; sid:6177; rev:3;)
alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"BACKDOOR fun factory runtime detection - set volume"; flow:from_server,established; flowbits:isset,FunFactory_volume; content:"100016"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6052; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2600 (msg:"BACKDOOR digital rootbeer runtime detection"; flow:to_server,established; content:"iiiiiiinfo"; depth:10; nocase; flowbits:set,backdoor.digital.rootbeer.conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1641; classtype:trojan-activity; sid:6169; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR mantis runtime detection - go to address server-to-client"; flow:from_server,established; flowbits:isset,Mantis_GotoAdress; content:"adressgoneto"; depth:12; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6148; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"BACKDOOR clindestine 1.0 runtime detection - capture big screen"; flow:to_server,established; content:">>Send Capture"; depth:14; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6136; rev:2;)
alert tcp $HOME_NET 21212 -> $EXTERNAL_NET any (msg:"BACKDOOR schwindler 1.82 runtime detection"; flow:from_server,established; flowbits:isset,schwindler; content:"Schwindler"; depth:10 ; nocase; content:"Servidor"; distance:0; nocase; content:"Porta"; distance:0; nocase; pcre:"/Schwindler\s+Servidor\x2E\s+Porta\s+\d+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5287; classtype:trojan-activity; sid:6064; rev:2;)
alert tcp $EXTERNAL_NET 4225 -> $HOME_NET any (msg:"BACKDOOR silent spy 2.10 command response port 4225"; flow:from_server,established; content:"+---|7C|"; content:"|7C|---+"; distance:0; pcre:"/\x2B\x2D{3}\x7C[^\r\n]*\x7C\x2D{3}\x2B/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048; classtype:trojan-activity; sid:6021; rev:3;)
alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"BACKDOOR autospy runtime detection - hide taskbar"; flow:from_server,established; flowbits:isset,AutoSpy_HideTaskbar; content:"Taskbar hidden"; depth:14; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6084; rev:2;)
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR dimbus 1.0 runtime detection - get pc info"; flow:from_server,established; content:"DIMBUS"; nocase; content:"Server"; distance:0; nocase; pcre:"/\s{23}DIMBUS\s+Server\s+v\d+\x2E\d+/smi"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-dimbus-1-0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060480; classtype:trojan-activity; sid:6026; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR freak 1.0 runtime detection - initial connection client-to-server"; flow:to_server,established; content:"026"; depth:3; nocase; flowbits:set,freak_cts; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/freak/Freak1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6072; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR dsk lite 1.0 runtime detection - cgi notification"; flow:to_server,established; uricontent:"/cgi-bin/log.cgi?"; nocase; uricontent:"action="; nocase; uricontent:"ip="; nocase; uricontent:"port="; nocase; uricontent:"vicname="; nocase; uricontent:"server=DSK"; nocase; uricontent:"password="; nocase; uricontent:"usrname="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6019; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR fear 0.2 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,fear_0_2.conn.2; content:"QTAxe1h9e1l9"; nocase; flowbits:unset,fear_0_2.conn.2; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6046; rev:3;)
alert tcp $HOME_NET 2600 -> $EXTERNAL_NET any (msg:"BACKDOOR digital rootbeer runtime detection"; flow:from_server,established; flowbits:isset,backdoor.digital.rootbeer.conn; content:"/NFO,Registered"; depth:15; nocase; content:"Owner|3A|"; distance:0; nocase; content:"|0D 0A|Current"; distance:0; nocase; content:" user|3A|"; distance:0; nocase; pcre:"/^\x2FNFO\x2CRegistered\s+Owner\x3A\s+[^\r\n]*\x0D\x0ACurrent\s+user\x3A\s+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1641; classtype:trojan-activity; sid:6170; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 4950 (msg:"BACKDOOR dirtxt runtime detection - info client-to-server"; flow:to_server; content:"info"; depth:4; nocase; flowbits:set,Dirtxt_Info; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6154; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR bifrose 1.1 runtime detection"; flow:to_server,established; content:"|00 00 00 91|I|16 1B|e|1C|"; flowbits:set,bifrose.rev_conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1464; classtype:trojan-activity; sid:6055; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 800: (msg:"BACKDOOR dsk lite 1.0 runtime detection - initial connection"; flow:to_server,established; content:"verifypass|3B|"; depth:11; nocase; flowbits:set,DSK_Lite_1.0_TCP; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6015; rev:3;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR minicommand runtime detection - initial connection server-to-client"; flow:from_server,established; flowbits:isset,MiniCommand.1; content:"login_ok"; nocase; content:"MiniCommand"; distance:0; nocase; content:"version"; distance:0; nocase; content:"ready"; distance:0; nocase; content:"for"; distance:0; nocase; content:"action"; distance:0; nocase; pcre:"/^login_ok\x5EMiniCommand\s+version\s+\d+\.\d+\.\d+\s+ready\s+for\s+action\x2E/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075932; classtype:trojan-activity; sid:6035; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"BACKDOOR dark connection inside v1.2 runtime detection"; flow:to_server,established; content:"DCIClient12|0A|"; depth:12; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075571; classtype:trojan-activity; sid:6143; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR furax 1.0 b2 runtime detection"; flow:from_server,established; content:"|03 00 1C 00 00 00 00 00 01|Furax "; depth:15; nocase; content:"Server|00|"; distance:0; pcre:"/^\x03\x00\x1c\x00\x00\x00\x00\x00\x01Furax\s+\d+\.\d+\w+\s+Server\x00/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/furax/Furax1.0b2.html; classtype:trojan-activity; sid:6161; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection - get system info"; flow:from_server,established; flowbits:isset,A_Trojan_GetSysInfo; content:"infsy"; depth:5; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6096; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"BACKDOOR clindestine 1.0 runtime detection - get computer info"; flow:to_server,established; content:"info"; depth:4; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6138; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR optix 1.32 runtime detection - icq notification"; flow:to_server,established; uricontent:"/whitepages/page_me/1,,,00.html"; nocase; content:"to="; nocase; content:"from="; nocase; content:"fromemail="; nocase; content:"body="; nocase; pcre:"/body=\x2521\x2521\x2521Optix\s+Pro\s+v\d+\x252E\d+\S+sErver\s+Online\x2521\x2521\x2521/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6115; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"tt"; depth:2; nocase; flowbits:set,Alvgus_UploadFile; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6103; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"BACKDOOR chupacabra 1.0 runtime detection"; flow:to_server,established; content:"getname"; depth:7; flowbits:set,Chupacabra_GetUserName; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6131; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR optixlite 1.0 runtime detection - connection success client-to-server"; flow:to_server,established; content:"password|3B|"; depth:9; nocase; flowbits:set,optixlite_suc_conn_cts; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1577; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=26952; classtype:trojan-activity; sid:6065; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"BACKDOOR netcontrol v1.0.8 runtime detection"; flow:to_server,established; content:"con"; depth:3; nocase; flowbits:set,backdoor.netcontro.1.0.8.conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.system-help.com/spyware/netcontrol/; classtype:trojan-activity; sid:6149; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR dsk lite 1.0 runtime detection - php notification"; flow:to_server,established; uricontent:"/crakzpackz/sys/add.php?"; nocase; uricontent:"action="; nocase; uricontent:"ip="; nocase; uricontent:"port="; nocase; uricontent:"vicname="; nocase; uricontent:"server=DSK"; nocase; uricontent:"password="; nocase; uricontent:"usrname="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6020; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1023 (msg:"BACKDOOR net runner runtime detection - download file client-to-server"; flow:to_server,established; content:"|0D|Download File"; depth:14; nocase; flowbits:set,NetRunner_Download_File; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6120; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR fkwp 2.0 runtime detection - icq notification"; flow:to_server,established; uricontent:"folder_id="; nocase; uricontent:"params_count="; nocase; uricontent:"nick_name="; nocase; uricontent:"user_email=fkwp@yahoo.com"; nocase; content:"user_uin="; nocase; content:"friend_nickname="; nocase; content:"friend_contact="; nocase; content:"x="; nocase; content:"y="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=815; classtype:trojan-activity; sid:6029; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR freak 1.0 runtime detection - initial connection server-to-client"; flow:from_server,established; flowbits:isset,freak_cts; content:"027FrEaK_ViCTiM"; depth:15; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/freak/Freak1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6073; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR dsk lite 1.0 runtime detection - icq notification"; flow:to_server,established; uricontent:"/whitepages/page_me.php?"; nocase; uricontent:"from=DSK"; nocase; uricontent:"fromemail=Dsk"; nocase; uricontent:"subject=Vics"; nocase; uricontent:"body=DSK"; nocase; uricontent:"to="; nocase; uricontent:"Send="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6018; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"BACKDOOR autospy runtime detection - hide taskbar"; flow:to_server,established; content:"taskhide"; depth:8; flowbits:set,AutoSpy_HideTaskbar; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6083; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR minicommand runtime detection - initial connection client-to-server"; flow:to_server,established; content:"login^"; depth:6; flowbits:set,MiniCommand.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075932; classtype:trojan-activity; sid:6034; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection - get memory info"; flow:from_server,established; flowbits:isset,A_Trojan_GetMemoryInfo; content:"infme"; depth:5; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6090; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR optix 1.32 runtime detection - init conn"; flow:to_server,established; flowbits:isset,back.optix.1.32.conn.1; content:"022|AC|"; depth:4; nocase; flowbits:set,back.optix.1.32.conn.2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6112; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infsy"; depth:5; flowbits:set,A_Trojan_GetSysInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6095; rev:2;)
alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"BACKDOOR autospy runtime detection - make directory"; flow:from_server,established; flowbits:isset,AutoSpy_MakeDirectory; content:"folder created"; depth:14; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6086; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"BACKDOOR fun factory runtime detection - connect"; flow:to_server,established; content:"|AD 86 01 00 08 00 00 00|"; content:"1^Merlin"; distance:0; nocase; pcre:"/^\xad\x86\x01\x00\x08\x00\x00\x001\x5EMerlin/smi"; flowbits:set,FunFactory_conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6047; rev:3;)
alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"BACKDOOR alvgus 2000 runtime detection - execute command"; flow:to_client; flowbits:isset,Alvgus_ExecuteCommand; content:"feExecuting"; depth:11; nocase; content:"program"; distance:0; nocase; pcre:"/^feExecuting\s+program\x3A/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6102; rev:3;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR coolcat runtime connection detection - tcp 3"; flow:from_server,established; flowbits:isset,CoolCat.2; content:"psswd"; nocase; pcre:"/^psswd((ok\*\-\*Password\s+OK\r\n)|(error\*\-\*Wrong\s+password\r\n))/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=555; classtype:trojan-activity; sid:6014; rev:4;)
alert tcp $HOME_NET 13473 -> $EXTERNAL_NET any (msg:"BACKDOOR chupacabra 1.0 runtime detection - get computer name"; flow:from_server,established; flowbits:isset,Chupacabra_GetComputerName; content:"Owner|3A|"; depth:6; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6130; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"BACKDOOR fun factory runtime detection - do script remotely"; flow:to_server,established; content:"|AE 86 01 00|"; flowbits:set,FunFactory_doscript; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6053; rev:3;)
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR fucktrojan 1.2 runtime detection - flood"; flow:from_server,established; flowbits:isset,FuckTrojan_flood; content:"Windows"; nocase; content:"Directory"; distance:0; nocase; content:"Flooded"; distance:0; nocase; pcre:"/Windows\s+Directory\s+Flooded/smi"; metadata:policy security-ips drop; reference:url,megasecurity.org/trojans/f/fucktrojan/Fucktrojan1.2.html; classtype:trojan-activity; sid:6327; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12624 (msg:"BACKDOOR buttman v0.9p runtime detection - remote control - set flowbit"; flow:to_server,established; content:"*?!?"; depth:4; flowbits:set,buttman.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=684; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453089720; classtype:trojan-activity; sid:6335; rev:3;)
alert tcp $HOME_NET 23456 -> $EXTERNAL_NET any (msg:"BACKDOOR evilftp runtime detection - init connection"; flow:from_server,established; content:"Welcome"; nocase; content:"To"; distance:0; nocase; content:"EvilFTP"; distance:0; nocase; pcre:"/^\d+\x2d\s+Welcome\s+To\s+EvilFTP\s+\x3a\x29\r\n/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=965; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1929; classtype:trojan-activity; sid:6319; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR net demon runtime detection - initial connection - password send"; flow:to_server,established; flowbits:isset,NetDemon_Init1; content:"PWD "; nocase; pcre:"/^PWD\s+[^\r\n]*\n/smi"; flowbits:set,NetDemon_Init2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6310; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 18713 (msg:"BACKDOOR hatredfriend file manage command - set flowbit"; flow:to_server,established; content:"[LOAD"; nocase; content:"DRIVE"; distance:0; nocase; content:"DATA]"; distance:0; nocase; pcre:"/^\[LOAD\s+DRIVE\s+DATA\]/smi"; flowbits:set,backdoor.HatredFriend.cts; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=832; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077215; classtype:trojan-activity; sid:6337; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR net demon runtime detection - file manager request"; flow:to_server,established; content:"GETLIST "; depth:8; nocase; pcre:"/^GETLIST\s+[^\r\n]*\n/smi"; flowbits:set,NetDemon_FileManager; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6316; rev:2;)
alert tcp $HOME_NET 6912 -> $EXTERNAL_NET any (msg:"BACKDOOR shit heep runtime detection"; flow:from_server,established; content:"SHIT-HEEP"; depth:9; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5451; classtype:trojan-activity; sid:6306; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR cia 1.3 runtime detection - smtp notification"; flow:to_server,established; content:"From|3A|"; nocase; content:"Im"; distance:0; nocase; content:"Online"; distance:0; nocase; content:"<msn@msn.com>"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Im"; distance:0; nocase; content:"Version|3A|"; distance:0; nocase; content:"CIA"; distance:0; nocase; content:"1.3"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*Im\s+Online\s+\d+\x2E\d+\x2E\d+\x2E\d+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260; classtype:trojan-activity; sid:6301; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1337 (msg:"BACKDOOR joker ddos v1.0.1 runtime detection - bomb"; flow:to_server,established; flowbits:isset,backdoor.joker.ddos.1.0.conn.2; content:"C2 "; depth:3; nocase; pcre:"/^C2\s\d+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749; classtype:trojan-activity; sid:6295; rev:2;)
alert tcp $HOME_NET 11831 -> $EXTERNAL_NET any (msg:"BACKDOOR backlash runtime detection"; flow:from_server,established; content:"BackLash Server"; depth:15; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1376; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076823; classtype:trojan-activity; sid:6334; rev:2;)
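# HTTP RAT SMTP notification (from: HTTP_RAT_... / subject: there is a HTTPRAT waiting 4 u on).
# The colon in the pcre is written as \x3A, as sids 6037 and 6301 in this file do. Snort's
# |hex| pipe notation is only meaningful inside content:/uricontent: strings; inside pcre: the
# pipes are PCRE alternation, so the previous expression read as "^FROM | 3A | \s+HTTP_RAT_...",
# which was satisfied by any payload containing "3A" and never enforced the FROM ... SUBJECT
# structure. rev bumped for the pattern change.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR http rat runtime detection - smtp"; flow:to_server,established; content:"from|3A|"; nocase; content:"HTTP_RAT_"; distance:0; nocase; content:"subject|3A|"; distance:0; nocase; content:"there"; distance:0; nocase; content:"is"; distance:0; nocase; content:"a"; distance:0; nocase; content:"HTTPRAT"; distance:0; nocase; content:"waiting"; distance:0; nocase; content:"4"; distance:0; nocase; content:"u"; distance:0; nocase; content:"on"; distance:0; nocase; pcre:"/^FROM\x3A\s+HTTP_RAT_.*SUBJECT\x3A\s+there\s+is\s+a\s+HTTPRAT\s+waiting\s+4\s+u\s+on/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076346; classtype:trojan-activity; sid:6397; rev:3;)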
# Disabled setter for flowbit `bit.3xBackdoorconnection`. While commented out, a checker that
# requires this bit (outside this chunk) cannot fire unless another rule sets it; keep the two
# halves of the pair enabled or disabled together.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 47221 (msg:"BACKDOOR 3xBackdoor runtime detection - set flowbit"; flow:to_server,established; content:"&raport"; depth:7; nocase; flowbits:set,bit.3xBackdoorconnection; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/0_9/3xbackdoor/3xbackdoor.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084228; classtype:trojan-activity; sid:6323; rev:3;)
# Last step of the net demon login chain: sid 6309 sets NetDemon_Init1 on the server's "PWD"
# prompt, sid 6310 requires it and sets NetDemon_Init2 on the client's reply, this rule alerts
# on the server's "OKPWD" acknowledgement.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR net demon runtime detection - initial connection - password accepted"; flow:from_server,established; flowbits:isset,NetDemon_Init2; content:"OKPWD|0A|"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6311; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR globalkiller1.0 runtime detection - notification"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; content:"from=MondoHack"; nocase; content:"fromemail="; nocase; content:"subject="; nocase; content:"body="; nocase; content:"to="; nocase; content:"send="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1656; classtype:trojan-activity; sid:6331; rev:2;)
# Checker half of the CIA pair; sid 6302 sets CIA13_conn on the client's "verifyPASS".
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR cia runtime detection - initial connection"; flow:from_server,established; flowbits:isset,CIA13_conn; content:"passcorrect|3B|"; nocase; content:"CIA"; distance:0; nocase; pcre:"/^passcorrect\x3B\d+\x3B\d+\x3BCIA/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260; classtype:trojan-activity; sid:6303; rev:3;)
# The pcre carries the U modifier, so it is evaluated against the URI buffer like the
# uricontent matches before it, not against the raw payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR cia 1.3 runtime detection - icq notification"; flow:to_server,established; uricontent:"/friendship/email_thank_you?"; nocase; uricontent:"nick_name=CIA-Test"; nocase; uricontent:"user_email=ciatest@icq.com"; nocase; uricontent:"friend_nickname=CIA-Notify-Tezt"; nocase; pcre:"/\x2Ffriendship\x2Femail_thank_you\?[^\r\n]*nick_name=CIA-Test[^\r\n]*friend_nickname=CIA-Notify-Tezt/Ui"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260; classtype:trojan-activity; sid:6300; rev:2;)
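# Snowdoor server reply: "DISK" followed by one letter (presumably a drive letter) and a digit.
# The class was [A-z], which also spans the six punctuation characters that sit between 'Z'
# and 'a' in ASCII ([ \ ] ^ _ `); [A-Za-z] is the letter class the rule intends. rev bumped
# for the pattern change.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR snowdoor runtime detection server-to-client"; flow:from_server,established; flowbits:isset,snowdoor_cts; content:"DISK"; depth:4; nocase; pcre:"/^DISK[A-Za-z][0-9]/smi"; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.snowdoor.html; reference:url,www.megasecurity.org/trojans/s/snow/Snow1.3.html; classtype:trojan-activity; sid:6401; rev:3;)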
# net demon: server-side password prompt ("PWD\n" in the first 4 bytes). Sets NetDemon_Init1 only;
# flowbits:noalert means this rule never raises an alert by itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR net demon runtime detection - initial connection - password request"; flow:from_server,established; content:"PWD|0A|"; depth:4; nocase; flowbits:set,NetDemon_Init1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6309; rev:2;)
# insurrection reverse connection: "sin<digits>:<text>:<digits>:<digits>:" from the external side.
# Not gated on a flowbit, so the content + pcre pair is the entire detection for this alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR insurrection 1.1.0 runtime detection - reverse connection"; flow:to_server,established; content:"sin"; depth:3; nocase; pcre:"/^sin\d+\x3A[^\r\n]*\x3A\d+\x3A\d+\x3A/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744; classtype:trojan-activity; sid:6298; rev:2;)
# net demon file-manager reply "FILESIZE><name>><digits>", gated on NetDemon_FileManager
# (the rule that sets that bit is not in this part of the file).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR net demon runtime detection - file manager response"; flow:from_server,established; flowbits:isset,NetDemon_FileManager; content:"FILESIZE>"; depth:9; nocase; pcre:"/^FILESIZE\x3E[^\r\n]*\x3E\d+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6317; rev:3;)
# insurrection handshake: literal "Insurrection1" at offset 0, any port.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR insurrection 1.1.0 runtime detection - initial connection"; flow:to_server,established; content:"Insurrection13"; depth:13; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744; classtype:trojan-activity; sid:6299; rev:2;)
# a-311 death HTTP beacon: plain content matches on the User-Agent header (no http_* buffer
# modifiers), with the pcre confirming "A-311<ws>Server" sits on that same header line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR a-311 death user-agent string detected"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"A-311"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*A-311\s+Server/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076778; classtype:trojan-activity; sid:6396; rev:2;)
# commando chat, client->server on 11000: "Cliente :" (Portuguese). Case-sensitive (no nocase).
# Only sets the Commando bit consumed by sid 6330; noalert.
alert tcp $HOME_NET any -> $EXTERNAL_NET 11000 (msg:"BACKDOOR commando runtime detection - chat client-to-server"; flow:to_server,established; content:"Cliente |3A|"; flowbits:set,Commando; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/c/comando/Comando.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068368; classtype:trojan-activity; sid:6329; rev:2;)
# netspy command banner to port 7306; pcre requires "Netspy Version N.N\r\nservice:" at the start
# of the payload. Flowbit-only (noalert); the alerting rule is elsewhere.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7306 (msg:"BACKDOOR netspy runtime detection - command pattern client-to-server"; flow:to_server,established; content:"Netspy"; nocase; content:"Version"; distance:0; nocase; content:"service"; distance:0; nocase; pcre:"/^Netspy\s+Version\s+\d+\x2E\d+\r\nservice\x3A/smi"; flowbits:set,Netspy_Command_Pattern; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=434; classtype:trojan-activity; sid:6289; rev:2;)
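# fictional daemon banner on the telnet port (23). The message said "telent"; corrected to
# "telnet" so the alert is found when analysts search on the service name, rev bumped.
# pcre is anchored at payload start, unlike the FTP variant (sid 6288).
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"BACKDOOR fictional daemon 4.4 runtime detection - telnet"; flow:from_server,established; content:"We"; nocase; content:"got"; distance:0; nocase; content:"this"; distance:0; nocase; content:"GREAT"; distance:0; nocase; content:"Daemon"; distance:0; nocase; content:"Fictional"; nocase; content:"Daemon"; distance:0; nocase; pcre:"/^We\s+got\s+this\s+GREAT\s+Daemon.*Fictional\s+Daemon/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1159; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074164; classtype:trojan-activity; sid:6287; rev:3;)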
# fucktrojan banner from port 666: "Connected to Server :-)" (23 bytes, so depth:23 is exact).
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR fucktrojan 1.2 runtime detection - initial connection"; flow:from_server,established; content:"Connected to Server |3A|-|29|"; depth:23; nocase; metadata:policy security-ips drop; reference:url,megasecurity.org/trojans/f/fucktrojan/Fucktrojan1.2.html; classtype:trojan-activity; sid:6325; rev:2;)
# cia: "verifyPASS" at offset 0 on any port; flowbit-only (CIA13_conn), consumer not in this view.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR cia runtime detection - initial connection - set flowbit"; flow:to_server,established; content:"verifyPASS"; depth:10; flowbits:set,CIA13_conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260; classtype:trojan-activity; sid:6302; rev:3;)
# insurrection ICQ notification via /cgi-bin/blah.cgi; "id=Insurrection" is the trojan-specific
# URI token, the remaining parameters (ip=, port=, rpass=, ...) narrow the request shape.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR insurrection 1.1.0 runtime detection - icq notification 2"; flow:to_server,established; uricontent:"/cgi-bin/blah.cgi"; nocase; uricontent:"action="; nocase; uricontent:"ip="; nocase; uricontent:"port="; nocase; uricontent:"id=Insurrection"; nocase; uricontent:"win="; nocase; uricontent:"rpass="; nocase; uricontent:"connection="; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744; classtype:trojan-activity; sid:6297; rev:2;)
# commando chat reply "Servidor :" from 11000; alerts only when sid 6329 already set Commando.
alert tcp $EXTERNAL_NET 11000 -> $HOME_NET any (msg:"BACKDOOR commando runtime detection - chat server-to-client"; flow:from_server,established; flowbits:isset,Commando; content:"Servidor |3A|"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/c/comando/Comando.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068368; classtype:trojan-activity; sid:6330; rev:2;)
# lamespy: "cname:" in the first 6 bytes followed by "Command Sendet", gated on the bit set by sid 6307.
alert tcp $HOME_NET 6660 -> $EXTERNAL_NET any (msg:"BACKDOOR lamespy runtime detection - initial connection"; flow:from_server,established; flowbits:isset,bit.LameSpyInitialconnection; content:"cname|3A|"; depth:6; nocase; content:"Command Sendet"; distance:0; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1586; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3370; classtype:trojan-activity; sid:6308; rev:2;)
# net demon "openbrowser <url>\n" request; sets NetDemon_OpenBrowser for sid 6315, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR net demon runtime detection - open browser request"; flow:to_server,established; content:"openbrowser "; depth:12; nocase; pcre:"/^openbrowser\s+[^\r\n]*\n/smi"; flowbits:set,NetDemon_OpenBrowser; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6314; rev:2;)
# fucktrojan flood command: bare "Flood" anywhere in a payload to port 666 (no depth, no reference).
# Flowbit-only, so the broad match never alerts on its own.
alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR fucktrojan 1.2 runtime detection - flood"; flow:to_server,established; content:"Flood"; nocase; flowbits:set,FuckTrojan_flood; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:6326; rev:2;)
# rad banner: pcre expects two whitespace chars, "rad N.N.N", two whitespace chars, then "><";
# content " rad " within depth:6 is consistent with the leading double whitespace.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR rad 1.2.3 runtime detection"; flow:from_server,established; content:" rad "; depth:6; nocase; content:" >< "; distance:0; pcre:"/^\s\srad\s\d+\x2E\d+\x2E\d+\s\s\x3E\x3C/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/r/rad/Rad1.2.3.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072457; classtype:trojan-activity; sid:6399; rev:3;)
# a-311 death banner from 16661. Note the pcre uses literal single spaces, not the \s+ used by
# the other banner rules in this file, so extra spacing in the banner would not match.
alert tcp $HOME_NET 16661 -> $EXTERNAL_NET any (msg:"BACKDOOR a-311 death runtime detection - initial connection server-to-client"; flow:from_server,established; content:"A-311"; nocase; content:"Death"; distance:0; nocase; content:"welcome"; distance:0; nocase; pcre:"/^A-311 Death welcome/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076778; classtype:trojan-activity; sid:6395; rev:2;)
# fictional daemon banner on the FTP port (21). Same content set as the telnet rule (sid 6287) but
# the pcre is unanchored - presumably because an FTP greeting carries a reply code first; confirm.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BACKDOOR fictional daemon 4.4 runtime detection - ftp"; flow:from_server,established; content:"We"; nocase; content:"got"; distance:0; nocase; content:"this"; distance:0; nocase; content:"GREAT"; distance:0; nocase; content:"Daemon"; distance:0; nocase; content:"Fictional"; nocase; content:"Daemon"; distance:0; nocase; pcre:"/We\s+got\s+this\s+GREAT\s+Daemon.*Fictional\s+Daemon/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1159; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074164; classtype:trojan-activity; sid:6288; rev:2;)
# net demon "browseropened\n" reply; alerts only after sid 6314 set NetDemon_OpenBrowser.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR net demon runtime detection - open browser response"; flow:from_server,established; flowbits:isset,NetDemon_OpenBrowser; content:"browseropened|0A|"; depth:14; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6315; rev:2;)
# joker ddos banner "MV 1.0" in the first 6 bytes from port 1337; alerts directly, no flowbit.
alert tcp $HOME_NET 1337 -> $EXTERNAL_NET any (msg:"BACKDOOR joker ddos v1.0.1 runtime detection - initial connection"; flow:from_server,established; content:"MV 1.0"; depth:6; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749; classtype:trojan-activity; sid:6292; rev:2;)
# hatredfriend SMTP notification: From "IP Contact", X-Mailer "EBT Reporter", Subject "Vic Ip Addy".
# The pcre's .* with /s lets the three headers be separated by arbitrary text.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR hatredfriend email notification detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"IP"; distance:0; nocase; content:"Contact"; distance:0; nocase; content:"X-Mailer|3A|"; nocase; content:"EBT"; distance:0; nocase; content:"Reporter"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Vic"; distance:0; nocase; content:"Ip"; distance:0; nocase; content:"Addy"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*IP\s+Contact.*X-Mailer\x3A[^\r\n]*EBT\s+Reporter.*Subject\x3A[^\r\n]*Vic\s+Ip\s+Addy/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=832; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077215; classtype:trojan-activity; sid:6339; rev:2;)
# softwar/shadowthief client hello "\x01SoftWAR Client\x00" (16 bytes, searched within depth:18),
# gated on the server-hello bit set by sid 6304.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1207 (msg:"BACKDOOR softwar shadowthief runtime detection - initial connection"; flow:from_client,established; flowbits:isset,bit.SoftWARShadowThiefInitialconnection; content:"|01|SoftWAR Client|00|"; depth:18; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/softwar/Softwar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=19977; classtype:trojan-activity; sid:6305; rev:2;)
# net demon "MSG <text>\n" request; sets NetDemon_Msg for sid 6313, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR net demon runtime detection - message send"; flow:to_server,established; content:"MSG "; depth:4; nocase; pcre:"/^MSG\s+[^\r\n]*\n/smi"; flowbits:set,NetDemon_Msg; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6312; rev:2;)
# commando "Conectou" greeting from 11000; case-sensitive like sids 6329/6330; not flowbit-gated.
alert tcp $EXTERNAL_NET 11000 -> $HOME_NET any (msg:"BACKDOOR commando runtime detection - initial connection"; flow:from_server,established; content:"Conectou"; depth:8; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/c/comando/Comando.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068368; classtype:trojan-activity; sid:6328; rev:2;)
# antilamer: "024" in the first 3 bytes on any port - very broad, but it only sets the flowbit
# that sid 6286 checks and never alerts itself (noalert).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR antilamer 1.1 runtime detection - set flowbit"; flow:to_server,established; content:"024"; depth:3; nocase; flowbits:set,backdoor.antilamer1.1.conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076222; classtype:trojan-activity; sid:6285; rev:2;)
# snowdoor client->server "DISK" command; sets snowdoor_cts for sid 6401, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR snowdoor runtime detection client-to-server"; flow:to_server,established; content:"DISK"; depth:4; nocase; flowbits:set,snowdoor_cts; flowbits:noalert; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.snowdoor.html; reference:url,www.megasecurity.org/trojans/s/snow/Snow1.3.html; classtype:trojan-activity; sid:6400; rev:2;)
# justjoke pager notification posted to /scripts/WWPMsg.dll. The form fields use plain content
# (not uricontent), so they are matched anywhere in the request - presumably the POST body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR justjoke v2.6 runtime detection"; flow:to_server,established; uricontent:"/scripts/WWPMsg.dll"; nocase; content:"from=JJB+Server"; nocase; content:"fromemail=JJB"; nocase; content:"subject=JJB+Pager"; nocase; content:"body=JJ+BackDoor+-+v"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073017; classtype:trojan-activity; sid:6291; rev:2;)
# hatredfriend drive listing from 18713: "[DRIVE LIST]<digit>" then NUL-separated "X:" entries,
# gated on backdoor.HatredFriend.cts (set outside this view). NOTE(review): the .* inside the
# repeated group runs under /s and is greedy, so long listings may backtrack heavily - confirm.
alert tcp $HOME_NET 18713 -> $EXTERNAL_NET any (msg:"BACKDOOR hatredfriend file manage command"; flow:from_server,established; flowbits:isset,backdoor.HatredFriend.cts; content:"[DRIVE"; nocase; content:"LIST]"; distance:0; nocase; pcre:"/\[DRIVE\s+LIST\]\d(\x00[a-zA-Z]\x3A(\s+\[.*\])?)+/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=832; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077215; classtype:trojan-activity; sid:6338; rev:2;)
# softwar/shadowthief server hello "R\x00SoftWAR Server" (16 bytes = depth); sets the bit for sid 6305.
alert tcp $HOME_NET 1207 -> $EXTERNAL_NET any (msg:"BACKDOOR softwar shadowthief runtime detection - initial connection - set flowbit"; flow:from_server,established; content:"R|00|SoftWAR Server"; depth:16; nocase; flowbits:set,bit.SoftWARShadowThiefInitialconnection; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/softwar/Softwar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=19977; classtype:trojan-activity; sid:6304; rev:2;)
# net demon "WAIT\n" reply; alerts only after sid 6312 set NetDemon_Msg.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR net demon runtime detection - message response"; flow:from_server,established; flowbits:isset,NetDemon_Msg; content:"WAIT|0A|"; depth:5; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6313; rev:2;)
# antilamer reply, gated on sid 6285. The high bytes appear to be cp1251 Cyrillic
# ("Версия сервера" ~ "server version") followed by " - 1.1"; nocase only folds ASCII letters,
# so it has no effect on those bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR antilamer 1.1 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.antilamer1.1.conn; content:"024|C2 E5 F0 F1 E8 FF| |F1 E5 F0 E2 E5 F0 E0| - 1.1"; depth:23; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076222; classtype:trojan-activity; sid:6286; rev:2;)
# ptakks UDP keepalive (no "established" since UDP). In the pcre, \x23 is '#', and \x232 is '#'
# followed by a literal '2' (\x consumes exactly two hex digits), so the expected text is
# "#1#aComprobar si esta conectadoa#2##3##f#". Flowbit-only.
alert udp $HOME_NET any -> $EXTERNAL_NET 8012 (msg:"BACKDOOR ptakks2.1 runtime detection - keepalive"; flow:to_server; content:"aComprobar"; nocase; content:"si"; distance:0; nocase; content:"esta"; distance:0; nocase; content:"conectadoa"; distance:0; nocase; pcre:"/\x23\x31\x23aComprobar\s+si\s+esta\s+conectadoa\x232\x23\x233\x23\x23f\x23/smi"; flowbits:set,PtakkS_Keepalive; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079909; classtype:trojan-activity; sid:6320; rev:3;)
# wincrash banner "WinCrash Server N.N" from 2583; alerts directly.
alert tcp $HOME_NET 2583 -> $EXTERNAL_NET any (msg:"BACKDOOR wincrash 2.0 runtime detection"; flow:from_server,established; content:"WinCrash"; depth:8; nocase; content:"Server"; distance:0; nocase; pcre:"/^WinCrash\s+Server\s+\d+\x2E\d+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084089; classtype:trojan-activity; sid:6333; rev:2;)
# joker ddos bomb, second step: "M1 <dotted ip>" from 1337, requires conn.1 from sid 6293; sets conn.2.
alert tcp $HOME_NET 1337 -> $EXTERNAL_NET any (msg:"BACKDOOR joker ddos v1.0.1 runtime detection - bomb - second flowbit"; flow:from_server,established; flowbits:isset,backdoor.joker.ddos.1.0.conn.1; content:"M1 "; depth:3; nocase; pcre:"/^M1\s\d+\x2E\d+\x2E\d+\x2E\d+/smi"; flowbits:set,backdoor.joker.ddos.1.0.conn.2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749; classtype:trojan-activity; sid:6294; rev:2;)
# netangel: literal "netangel" in the first 8 bytes to port 4125; alerts directly.
alert tcp $EXTERNAL_NET any -> $HOME_NET 4125 (msg:"BACKDOOR netangel connection client-to-server"; flow:to_server,established; content:"netangel"; depth:8; nocase; metadata:policy security-ips drop; reference:url,megasecurity.org/trojans/n/netangel/Netangel1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086360; classtype:trojan-activity; sid:6402; rev:2;)
# joker ddos bomb, first step: "C1 <dotted ip>" to 1337; sets conn.1 for sid 6294, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1337 (msg:"BACKDOOR joker ddos v1.0.1 runtime detection - bomb - initial flowbit"; flow:to_server,established; content:"C1 "; depth:3; nocase; pcre:"/^C1\s\d+\x2E\d+\x2E\d+\x2E\d+/smi"; flowbits:set,backdoor.joker.ddos.1.0.conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749; classtype:trojan-activity; sid:6293; rev:2;)
# rtb666 banner from 623: "RTB 666 v.N.N; Firewall Guarded Port. Your IP is ...". Alerts directly.
alert tcp $HOME_NET 623 -> $EXTERNAL_NET any (msg:"BACKDOOR rtb666 runtime detection"; flow:from_server,established; content:"RTB"; depth:3; nocase; content:"666"; distance:0; nocase; content:"Firewall"; distance:0; nocase; content:"Guarded"; distance:0; nocase; content:"Port"; distance:0; nocase; content:"Your"; distance:0; nocase; content:"IP"; distance:0; nocase; content:"is"; distance:0; nocase; pcre:"/^RTB\s+666\s+v\x2E\d+\x2E\d+\x3B\s+Firewall\s+Guarded\s+Port\x2E\s+Your\s+IP\s+is/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1501; classtype:trojan-activity; sid:6318; rev:2;)
# lamespy "accept:" from 6660; sets the bit that sid 6308 requires, noalert.
alert tcp $HOME_NET 6660 -> $EXTERNAL_NET any (msg:"BACKDOOR lamespy runtime detection - initial connection - set flowbit"; flow:from_server,established; content:"accept|3A|"; depth:7; nocase; flowbits:set,bit.LameSpyInitialconnection; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1586; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3370; classtype:trojan-activity; sid:6307; rev:2;)
# insurrection pager notification via /scripts/WWPMsg.dll; "subject=Insurrection+Page" is the
# trojan-specific token (the other fields are generic form names).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR insurrection 1.1.0 runtime detection - icq notification 1"; flow:to_server,established; uricontent:"/scripts/WWPMsg.dll"; nocase; content:"from="; nocase; content:"fromemail="; nocase; content:"subject=Insurrection+Page"; nocase; content:"body="; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744; classtype:trojan-activity; sid:6296; rev:2;)
# globalkiller banner "Conectado Yeah!" from 1255; alerts directly.
alert tcp $HOME_NET 1255 -> $EXTERNAL_NET any (msg:"BACKDOOR globalkiller1.0 runtime detection - initial connection"; flow:from_server,established; content:"Conectado"; depth:9; nocase; content:"Yeah!"; distance:0; nocase; pcre:"/^Conectado\s+Yeah\!/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1656; classtype:trojan-activity; sid:6332; rev:2;)
# exploiter banner "Exploiter Server N.N . Port N" from 21554, gated on the "ver" request (sid 6497).
alert tcp $HOME_NET 21554 -> $EXTERNAL_NET any (msg:"BACKDOOR exploiter 1.0 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.exploiter.1.0.conn; content:"Exploiter"; depth:9; nocase; content:"Server"; distance:0; nocase; content:"Port"; distance:0; nocase; pcre:"/^Exploiter\s+Server\s+\d+\x2E\d+\s+\x2E\s+Port\s+\d+/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1603; classtype:trojan-activity; sid:6498; rev:2;)
# omerta step 2: "Details|<text>|<ip>|<port>|" from the victim to the external controller on
# 1024: (reverse connection); requires conn_1 from sid 6499, sets conn_2, noalert.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"BACKDOOR omerta 1.3 runtime detection"; flow:to_server,established; flowbits:isset,Omerta_1_3_conn_1; content:"Details|7C|"; depth:8; nocase; pcre:"/^Details\x7C[^\r\n]*\x7C\d+\x2E\d+\x2E\d+\x2E\d+\x7C\d+\x7C/smi"; flowbits:set,Omerta_1_3_conn_2; flowbits:noalert; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.omerta.html; reference:url,www.antivirusprogram.se/virusinfo/Backdoor.Omerta_4852.html; classtype:trojan-activity; sid:6500; rev:3;)
# omerta step 3 (the alerting rule): "connect|" after conn_2. All three omerta rules share the
# same msg text, so only the sid tells them apart in alert output.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"BACKDOOR omerta 1.3 runtime detection"; flow:from_server,established; flowbits:isset,Omerta_1_3_conn_2; content:"connect|7C|"; nocase; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.omerta.html; reference:url,www.antivirusprogram.se/virusinfo/Backdoor.Omerta_4852.html; classtype:trojan-activity; sid:6501; rev:3;)
# bugs file-manager reply "CURDIR " from 2115, gated on the request bit from sid 6472.
alert tcp $HOME_NET 2115 -> $EXTERNAL_NET any (msg:"BACKDOOR bugs runtime detection - file manager server-to-client"; flow:from_server,established; flowbits:isset,Bugs_InitConnection; content:"CURDIR "; nocase; metadata:policy security-ips drop; reference:url,www.commodon.com/threat/threat-bugs.htm; classtype:trojan-activity; sid:6473; rev:2;)
# bugs file-manager request "CURDIR\r" to 2115; sets Bugs_InitConnection, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2115 (msg:"BACKDOOR bugs runtime detection - file manager client-to-server"; flow:to_server,established; content:"CURDIR|0D|"; depth:7; nocase; flowbits:set,Bugs_InitConnection; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.commodon.com/threat/threat-bugs.htm; classtype:trojan-activity; sid:6472; rev:2;)
# exploiter "ver" request to 21554 - only 3 bytes, so it is kept flowbit-only (noalert) and the
# specific banner reply (sid 6498) does the alerting.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21554 (msg:"BACKDOOR exploiter 1.0 runtime detection"; flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,backdoor.exploiter.1.0.conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1603; classtype:trojan-activity; sid:6497; rev:2;)
# badrat "badratpass" login on any port; sets the bit for sid 6476, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR badrat 1.1 runtime detection - flowbit set"; flow:to_server,established; content:"badratpass"; depth:10; nocase; flowbits:set,backdoor.badrat.1.1.conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/b/badrat/Badrat1.1.html; classtype:trojan-activity; sid:6475; rev:2;)
# loosky HTTP check-in to /synctl/ping.pl with ip=/port1=/id=/ver=/con=/speed= parameters.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR w32.loosky.gen@mm runtime detection - notification"; flow:to_server,established; uricontent:"/synctl/ping.pl"; nocase; uricontent:"ip="; nocase; uricontent:"port1="; nocase; uricontent:"id="; nocase; uricontent:"ver="; nocase; uricontent:"con="; nocase; uricontent:"speed="; nocase; metadata:policy security-ips drop; reference:url,www.sophos.com/virusinfo/analyses/w32looskyl.html; classtype:trojan-activity; sid:6474; rev:2;)
# badrat "okpass" acknowledgement; alerts only after sid 6475 set the bit.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR badrat 1.1 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.badrat.1.1.conn; content:"okpass"; depth:6; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/b/badrat/Badrat1.1.html; classtype:trojan-activity; sid:6476; rev:2;)
# omerta step 1: "RequestName|" from the external controller (listening on 1024:); sets conn_1.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"BACKDOOR omerta 1.3 runtime detection"; flow:from_server,established; content:"RequestName|7C|"; depth:12; nocase; flowbits:set,Omerta_1_3_conn_1; flowbits:noalert; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.omerta.html; reference:url,www.antivirusprogram.se/virusinfo/Backdoor.Omerta_4852.html; classtype:trojan-activity; sid:6499; rev:3;)
# remote hack "catasenha|" (Portuguese, roughly "fetch password") to 1480. No depth and no
# flowbit: the literal anywhere in a payload to that port alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1480 (msg:"BACKDOOR remote hack 1.5 runtime detection - get password"; flow:to_server,established; content:"catasenha|7C|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1523; classtype:trojan-activity; sid:7098; rev:4;)
# sinique client hello (12-byte binary blob) on 1024:. The "wrong password" rule (sid 7089) has
# the identical content and direction and differs only in the flowbit it sets; the correct/wrong
# outcome is decided by the server reply (sid 7088 checks the crt bit).
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR sinique 1.0 runtime detection - initial connection with correct password client-to-server"; flow:to_server,established; content:"|B8 9B 93 9D 9A A2 91 86 9D 92 8D 88|"; depth:12; flowbits:set,sinique_initial_crt_client-to-server; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/sinique/Sinique1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730; classtype:trojan-activity; sid:7087; rev:4;)
# fearless lite "Pass-On" on any port; sets the bit for sid 7112, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR fearless lite 1.01 runtime detection"; flow:to_server,established; content:"Pass-On"; depth:7; nocase; flowbits:set,backdoor.fearless.runtime; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fearless/Fearless_lite1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078381; classtype:trojan-activity; sid:7111; rev:4;)
# cybernetic reverse-connection step 1: "DmInf" in the first 5 bytes; sets rev.conn.1
# (the consuming rule is not in this part of the file).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR cybernetic 1.62 runtime detection - reverse connection flowbit 1"; flow:to_server,established; content:"DmInf"; depth:5; nocase; flowbits:set,backdoor.cybernetic.1.62.rev.conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745; classtype:trojan-activity; sid:7065; rev:2;)
# aol admin "INFO" request to 30029; flowbit-only, the banner reply (sid 7105) alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET 30029 (msg:"BACKDOOR aol admin runtime detection"; flow:to_server,established; content:"INFO"; depth:4; nocase; flowbits:set,AOLAdmin1.1.connection; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/a/aoladmin/Aoladmin1.1.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=313; classtype:trojan-activity; sid:7104; rev:4;)
# dumaru check-in: GET /admin/logger.php?p=&machineid=&connection=&iplan= with the pcre pinning
# "backtrust.com" to the Host: header line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR w32.dumaru.gen@mm runtime detection - notification"; flow:to_server,established; uricontent:"/admin/logger.php"; nocase; uricontent:"p="; nocase; uricontent:"machineid="; nocase; uricontent:"connection="; nocase; uricontent:"iplan="; nocase; content:"Host|3A|"; nocase; content:"backtrust.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*backtrust\x2Ecom/smi"; metadata:policy www.vil.mcafeesecurity.com/vil/content/v_125643.htm; classtype:trojan-activity; sid:7073; rev:3;)
# sinique server reply (13-byte blob) gated on the crt bit from sid 7087 - this is the alerting half.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR sinique 1.0 runtime detection - initial connection with correct password server-to-client"; flow:from_server,established; flowbits:isset,sinique_initial_crt_client-to-server; content:"|B8 9B 93 9D 9A A2 91 86 9D 92 9D 91 90|"; depth:13; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/sinique/Sinique1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730; classtype:trojan-activity; sid:7088; rev:4;)
# fearless lite "Pass-On0" reply; alerts only after sid 7111 set the bit.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR fearless lite 1.01 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.fearless.runtime; content:"Pass-On0"; depth:8; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fearless/Fearless_lite1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078381; classtype:trojan-activity; sid:7112; rev:4;)
# y3k UDP 5887->5888 "login"; sets Y3K_InitConnection_2 (no consumer in this view). UDP, so no
# "established" qualifier.
alert udp $EXTERNAL_NET 5887 -> $HOME_NET 5888 (msg:"BACKDOOR y3k 1.2 runtime detection"; flow:to_server; content:"login"; depth:5; nocase; flowbits:set,Y3K_InitConnection_2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7121; rev:4;)
# sinique "wrong password" hello: byte-identical content and direction to sid 7087, so both
# fire together on the same packet; only the flowbit name differs. The wrg consumer is outside this view.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password -client-to-server"; flow:to_server,established; content:"|B8 9B 93 9D 9A A2 91 86 9D 92 8D 88|"; depth:12; flowbits:set,sinique_initial_wrg_client-to-server; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/sinique/Sinique1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730; classtype:trojan-activity; sid:7089; rev:5;)
# y3k UDP 5881->5882 "Y3K"; sets Y3K_InitConnection_1 for sid 7120.
alert udp $EXTERNAL_NET 5881 -> $HOME_NET 5882 (msg:"BACKDOOR y3k 1.2 runtime detection"; flow:to_server; content:"Y3K"; depth:3; nocase; flowbits:set,Y3K_InitConnection_1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7119; rev:4;)
# remote hack "executafile|" to 1480; no depth, alerts on the literal anywhere in the payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1480 (msg:"BACKDOOR remote hack 1.5 runtime detection - execute file"; flow:to_server,established; content:"executafile|7C|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1523; classtype:trojan-activity; sid:7097; rev:4;)
# aol admin banner (31 bytes, depth exact) from 30029; gated on the request bit from sid 7104.
alert tcp $HOME_NET 30029 -> $EXTERNAL_NET any (msg:"BACKDOOR aol admin runtime detection"; flow:from_server,established; flowbits:isset,AOLAdmin1.1.connection; content:"AOL Admin Server 1.1 By CHeeSeR"; depth:31; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/a/aoladmin/Aoladmin1.1.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=313; classtype:trojan-activity; sid:7105; rev:4;)
# charon download step 2: "FREQ|<digits>" requires charon_download_1 (set outside this view),
# sets charon_download_2 for sid 7060, noalert.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR charon runtime detection - download file/log flowbit 2"; flow:to_server,established; flowbits:isset,charon_download_1; content:"FREQ|7C|"; depth:5; nocase; pcre:"/^FREQ\x7C\d+/smi"; flowbits:set,charon_download_2; flowbits:noalert; metadata:policy security-ips drop; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7059; rev:3;)
# remote hack "logon|" in the first 6 bytes to 1480; alerts directly.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1480 (msg:"BACKDOOR remote hack 1.5 runtime detection - logon"; flow:to_server,established; content:"logon|7C|"; depth:6; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1523; classtype:trojan-activity; sid:7096; rev:4;)
# erazer "000Ok echter server ?" (German "echter" ~ "real"), gated on Erazer_InitConnection
# (set outside this view). NOTE(review): flow is to_server although the text reads like a server
# reply - presumably a reverse connection where the victim is the TCP client; confirm.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR erazer v1.1 runtime detection - init connection"; flow:to_server,established; flowbits:isset,Erazer_InitConnection; content:"000Ok"; depth:5; nocase; content:"echter"; distance:0; nocase; content:"server"; distance:0; nocase; pcre:"/^000Ok\s+echter\s+server\s+\?/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/e/erazer/Erazer1.1.html; classtype:trojan-activity; sid:7086; rev:3;)
# up and run step 1: "BOF<drive letter>:\" from 10015; sets up_run_1, noalert.
alert tcp $EXTERNAL_NET 10015 -> $HOME_NET any (msg:"BACKDOOR up and run v1.0 beta runtime detection flowbit 1"; flow:from_server,established; content:"BOF"; depth:3; nocase; pcre:"/^BOF[a-z]\x3A\x5C/smi"; flowbits:set,up_run_1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330; classtype:trojan-activity; sid:7078; rev:2;)
# cybernetic SMTP notification: From "cyber@yahoo.com" and Subject "notification<dotted ip>".
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR cybernetic 1.62 runtime detection - email notification"; flow:to_server,established; content:"from|3A|"; nocase; content:"cyber@yahoo.com"; distance:0; nocase; content:"subject|3A|"; nocase; content:"notification"; distance:0; nocase; pcre:"/^from\x3A[^\r\n]*cyber@yahoo\x2Ecom.*subject\x3A[^\r\n]*notification\d+\x2E\d+\x2E\d+\x2E\d+/smi"; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745; classtype:trojan-activity; sid:7064; rev:2;)
# gwboy step 2: 4-byte binary prefix 02 01 03 05, payload under 50 bytes (dsize:<50), after sid 7101.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR gwboy 0.92 runtime detection - init connection"; flow:to_server,established; flowbits:isset,GWBoy_InitConnection1; dsize:<50; content:"|02 01 03 05|"; depth:4; metadata:policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077181; classtype:trojan-activity; sid:7103; rev:6;)
# up and run step 2: "NEXT" in the first 4 bytes to 10015; requires up_run_1, sets up_run_2.
alert tcp $HOME_NET any -> $EXTERNAL_NET 10015 (msg:"BACKDOOR up and run v1.0 beta runtime detection flowbit 2"; flow:to_server,established; flowbits:isset,up_run_1; content:"NEXT"; depth:4; nocase; flowbits:set,up_run_2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330; classtype:trojan-activity; sid:7079; rev:2;)
# fraggle rock "info Information for ..." reply, gated on a bit set outside this view.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR fraggle rock 2.0 lite runtime detection - pc info"; flow:from_server,established; flowbits:isset,backdoor.fraggle.rock.2.0.lite.pc.info; content:"info"; depth:4; nocase; content:"Information"; distance:0; nocase; pcre:"/^info\s+Information\s+for/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077120; classtype:trojan-activity; sid:7072; rev:3;)
# gwboy step 1: 3-byte prefix 01 0A 02 on any port; flowbit-only so the short match never alerts alone.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR gwboy 0.92 runtime detection"; flow:to_server,established; content:"|01 0A 02|"; depth:3; flowbits:set,GWBoy_InitConnection1; flowbits:noalert; metadata:policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077181; classtype:trojan-activity; sid:7101; rev:4;)
# donalddick login blob (19 bytes, depth exact) to 23476; sets the bit for sid 7114, noalert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23476 (msg:"BACKDOOR donalddick v1.5b3 runtime detection"; flow:to_server,established; content:"1|00|AF&AY|00|pINg_|00|!|28|c|29 23|"; depth:19; nocase; flowbits:set,backdoor.donalddick.1.5.b.3.conn; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1720; classtype:trojan-activity; sid:7113; rev:4;)
# erazer SIN notification "Erazer SIN Server" from 62358; alerts directly.
alert tcp $EXTERNAL_NET 62358 -> $HOME_NET any (msg:"BACKDOOR erazer v1.1 runtime detection - sin notification"; flow:from_server,established; content:"Erazer"; depth:6; nocase; content:"SIN"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/^Erazer\s+SIN\s+Server/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/e/erazer/Erazer1.1.html; classtype:trojan-activity; sid:7084; rev:3;)
# minimo CGI notification: matches only on URI parameters (no path or host), and has no reference.
# "nick=minibeta" is the sole trojan-specific token; the rest are generic names.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR minimo v0.6 runtime detection - cgi notification"; flow:to_server,established; uricontent:"ip="; nocase; uricontent:"port="; nocase; uricontent:"nick=minibeta"; nocase; uricontent:"country="; nocase; uricontent:"visible="; nocase; uricontent:"protected="; nocase; uricontent:"about="; nocase; metadata:policy security-ips drop; classtype:trojan-activity; sid:7076; rev:2;)
# undetected banner from 777: "STLUdt v3.3 - " (14 bytes, depth exact) followed by "-(udt33vic)".
alert tcp $HOME_NET 777 -> $EXTERNAL_NET any (msg:"BACKDOOR undetected runtime detection"; flow:from_server,established; content:"STLUdt v3.3 - "; depth:14; nocase; content:"-|28|udt33vic|29|"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/u/undetected/Undetected3.3.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=17265; classtype:trojan-activity; sid:7108; rev:4;)
# charon initial "SI|Server|<text>|<dotted ip>|" sent by the victim; alerts directly (no flowbit).
# The pcre escapes the pipe delimiter as \| where the other charon rules use \x7C.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR charon runtime detection - initial connection"; flow:to_server,established; content:"SI|7C|Server|7C|"; depth:10; nocase; pcre:"/^SI\|Server\|[^\r\n]*\|\d+\x2E\d+\x2E\d+\x2E\d+\|/smi"; metadata:policy security-ips drop; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7057; rev:2;)
# charon download step 3 (alerting): "SEND|" after charon_download_2 from sid 7059.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR charon runtime detection - download file/log"; flow:from_server,established; flowbits:isset,charon_download_2; content:"SEND|7C|"; depth:5; nocase; metadata:policy security-ips drop; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7060; rev:3;)
# up and run final step (alerting): "EOF" anywhere in the payload from 10015, after up_run_3 (sid 7080).
alert tcp $EXTERNAL_NET 10015 -> $HOME_NET any (msg:"BACKDOOR up and run v1.0 beta runtime detection"; flow:from_server,established; flowbits:isset,up_run_3; content:"EOF"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330; classtype:trojan-activity; sid:7081; rev:2;)
# y3k UDP reply 5882->5881: a single byte "C" at offset 0, acceptable only because it is gated on
# Y3K_InitConnection_1 from sid 7119. flow:to_client without "established" (UDP).
alert udp $HOME_NET 5882 -> $EXTERNAL_NET 5881 (msg:"BACKDOOR y3k 1.2 runtime detection - init connection 1"; flow:to_client; flowbits:isset,Y3K_InitConnection_1; content:"C"; depth:1; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7120; rev:4;)
# up and run step 3: second "NEXT" to 10015 (no depth here, unlike sid 7079); requires up_run_2, sets up_run_3.
alert tcp $HOME_NET any -> $EXTERNAL_NET 10015 (msg:"BACKDOOR up and run v1.0 beta runtime detection flowbit 3"; flow:to_server,established; flowbits:isset,up_run_2; content:"NEXT"; nocase; flowbits:set,up_run_3; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330; classtype:trojan-activity; sid:7080; rev:2;)
# donalddick reply: "OK\0" + the same 19-byte login blob (22 bytes, depth exact), gated on sid 7113.
alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR donalddick v1.5b3 runtime detection"; flow:from_server,established; flowbits:isset,backdoor.donalddick.1.5.b.3.conn; content:"OK|00|1|00|AF&AY|00|pINg_|00|!|28|c|29 23|"; depth:22; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1720; classtype:trojan-activity; sid:7114; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR minimo v0.6 runtime detection - icq notification"; flow:to_server,established; uricontent:"/friendship/email_thank_you"; nocase; uricontent:"failed_url="; nocase; uricontent:"folder_id="; nocase; uricontent:"extra_params_counte="; nocase; uricontent:"nick_name="; nocase; uricontent:"user_email="; nocase; uricontent:"user_uin="; nocase; uricontent:"friend_nickname="; nocase; uricontent:"friend_contact="; nocase; uricontent:"friend_conta"; nocase; content:"User-Agent|3A|"; nocase; content:"http"; distance:0; nocase; content:"protocol"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*http\s+protocol/smi"; metadata:policy security-ips drop; classtype:trojan-activity; sid:7077; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR erazer v1.1 runtime detection"; flow:from_server,established; content:"000, Checking..."; depth:16; nocase; flowbits:set,Erazer_InitConnection; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/e/erazer/Erazer1.1.html; classtype:trojan-activity; sid:7085; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR charon runtime detection - download log flowbit 1"; flow:from_server,established; content:"REQ|7C 24|SYS|24|proc32.dll"; depth:19; nocase; flowbits:set,charon_download_1; flowbits:noalert; metadata:policy security-ips drop; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7061; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR charon runtime detection - download file flowbit 1"; flow:from_server,established; content:"REQ|7C|"; depth:4; nocase; pcre:"/^REQ\|[A-Z]\x3A\x5C/smi"; flowbits:set,charon_download_1; flowbits:noalert; metadata:policy security-ips drop; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7058; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR mosucker3.0 runtime detection - client-to-server"; flow:to_server,established; content:"KEY="; depth:4; nocase; content:"Nickname="; distance:0; nocase; pcre:"/^KEY=[^\s]*\s+Nickname=/smi"; flowbits:set,MoSucker3_0; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1306; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083782; classtype:trojan-activity; sid:7082; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR ghost 2.3 runtime detection"; flow:from_server,established; content:"ver|3A|Ghost version "; depth:18; nocase; content:"server"; distance:0; nocase; pcre:"/^ver\x3aGhost\s+version\s+\d+\x2E\d+\s+server/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/g/ghost/Ghost2.3.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=42053; classtype:trojan-activity; sid:7115; rev:4;)
alert tcp $HOME_NET 5555 -> $EXTERNAL_NET any (msg:"BACKDOOR serveme runtime detection"; flow:from_server,established; content:"ServeMe 1.x"; depth:11; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/serveme/Serveme.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453081036; classtype:trojan-activity; sid:7091; rev:4;)
alert udp $HOME_NET 5888 -> $EXTERNAL_NET 5887 (msg:"BACKDOOR y3k 1.2 runtime detection - init connection 2"; flow:to_client; flowbits:isset,Y3K_InitConnection_2; content:"{}"; depth:2; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7122; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR cybernetic 1.62 runtime detection - reverse connection"; flow:to_server,established; flowbits:isset,backdoor.cybernetic.1.62.rev.conn.2; content:"connect"; depth:7; nocase; flowbits:unset,backdoor.cybernetic.1.62.rev.conn.2; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745; classtype:trojan-activity; sid:7067; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR y3k 1.2 runtime detection - icq notification"; flow:to_server,established; content:"from=Y3K"; nocase; content:"Server"; distance:0; nocase; content:"fromemail=y3k"; distance:0; nocase; content:"subject=Y3K"; distance:0; nocase; content:"online"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7116; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21554 (msg:"BACKDOOR girlfriend runtime detection"; flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,GirlFriend.1.35.connection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/g/girlfriend/GirlFriend1.35_ms.html; reference:url,www.spywareguide.com/product_show.php?id=834; classtype:trojan-activity; sid:7106; rev:2;)
alert tcp $HOME_NET 21554 -> $EXTERNAL_NET any (msg:"BACKDOOR girlfriend runtime detection"; flow:from_server,established; flowbits:isset,GirlFriend.1.35.connection; content:"GirlFriend Server"; depth:17; nocase; pcre:"/^GirlFriend\s+Server\s+\d+\x2E\d+\s+\x2E\s+port\s+\d/smi"; reference:url,www.megasecurity.org/trojans/g/girlfriend/GirlFriend1.35_ms.html; reference:url,www.spywareguide.com/product_show.php?id=834; classtype:trojan-activity; sid:7107; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR mosucker3.0 runtime detection - server-to-client1"; flow:from_server,established; flowbits:isset,MoSucker3_0; content:"KEY="; depth:4; nocase; content:"PASSW="; distance:0; nocase; pcre:"/^KEY=[^\s]*\s+PASSW=/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1306; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083782; classtype:trojan-activity; sid:7083; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR bandook 1.0 runtime detection"; flow:to_server,established; content:"&first& "; depth:8; nocase; metadata:policy security-ips drop; reference:url,www.nuclearwinter.us/; classtype:trojan-activity; sid:7075; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1480 (msg:"BACKDOOR remote hack 1.5 runtime detection - start keylogger"; flow:to_server,established; content:"kstart|7C|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1523; classtype:trojan-activity; sid:7099; rev:4;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password server-to-client"; flow:from_server,established; flowbits:isset,sinique_initial_wrg_client-to-server; content:"|B8 9B 93 9D 9A B2 95 9D 98 91 90|"; depth:11; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/sinique/Sinique1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730; classtype:trojan-activity; sid:7090; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR lan filtrator 1.1 runtime detection - initial connection request"; flow:to_client, established; flowbits:isset,LanFiltrator_InitConnectionRequest; content:"id_id"; depth:5; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=887; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074827; classtype:trojan-activity; sid:7661; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR small uploader 1.01 runtime detection - get server information - flowbit set"; flow:to_server,established; content:"SrvInfo"; nocase; flowbits:set,smalluploader_srvinfo; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fearless/Smalluploader1.01.html; classtype:trojan-activity; sid:7652; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR skyrat show runtime detection - initial connection - flowbit 3"; flow:from_server,established; flowbits:isset,skyrat.2; content:"*PORT2*"; depth:7; pcre:"/^\x2APORT2\x2A\d+/"; flowbits:set,skyrat.3; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7627; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"BACKDOOR forced control uploader runtime detection directory listing"; flow:to_server,established; flowbits:isset,Forced_Control_Uploader_Dir4; content:"EOF"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/forcedcontrol/Forcedcontrol_uploader1.0.html; classtype:trojan-activity; sid:7790; rev:2;)
alert tcp $HOME_NET 7410 -> $EXTERNAL_NET any (msg:"BACKDOOR phoenix 2.1 runtime detection"; flow:from_server,established; flowbits:isset,Phoenix_InitConnection; content:"The Phoenix is ready"; depth:20; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=977; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079790; classtype:trojan-activity; sid:7745; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5024 (msg:"BACKDOOR illusion runtime detection - file browser client-to-server"; flow:to_server,established; content:"[LOAD DRIVE DATA]"; flowbits:set,Illusion_File; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268; classtype:trojan-activity; sid:7687; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR buschtrommel 1.22 runtime detection - initial connection - flowbit set 1"; flow:from_server,established; content:"*PASS*"; depth:6; flowbits:set,BuschTrommel_InitConnection1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7750; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR hornet 1.0 runtime detection - irc connection"; flow:from_server,established; flowbits:isset,hornet.3; content:"006cb"; depth:5; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1667; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7634; rev:2;)
alert tcp $HOME_NET 7080 -> $EXTERNAL_NET any (msg:"BACKDOOR messiah 4.0 runtime detection - get drives"; flow:from_server,established; flowbits:isset,Messiah_GetDrives; content:"GET///Drives"; depth:12; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400; classtype:trojan-activity; sid:7777; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR snake trojan runtime detection"; flow:from_server,established; content:"The"; depth:3; nocase; content:"Snake"; distance:0; nocase; content:"Trojan"; distance:0; nocase; pcre:"/^The\s+Snake\s+Trojan/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=643; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078423; classtype:trojan-activity; sid:7717; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR nova 1.0 runtime detection - initial connection with pwd set - flowbit set"; flow:from_server,established; content:"Passed"; depth:6; nocase; flowbits:set,nova_conn_1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7740; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5024 (msg:"BACKDOOR illusion runtime detection - get remote info client-to-server"; flow:to_server,established; content:"104"; depth:3; flowbits:set,Illusion_Info; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268; classtype:trojan-activity; sid:7685; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3100 (msg:"BACKDOOR brain wiper runtime detection - chat - flowbit set"; flow:to_server,established; content:"ChatCHA"; depth:7; flowbits:set,BrAin_Wiper_Chat; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=903; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367; classtype:trojan-activity; sid:7700; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR dameware mini remote control runtime detection - initial connection - flowbit set"; flow:from_server,established; content:"0|11 00 00|"; depth:4; content:"333333|13|@"; offset:8; flowbits:set,DameWareMiniRemoteControl_InitConnection; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=925; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060041; classtype:trojan-activity; sid:7718; rev:2;)
alert tcp $HOME_NET 8811 -> $EXTERNAL_NET any (msg:"BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection - flowbit set"; flow:from_server,established; content:"connected"; nocase; flowbits:set,Fear15_conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fear/Fear1.5a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:7708; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR remote anything 5.11.22 runtime detection - victim response"; content:"RA Broadcast|00|"; depth:13; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1567; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076440; classtype:trojan-activity; sid:7791; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"BACKDOOR forced control uploader runtime detection - connection with password - flowbit set"; flow:to_server,established; content:"PWD"; depth:3; flowbits:set,Forced_Control_Uploader_Password; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/forcedcontrol/Forcedcontrol_uploader1.0.html; classtype:trojan-activity; sid:7784; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR small uploader 1.01 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,smalluploader_conn; content:"Pass-On"; depth:7; nocase; pcre:"/^Pass-On\d+/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fearless/Smalluploader1.01.html; classtype:trojan-activity; sid:7651; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1784 (msg:"BACKDOOR snid x2 v1.2 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"VER "; depth:4; flowbits:set,Snid_X2_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7662; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR skyrat show runtime detection - initial connection - flowbit 4"; flow:from_server,established; flowbits:isset,skyrat.3; content:"*PORT3*"; depth:7; pcre:"/^\x2APORT3\x2A\d+/"; flowbits:set,skyrat.4; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7628; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR katux 2.0 runtime detection - screen capture - flowbit set"; flow:to_server,established; content:"10040"; depth:5; flowbits:set,katux20.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7604; rev:2;)
alert tcp $EXTERNAL_NET 5024 -> $HOME_NET any (msg:"BACKDOOR illusion runtime detection - file browser server-to-client"; flow:from_server,established; flowbits:isset,Illusion_File; content:"[DRIVE"; nocase; content:"LIST]"; nocase; pcre:"/\x5BDRIVE\s+LIST\x5D/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268; classtype:trojan-activity; sid:7688; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR buschtrommel 1.22 runtime detection - spy function - flowbit set 1"; flow:to_server,established; content:"GETIT"; depth:5; flowbits:set,BuschTrommel_SpyFunction1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7753; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR katux 2.0 runtime detection - screen capture"; flow:from_server,established; flowbits:isset,katux20.2; content:"000Ecran captur|E9|, transfert lanc|E9|..."; depth:36; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077310; classtype:trojan-activity; sid:7605; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6767 (msg:"BACKDOOR nt remote controller 2000 runtime detection - sysinfo client-to-server"; flow:to_server,established; content:"|3B|SystemInfo"; nocase; flowbits:set,NT_Remote_Controller_2000_Sysinfo1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7764; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR theef 2.0 runtime detection - connection request with password"; flow:from_server,established; flowbits:isset,theef20.2; content:"|FA CB D9 D9|"; depth:4; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083786; classtype:trojan-activity; sid:7619; rev:3;)
alert tcp $EXTERNAL_NET 5024 -> $HOME_NET any (msg:"BACKDOOR illusion runtime detection - get remote info server-to-client"; flow:from_server,established; flowbits:isset,Illusion_Info; content:"023"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268; classtype:trojan-activity; sid:7686; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR dameware mini remote control runtime detection - initial connection"; flow:to_server,established; flowbits:isset,DameWareMiniRemoteControl_InitConnection; content:"0|11 00 00 00 00 00 00|333333|13|@|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:30; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=925; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060041; classtype:trojan-activity; sid:7719; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR bionet 4.05 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,BioNet4_05_BE; content:"!|00 00 00|&|01 01 00 01|KA"; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/b/bionet/Bionet4.00.05be.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072406; classtype:trojan-activity; sid:7735; rev:3;)
alert tcp $HOME_NET 7424 -> $EXTERNAL_NET any (msg:"BACKDOOR remote control 1.7 runtime detection - connection request"; flow:from_server,established; flowbits:isset,remote.control.3; content:"|03 00|"; depth:2; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080063; classtype:trojan-activity; sid:7623; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8811 (msg:"BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection - flowbit set"; flow:to_server,established; flowbits:isset,Fear15_conn.1; content:"listdrives"; nocase; flowbits:set,Fear15_conn.2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fear/Fear1.5a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:7709; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR prorat 1.9 cgi notification detection"; flow:to_server,established; uricontent:"/cgi-bin/prorat.cgi"; nocase; uricontent:"bilgisayaradi="; nocase; uricontent:"ipadresi="; nocase; uricontent:"serverportu="; nocase; uricontent:"kurban="; nocase; uricontent:"servermodeli="; nocase; uricontent:"serversaati="; nocase; uricontent:"servertarihi="; nocase; uricontent:"serversifre="; nocase; uricontent:"islem="; nocase; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.prorat.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082779; classtype:trojan-activity; sid:7722; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1001 (msg:"BACKDOOR remote havoc runtime detection - flowbit set 2"; flow:to_server,established; flowbits:isset,RemoteHAVOC_conn.1; content:"REFR"; depth:4; flowbits:set,RemoteHAVOC_conn.2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/r/remotehavoc/Remotehavoc3.0.1.html; reference:url,www.spywareguide.com/product_show.php?id=863; classtype:trojan-activity; sid:7674; rev:2;)
alert tcp $HOME_NET 3100 -> $EXTERNAL_NET any (msg:"BACKDOOR brain wiper runtime detection - launch application"; flow:to_client,established; flowbits:isset,BrAin_Wiper_LaunchApplication; content:"Program Launched"; depth:16; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=903; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367; classtype:trojan-activity; sid:7699; rev:2;)
alert tcp $HOME_NET 8811 -> $EXTERNAL_NET any (msg:"BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,Fear15_conn.2; content:"Drive"; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fear/Fear1.5a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:7710; rev:2;)
alert tcp $HOME_NET 3100 -> $EXTERNAL_NET any (msg:"BACKDOOR brain wiper runtime detection - chat"; flow:to_client,established; flowbits:isset,BrAin_Wiper_Chat; content:"Chat dialog opened"; depth:18; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=903; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367; classtype:trojan-activity; sid:7701; rev:2;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"BACKDOOR forced control uploader runtime detection directory listing - flowbit set 2"; flow:from_server,established; flowbits:isset,Forced_Control_Uploader_Dir1; content:"ULL["; flowbits:set,Forced_Control_Uploader_Dir2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/forcedcontrol/Forcedcontrol_uploader1.0.html; classtype:trojan-activity; sid:7787; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR hornet 1.0 runtime detection - fetch system info"; flow:from_server,established; flowbits:isset,hornet.2; content:"007Server"; depth:9; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1667; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7632; rev:2;)
alert tcp $HOME_NET 7424 -> $EXTERNAL_NET any (msg:"BACKDOOR remote control 1.7 runtime detection - connection request - flowbit 2"; flow:from_server,established; flowbits:isset,remote.control.1; content:"|10 00|"; depth:2; flowbits:set,remote.control.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7621; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"BACKDOOR bobo 1.0 runtime detection - initial connection"; flow:to_server,established; flowbits:isset,BoBo_InitConnection; content:"zdorovo"; depth:7; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1531; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076842; classtype:trojan-activity; sid:7747; rev:2;)
alert tcp $EXTERNAL_NET 877 -> $HOME_NET 876 (msg:"BACKDOOR messiah 4.0 runtime detection - screen capture - flowbit set"; flow:established; content:"getscreen|7C|"; depth:10; flowbits:set,Messiah_ScreenCaptureA; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7774; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR analftp 0.1 runtime detection - icq notification"; flow:to_server,established; uricontent:"/wwp/msg/1,,,00.html"; uricontent:"uin="; nocase; uricontent:"name="; nocase; uricontent:"Anal+FTP"; uricontent:"send=yes"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59411; classtype:trojan-activity; sid:7762; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR skyrat show runtime detection - initial connection - flowbit 1"; flow:to_server,established; content:"*SPORT*"; depth:7; flowbits:set,skyrat.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7625; rev:2;)
alert tcp $HOME_NET 7777 -> $EXTERNAL_NET any (msg:"BACKDOOR jodeitor 1.1 runtime detection - initial connection"; flow:from_server,established; content:"++Conectado a"; depth:13; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=675; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077303; classtype:trojan-activity; sid:7658; rev:2;)
alert tcp $HOME_NET 1001 -> $EXTERNAL_NET any (msg:"BACKDOOR remote havoc runtime detection"; flow:from_server,established; flowbits:isset,RemoteHAVOC_conn.2; content:"LIST"; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/r/remotehavoc/Remotehavoc3.0.1.html; reference:url,www.spywareguide.com/product_show.php?id=863; classtype:trojan-activity; sid:7675; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR lan filtrator 1.1 runtime detection - sin notification"; flow:to_server,established; content:"pci"; depth:3; content:"|08 08 08 08 08 08 08 08|"; distance:0; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=887; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074827; classtype:trojan-activity; sid:7659; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR buschtrommel 1.22 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,BuschTrommel_InitConnection2; content:"*VER1.22|28|REI|29|"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=20757; classtype:trojan-activity; sid:7752; rev:2;)
alert tcp $HOME_NET 876 -> $EXTERNAL_NET 877 (msg:"BACKDOOR messiah 4.0 runtime detection - screen capture"; flow:to_server,established; flowbits:isset,Messiah_ScreenCaptureA; content:"Downloadscreen|7C|"; depth:15; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400; classtype:trojan-activity; sid:7775; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1111 (msg:"BACKDOOR roach 1.0 runtime detection - remote control actions - flowbit set"; flow:to_server,established; content:"|A2 D0 D4 D6 DF C1 E1 D5 D6 DC BB DC CE D7|"; depth:14; flowbits:set,Roach_RemoteControlActions; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7702; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR hornet 1.0 runtime detection - irc connection - flowbit set"; flow:to_server,established; content:"006cb"; depth:5; flowbits:set,hornet.3; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7633; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR cool remote control or crackdown runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"|7C|ENUMDRVS|7C|"; depth:10; nocase; flowbits:set,CoolRemoteControl_conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www.spywareguide.com/product_show.php?id=1495; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7676; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 11977 (msg:"BACKDOOR cool remote control 1.12 runtime detection - download file - flowbit set"; flow:to_server,established; content:"|7C|GETFILE|7C|"; nocase; flowbits:set,CoolRemoteControl_Download.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7680; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7424 (msg:"BACKDOOR remote control 1.7 runtime detection - connection request flowbit 1"; flow:to_server,established; content:"|0C 00 18 00 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08|"; depth:28; flowbits:set,remote.control.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7620; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5005 (msg:"BACKDOOR outbreak_0.2.7 runtime detection - reverse connection"; flow:to_server,established; content:"Sin"; nocase; pcre:"/^Sin[^\r\n]*\/[^\r\n]*\x0D\x0A\d+\x0D\x0A/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html; classtype:trojan-activity; sid:7730; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"BACKDOOR forced control uploader runtime detection directory listing - flowbit set 3"; flow:to_server,established; flowbits:isset,Forced_Control_Uploader_Dir2; content:"KRP0"; flowbits:set,Forced_Control_Uploader_Dir3; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/forcedcontrol/Forcedcontrol_uploader1.0.html; classtype:trojan-activity; sid:7788; rev:2;)
# sid 7721: direct alert on the server banner; the 14-byte token must sit at the start of the payload (depth:14).
alert tcp $HOME_NET 5110 -> $EXTERNAL_NET any (msg:"BACKDOOR prorat 1.9 initial connection detection"; flow:from_server,established; content:"Sifre_Korumasi"; depth:14; nocase; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.prorat.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082779; classtype:trojan-activity; sid:7721; rev:2;)
# sid 7765: alerting half; requires NT_Remote_Controller_2000_Sysinfo1, whose setter is not in this view.
alert tcp $HOME_NET 6767 -> $EXTERNAL_NET any (msg:"BACKDOOR nt remote controller 2000 runtime detection - sysinfo server-to-client"; flow:from_server,established; flowbits:isset,NT_Remote_Controller_2000_Sysinfo1; content:"SystemInfo|3B|"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7765; rev:2;)
# sid 7742: noalert half; sets nova_cgi_cts, consumed by sid 7743. It keys only on six generic query-parameter
# names in the URI, so on its own it is a loose pre-filter; the specificity comes from the "# Nova CGI
# Notification Script" reply checked by sid 7743.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR nova 1.0 runtime detection - cgi notification client-to-server"; flow:to_server,established; uricontent:"ip="; nocase; uricontent:"port="; nocase; uricontent:"nick="; nocase; uricontent:"os="; nocase; uricontent:"compname="; nocase; uricontent:"protected="; nocase; flowbits:set,nova_cgi_cts; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7742; rev:2;)
# sid 7683: alerting half; requires acid_head_conn_step1 (set by sid 7682 on "TROJAN"). The payload check is only
# "1.6" in the first three bytes, so the flowbit carries the specificity.
alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any (msg:"BACKDOOR acid head 1.00 runtime detection"; flow:from_server,established; flowbits:isset,acid_head_conn_step1; content:"1.6"; depth:3; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=71371; classtype:trojan-activity; sid:7683; rev:2;)
# sid 7638: "xV4|12|" is the byte sequence 78 56 34 12, i.e. the 32-bit value 0x12345678 in little-endian order,
# followed by 20 more fixed bytes (depth:24). Header is EXTERNAL -> HOME but flow is from_server, so the external
# peer is treated as the TCP server — presumably a reverse-connect backdoor; confirm against the reference.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR ncph runtime detection - initial connection"; flow:from_server,established; content:"xV4|12 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:24; nocase; metadata:policy security-ips drop; reference:url,www.mmbest.com/Software/Catalog3/1477.html; classtype:trojan-activity; sid:7638; rev:2;)
# sid 7616: direct alert on a 7-byte binary token at payload start (depth:7); no nocase, binary pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR theef 2.0 runtime detection - connection without password"; flow:from_server,established; content:"|FA CB D9 D9 E5 E1 D6|"; depth:7; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083786; classtype:trojan-activity; sid:7616; rev:2;)
# sid 7786: step 1 of the Forced_Control_Uploader_Dir chain (noalert). "DIR" with no depth/offset on any port >= 1024
# is a very broad match; it only costs flowbit state, since the alert is gated behind Dir2/Dir3/Dir4.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"BACKDOOR forced control uploader runtime detection directory listing - flowbit set 1"; flow:to_server,established; content:"DIR"; flowbits:set,Forced_Control_Uploader_Dir1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/forcedcontrol/Forcedcontrol_uploader1.0.html; classtype:trojan-activity; sid:7786; rev:2;)
# sid 7723: three ordered content matches (distance:0) pre-filter, then the pcre pins the exact banner shape
# "Wollf Remote Manager" v<major>.<minor> CRLF.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR wollf runtime detection"; flow:from_server,established; content:"Wollf"; nocase; content:"Remote"; distance:0; nocase; content:"Manager"; distance:0; nocase; pcre:"/^\x22Wollf\s+Remote\s+Manager\x22\s+v\d+\x2E\d+\x0d\x0a/smi"; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.wollf.16.html; reference:url,www.megasecurity.org/trojans/w/wollf/Wollf1.5.html; classtype:trojan-activity; sid:7723; rev:2;)
# sid 7664: noalert half; sets ScreenControl_conn, consumed by sid 7665 and sid 7667. The two content checks look at
# byte 0 ("/") and byte 2 ("R", offset:2 depth:1); the pcre ^\x2F[GL]R fixes the byte in between.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2208 (msg:"BACKDOOR screen control 1.0 runtime detection - flowbit set"; flow:to_server,established; content:"/"; depth:1; content:"R"; depth:1; offset:2; nocase; pcre:"/^\x2F[GL]R/smi"; flowbits:set,ScreenControl_conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7664; rev:4;)
# sid 7744: noalert half; sets Phoenix_InitConnection. Its consumer is not in this view.
alert tcp $HOME_NET 7410 -> $EXTERNAL_NET any (msg:"BACKDOOR phoenix 2.1 runtime detection - flowbit set"; flow:from_server,established; content:"MSG00020"; depth:8; flowbits:set,Phoenix_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7744; rev:2;)
# sid 7738: direct alert on "accept:" at payload start (depth:7) from port 4444.
alert tcp $HOME_NET 4444 -> $EXTERNAL_NET any (msg:"BACKDOOR alexmessomalex runtime detection - initial connection"; flow:from_server,established; content:"accept|3A|"; depth:7; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/a/alexmessomalex/Alexmessomalex_b2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45547; classtype:trojan-activity; sid:7738; rev:2;)
# sid 7733: direct alert; the pcre bounds every variable field (\w{1,10}, [^\r\n]{1,20}). The companion
# "ring" rule sid 7731 for this family is commented out further down.
alert tcp $EXTERNAL_NET 5005 -> $HOME_NET any (msg:"BACKDOOR outbreak_0.2.7 runtime detection - initial connection"; flow:from_server,established; content:"CON"; nocase; pcre:"/^CON\w{1,10}\d+\xAE[^\r\n]{1,20}\x3B/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html; classtype:trojan-activity; sid:7733; rev:2;)
# sid 7696: step 2 of the hanky chain: requires hanky_conn1 (set by sid 7695) and sets hanky_conn2 for sid 7697.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 2"; flow:to_server,established; flowbits:isset,hanky_conn1; content:"spas1|3A|"; depth:6; nocase; flowbits:set,hanky_conn2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077209; classtype:trojan-activity; sid:7696; rev:2;)
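# sid 7650: noalert half; sets smalluploader_conn on "Pass-On" at payload start (depth:7). Its consumer is not
# in this view.
# Fix: the reference host was written "www.www.megasecurity.org" (doubled "www."); corrected to
# "www.megasecurity.org", the host used by every other megasecurity.org reference in this file. rev bumped
# 2 -> 3 because the rule text changed.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR small uploader 1.01 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"Pass-On"; depth:7; nocase; flowbits:set,smalluploader_conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fearless/Smalluploader1.01.html; classtype:trojan-activity; sid:7650; rev:3;)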
# sid 7639: direct alert on the notification URI plus a Host header naming www.kornputers.com. Note that
# "www.kornputers.com" is bound to "Host:" only by distance:0 (anywhere after it), whereas the sibling sid 7704
# additionally uses a pcre ^Host\x3A[^\r\n]*www\x2Ekornputers\x2Ecom to keep both on the same header line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR air runtime detection - php notification"; flow:to_server,established; uricontent:"/roach/notify/getip.php"; nocase; content:"Host|3A|"; nocase; content:"www.kornputers.com"; distance:0; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076794; classtype:trojan-activity; sid:7639; rev:2;)
# sid 7644: direct alert; the pcre requires <digits>L'esclave<TAB><digits><TAB><digits> at a line start.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1981 (msg:"BACKDOOR ullysse runtime detection - client-to-server"; flow:to_server,established; content:"L'esclave"; nocase; pcre:"/^\d+L\x27esclave\x09\d+\x09\d+/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/u/ullysse/Ullysse.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075739; classtype:trojan-activity; sid:7644; rev:2;)
# sid 7622: step 3 of the remote.control chain (noalert); requires remote.control.2, whose setter is not in this view.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7424 (msg:"BACKDOOR remote control 1.7 runtime detection - connection request - flowbit 3"; flow:to_server,established; flowbits:isset,remote.control.2; content:"|1D 00 03 00|"; depth:4; flowbits:set,remote.control.3; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7622; rev:3;)
# sid 7793: UDP, so no flow option. Same 9-byte payload check as sid 7792; the two differ only in direction
# (this one is outbound from $HOME_NET).
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR remote anything 5.11.22 runtime detection - chat with attacker"; content:"RA Chat|00 00|"; depth:9; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1567; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076440; classtype:trojan-activity; sid:7793; rev:2;)
# sid 7645: noalert half on fixed ports 666 -> 667; sets snipernet. Its consumer is not in this view.
alert tcp $EXTERNAL_NET 666 -> $HOME_NET 667 (msg:"BACKDOOR snipernet 2.1 runtime detection - flowbit set"; flow:to_server,established; content:"cmdping"; depth:7; nocase; flowbits:set,snipernet; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/snipernet/Snipernet2.1.html; classtype:trojan-activity; sid:7645; rev:2;)
# sid 7789: step 4 of the Forced_Control_Uploader_Dir chain (noalert); requires Dir3 (sid 7788) and sets Dir4.
# The rule that finally alerts on Dir4 is not in this view.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"BACKDOOR forced control uploader runtime detection directory listing - flowbit set 4"; flow:from_server,established; flowbits:isset,Forced_Control_Uploader_Dir3; content:"KSPDIR"; flowbits:set,Forced_Control_Uploader_Dir4; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/forcedcontrol/Forcedcontrol_uploader1.0.html; classtype:trojan-activity; sid:7789; rev:2;)
# sid 7763: direct alert; the pcre restricts the command to the three literal service-list variants.
alert tcp $EXTERNAL_NET any -> $HOME_NET 6767 (msg:"BACKDOOR nt remote controller 2000 runtime detection - services client-to-server"; flow:to_server,established; content:"|3B|ServicesStatus"; nocase; pcre:"/^\x3BServicesStatus\x3B(All|Active|Inactive)Services/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7763; rev:2;)
# sid 7626: step 2 of the skyrat chain (noalert); requires skyrat.1 (setter not in this view) and sets skyrat.2.
# This pcre has no /i or /m flags, unlike most rules here, so the match is case-sensitive and anchored at offset 0.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR skyrat show runtime detection - initial connection - flowbit 2"; flow:from_server,established; flowbits:isset,skyrat.1; content:"*PORT1*"; depth:7; pcre:"/^\x2APORT1\x2A\d+/"; flowbits:set,skyrat.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7626; rev:3;)
# sid 7783: alerting half; requires NetDevil_FileManager (set by sid 7782 on "get_drives") and matches the
# "get_drives_done" reply. No depth, so the token may appear anywhere in the payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR netdevil runtime detection - file manager"; flow:from_server,established; flowbits:isset,NetDevil_FileManager; content:"get_drives_done"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087652; classtype:trojan-activity; sid:7783; rev:3;)
# sid 7755: alerting half of the BuschTrommel chain; requires SpyFunction2 (set by sid 7754).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR buschtrommel 1.22 runtime detection - spy function"; flow:from_server,established; flowbits:isset,BuschTrommel_SpyFunction2; content:"{FTPL}"; depth:6; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=20757; classtype:trojan-activity; sid:7755; rev:2;)
# sid 7720: direct alert on the "DTS-300" CRLF banner at payload start (depth:9) from port 7250.
alert tcp $HOME_NET 7250 -> $EXTERNAL_NET any (msg:"BACKDOOR desktop scout runtime detection"; flow:from_server,established; content:"DTS-300|0D 0A|"; depth:9; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=927; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074737; classtype:trojan-activity; sid:7720; rev:2;)
# sid 7663: alerting half; requires Snid_X2_InitConnection, whose setter is not in this view.
alert tcp $HOME_NET 1784 -> $EXTERNAL_NET any (msg:"BACKDOOR snid x2 v1.2 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,Snid_X2_InitConnection; content:"Snid X2 Server"; depth:14; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1525; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5567; classtype:trojan-activity; sid:7663; rev:2;)
# sid 7703: alerting half; requires Roach_RemoteControlActions (setter not in this view) and a 14-byte binary
# token at payload start.
alert tcp $HOME_NET 1111 -> $EXTERNAL_NET any (msg:"BACKDOOR roach 1.0 runtime detection - remote control actions"; flow:from_server,established; flowbits:isset,Roach_RemoteControlActions; content:"|A2 D0 D4 D6 DF C1 E1 D5 D6 DC BB DC CE D7|"; depth:14; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=950; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075964; classtype:trojan-activity; sid:7703; rev:2;)
# sid 7768: noalert half; sets Data_Rape_Execute_Program for sid 7769. "063" in the first three bytes on any port
# >= 1024 is a broad pre-filter; the "000File is executed..." reply in sid 7769 supplies the specificity.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR data rape runtime detection - execute program client-to-server"; flow:to_server,established; content:"063"; depth:3; nocase; flowbits:set,Data_Rape_Execute_Program; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/d/datarape/Datarape1.0f.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076909; classtype:trojan-activity; sid:7768; rev:2;)
# sid 7743: alerting half of the nova CGI pair; requires nova_cgi_cts (set by sid 7742).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR nova 1.0 runtime detection - cgi notification server-to-client"; flow:from_server,established; flowbits:isset,nova_cgi_cts; content:"|23| Nova CGI Notification Script"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7743; rev:2;)
# sid 7684: five ordered content matches pre-filter, then the pcre pins the whole "hRat are ready -> Server
# version" banner at a line start.
alert tcp $HOME_NET 567 -> $EXTERNAL_NET any (msg:"BACKDOOR hrat 1.0 runtime detection"; flow:from_server,established; content:"hRat"; depth:4; nocase; content:"are"; distance:0; nocase; content:"ready"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"version"; distance:0; nocase; pcre:"/^hRat\s+are\s+ready\s+-\>\s+Server\s+version/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073815; classtype:trojan-activity; sid:7684; rev:2;)
# sid 7690 (disabled): this is the setter for Evade_File_Manager1. Any enabled rule elsewhere in the file that
# does flowbits:isset on that name can never fire while this line stays commented out — check before relying
# on it. (Why it was disabled is not recorded here.)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"BACKDOOR evade runtime detection - file manager - flowbit set"; flow:to_server,established; content:"DRIVECHANGE +"; flowbits:set,Evade_File_Manager1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/e/evade/Evade1.1b.html; classtype:trojan-activity; sid:7690; rev:3;)
# sid 7608: noalert half; sets katux20.4 on "07415" at payload start, consumed by sid 7609.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR katux 2.0 runtime detection - chat - flowbit set"; flow:to_server,established; content:"07415"; depth:5; flowbits:set,katux20.4; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7608; rev:2;)
# sid 7671: direct alert on a <chat>...</chat> element confined to one line ([^\r\n]*).
alert tcp $HOME_NET 19850 -> $EXTERNAL_NET any (msg:"BACKDOOR digital upload runtime detection - chat"; flow:from_server,established; content:"<chat>"; nocase; content:"</chat>"; nocase; pcre:"/\x3Cchat\x3E[^\r\n]*\x3C\x2Fchat\x3E/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068131; classtype:trojan-activity; sid:7671; rev:2;)
# sid 7704: direct alert on the roach mail notification. Unlike sid 7639, the pcre keeps "Host:" and
# www.kornputers.com on the same header line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR roach 1.0 server installation notification - email"; flow:to_server,established; uricontent:"/roach/mail.php"; nocase; uricontent:"port="; nocase; uricontent:"name="; nocase; uricontent:"pw="; nocase; uricontent:"lanby="; nocase; uricontent:"to="; nocase; content:"Host|3A|"; nocase; content:"www.kornputers.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*www\x2Ekornputers\x2Ecom/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=950; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075964; classtype:trojan-activity; sid:7704; rev:2;)
# sid 7665: alerting half; requires ScreenControl_conn (set by sid 7664). "/LO" has no depth, so it is searched
# over the whole payload.
alert tcp $HOME_NET 2208 -> $EXTERNAL_NET any (msg:"BACKDOOR screen control 1.0 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,ScreenControl_conn; content:"/LO"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7665; rev:3;)
# sid 7695: step 1 of the hanky chain (noalert); sets hanky_conn1 for sid 7696.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 1"; flow:from_server,established; content:"spass|3A|"; depth:6; nocase; flowbits:set,hanky_conn1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077209; classtype:trojan-activity; sid:7695; rev:2;)
# sid 7769: alerting half; requires Data_Rape_Execute_Program (set by sid 7768).
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR data rape runtime detection - execute program server-to-client"; flow:from_server,established; flowbits:isset,Data_Rape_Execute_Program; content:"000File"; depth:7; nocase; content:"is"; distance:0; nocase; content:"executed..."; distance:0; nocase; pcre:"/000File\s+is\s+executed\x2E\x2E\x2E/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/d/datarape/Datarape1.0f.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076909; classtype:trojan-activity; sid:7769; rev:2;)
# sid 7677: alerting half; requires CoolRemoteControl_conn (set by sid 7676) and the |DRVS| reply at payload start.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR cool remote control or crackdown runtime detection - initial connection"; flow:from_server,established; flowbits:isset,CoolRemoteControl_conn; content:"|7C|DRVS|7C|"; depth:6; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www.spywareguide.com/product_show.php?id=1495; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7677; rev:3;)
# sid 7635: noalert half; sets hornet.4 on "008g", consumed by sid 7636.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set"; flow:to_server,established; content:"008g"; depth:4; flowbits:set,hornet.4; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7635; rev:2;)
# sid 7689: direct alert; the pcre requires IDENTIFY # <dotted-quad> # with no flags, so it is case-sensitive
# and anchored at offset 0 (consistent with the content check, which has no nocase either).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR evade runtime detection - initial connection"; flow:to_server,established; content:"IDENTIFY"; depth:8; pcre:"/^IDENTIFY\s+\x23\s+\d+\x2E\d+\x2E\d+\x2E\d+\s+\x23\s+/"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/e/evade/Evade1.1b.html; classtype:trojan-activity; sid:7689; rev:2;)
# sid 7670: direct alert on a <password>...</password> element, the opening tag at payload start (depth:10).
alert tcp $EXTERNAL_NET any -> $HOME_NET 19850 (msg:"BACKDOOR digital upload runtime detection - initial connection"; flow:to_server,established; content:"<password>"; depth:10; nocase; content:"</password>"; distance:0; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068131; classtype:trojan-activity; sid:7670; rev:2;)
# sid 7726 (disabled): setter for ReVerSaBle_ExecuteCommand; any enabled consumer of that bit elsewhere is dead
# while this stays commented out.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR reversable ver1.0 runtime detection - execute command - flowbit set"; flow:to_client,established; content:"EXECUT"; depth:6; flowbits:set,ReVerSaBle_ExecuteCommand; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7726; rev:3;)
# sid 7640: direct alert on the air webmail notification URI plus four query-parameter names.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR air runtime detection - webmail notification"; flow:to_server,established; uricontent:"/air/notify/mail.php?"; nocase; uricontent:"controlport="; nocase; uricontent:"webserverport="; nocase; uricontent:"to="; nocase; uricontent:"ip="; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076794; classtype:trojan-activity; sid:7640; rev:2;)
# sid 7698: noalert half; sets BrAin_Wiper_LaunchApplication on "APP" (no depth, case-sensitive) to port 3100.
# Its consumer is not in this view.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3100 (msg:"BACKDOOR brain wiper runtime detection - launch application - flowbit set"; flow:to_server,established; content:"APP"; flowbits:set,BrAin_Wiper_LaunchApplication; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=903; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367; classtype:trojan-activity; sid:7698; rev:2;)
# sid 7657: alerting half; requires DiemsMutter (set by sid 7656 on the same "v;" token in the other direction)
# and a v;<major>.<minor>; version reply.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR diems mutter runtime detection - server-to-client"; flow:from_server,established; flowbits:isset,DiemsMutter; content:"v|3B|"; depth:2; nocase; pcre:"/^v\x3B\d+\x2E\d+\x3B/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/d/diemsmutter/Diemsmutter1.4.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=16111; classtype:trojan-activity; sid:7657; rev:2;)
# sid 7643: direct alert; the six NUL bytes after "answer" are repeated in the pcre as \x00{6}.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR netcontrol takeover runtime detection"; flow:from_server,established; content:"answer"; depth:6; nocase; content:"|00 00 00 00 00 00|NetControl.Server"; distance:0; nocase; content:"|22|The"; distance:0; nocase; content:"UNSEEN|22|"; distance:0; nocase; content:"Project"; distance:0; nocase; pcre:"/^answer\x00{6}NetControl\x2EServer\s+\d+\x2E\d+\s+\x22The\s+UNSEEN\x22\s+Project/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077485; classtype:trojan-activity; sid:7643; rev:2;)
# sid 7728: noalert half; sets Radmin on a 10-byte handshake at payload start, consumed by sid 7729.
# NOTE(review): Radmin is also sold as a commercial remote-administration product; with metadata:policy
# security-ips drop the alerting half will block sanctioned use too — confirm that fits the environment.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR radmin runtime detection - client-to-server"; flow:to_server,established; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; flowbits:set,Radmin; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:7728; rev:2;)
# sid 7630: direct alert; "100" + 0x8D at payload start, then the "3.1" version token after it (distance:0).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR helios 3.1 runtime detection - initial connection"; flow:from_server,established; content:"100|8D|"; depth:4; content:"|8D|3.1|8D|1|8F|"; distance:0; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074473; classtype:trojan-activity; sid:7630; rev:2;)
# sid 7748: noalert half; sets BoBo_SendMessages for sid 7749.
alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"BACKDOOR bobo 1.0 runtime detection - send message - flowbit set"; flow:to_server,established; content:"Send Message"; depth:12; flowbits:set,BoBo_SendMessages; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7748; rev:2;)
# sid 7782: noalert half; sets NetDevil_FileManager on "get_drives" (no depth), consumed by sid 7783.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR netdevil runtime detection - file manager - flowbit set"; flow:to_server,established; content:"get_drives"; nocase; flowbits:set,NetDevil_FileManager; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087652; classtype:trojan-activity; sid:7782; rev:3;)
# sid 7754: step 2 of the BuschTrommel chain (noalert); requires SpyFunction1 (setter not in this view) and sets
# SpyFunction2 for sid 7755.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR buschtrommel 1.22 runtime detection - spy function - flowbit set 2"; flow:from_server,established; flowbits:isset,BuschTrommel_SpyFunction1; content:"{PLTS}"; depth:6; flowbits:set,BuschTrommel_SpyFunction2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7754; rev:2;)
# sid 7736: noalert half; sets BioNet4_05_fm on an 11-byte binary token (no depth). Its consumer is not in this view.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR bionet 4.05 runtime detection - file manager - flowbit set"; flow:to_server,established; content:"|00 00 00 FF 00 01 00 01 FD 12 00|"; flowbits:set,BioNet4_05_fm; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/b/bionet/Bionet4.00.05be.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072406; classtype:trojan-activity; sid:7736; rev:2;)
# sid 7713: direct alert on the SMTP notification. The pcre's ".*" with /s can span the entire message between
# the From: and Subject: headers; the six content matches run first and bound the cost, but on large SMTP
# payloads this is the most expensive rule in this view.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR amitis v1.3 runtime detection - email notification"; flow:to_server,established; content:"From|3A|"; nocase; content:"Amitis"; distance:0; content:"1.3"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Server"; distance:0; nocase; content:"information"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*Amitis\s+1\x2E3.*Subject\x3A[^\r\n]*Server\s+information/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=669; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075097; classtype:trojan-activity; sid:7713; rev:2;)
# sid 7636: alerting half; requires hornet.4 (set by sid 7635). The payload check is only "008" in the first three
# bytes, so the flowbit carries the specificity.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR hornet 1.0 runtime detection - fetch processes list"; flow:from_server,established; flowbits:isset,hornet.4; content:"008"; depth:3; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1667; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7636; rev:2;)
# sid 7756: noalert half; sets beast_conn on "666" at payload start on any port >= 1024 — broad, but gated: sid 7757
# requires the bit plus a seven-field 0xFF-delimited reply.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR beast 2.02 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"666"; depth:3; flowbits:set,beast_conn; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075851; classtype:trojan-activity; sid:7756; rev:2;)
# sid 7773: alerting half; requires Messiah_EnableKeyloggerA (set by sid 7772 on the reverse path 877 -> 876).
# Here HOME 876 -> EXTERNAL 877 is flow:to_server, i.e. the external peer is treated as the TCP server.
alert tcp $HOME_NET 876 -> $EXTERNAL_NET 877 (msg:"BACKDOOR messiah 4.0 runtime detection - enable keylogger"; flow:to_server,established; flowbits:isset,Messiah_EnableKeyloggerA; content:"kcaption|7C|"; depth:9; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400; classtype:trojan-activity; sid:7773; rev:2;)
# sid 7681: alerting half; requires CoolRemoteControl_Download.1 (set by sid 7680) and the |FILESIZE| reply.
alert tcp $HOME_NET 11977 -> $EXTERNAL_NET any (msg:"BACKDOOR cool remote control 1.12 runtime detection - download file"; flow:from_server,established; flowbits:isset,CoolRemoteControl_Download.1; content:"|7C|FILESIZE|7C|"; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7681; rev:2;)
# sid 7631: noalert half; sets hornet.2 on "007r". Its consumer is not in this view.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set"; flow:to_server,established; content:"007r"; depth:4; flowbits:set,hornet.2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7631; rev:2;)
# sid 7609: alerting half; requires katux20.4 (set by sid 7608). The 17-byte French status string ("chat open")
# must sit at payload start (depth:17) and is matched case-sensitively.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR katux 2.0 runtime detection - chat"; flow:from_server,established; flowbits:isset,katux20.4; content:"000Chat ouvert..."; depth:17; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077310; classtype:trojan-activity; sid:7609; rev:3;)
# sid 7714: step 1 of the NetDevil connection chain (noalert); sets backdoor.NetDevil.conn.step1 for sid 7715.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR netdevil runtime detection - flowbit set 1"; flow:from_server,established; content:"passed"; depth:6; nocase; flowbits:set,backdoor.NetDevil.conn.step1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=27557; classtype:trojan-activity; sid:7714; rev:2;)
# sid 7705 (disabled): a plain-text "Instant Remote Control Service" match on port 445 (SMB) that would set
# Omniquad_IRC_InitConnection; presumably disabled for false positives, though the reason is not recorded here.
# Any enabled consumer of that bit elsewhere is dead while this stays commented out.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"BACKDOOR omniquad instant remote control runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"Instant"; nocase; content:"Remote"; distance:0; nocase; content:"Control"; distance:0; nocase; content:"Service"; distance:0; nocase; pcre:"/Instant\s+Remote\s+Control\s+Service/smi"; flowbits:set,Omniquad_IRC_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7705; rev:3;)
# sid 7761: direct alert; the pcre requires <digits> Anal FTP at a line start (an FTP-style numeric reply code).
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR analftp 0.1 runtime detection - initial connection"; flow:from_server,established; content:"Anal"; nocase; content:"FTP"; distance:0; nocase; pcre:"/^\d+\s+Anal\s+FTP\s+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59411; classtype:trojan-activity; sid:7761; rev:2;)
# sid 7792: UDP (no flow option); inbound counterpart of sid 7793 with the identical 9-byte payload check.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR remote anything 5.11.22 runtime detection - chat with victim"; content:"RA Chat|00 00|"; depth:9; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1567; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076440; classtype:trojan-activity; sid:7792; rev:2;)
# sid 7637: direct alert on the hornet ICQ web-message notification (URI plus two form fields in order).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR hornet 1.0 runtime detection - icq notification"; flow:to_server,established; uricontent:"/scripts/WWPMsg.dll"; nocase; content:"from=Hornet+Server"; nocase; content:"fromemail=Hornet"; distance:0; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7637; rev:2;)
# sid 7656: noalert half; sets DiemsMutter on "v;" in the first two bytes on any port >= 1024 (broad pre-filter);
# sid 7657 requires the bit plus a version reply.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR diems mutter runtime detection - client-to-server"; flow:to_server,established; content:"v|3B|"; depth:2; nocase; flowbits:set,DiemsMutter; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/d/diemsmutter/Diemsmutter1.4.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=16111; classtype:trojan-activity; sid:7656; rev:2;)
# sid 7772: noalert half; sets Messiah_EnableKeyloggerA for sid 7773.
# NOTE(review): this is the only messiah rule with no flow direction (just flow:established). Its partners
# sid 7773 and sid 7771 match HOME 876 -> EXTERNAL 877 with to_server, i.e. the external peer is the TCP server,
# so the consistent form here would be flow:from_server,established. Left unchanged: if the partners' direction
# is the wrong one, tightening this rule would leave the bit unset and silence sid 7773 — confirm first.
alert tcp $EXTERNAL_NET 877 -> $HOME_NET 876 (msg:"BACKDOOR messiah 4.0 runtime detection - enable keylogger - flowbit set"; flow:established; content:"enablekey|7C|"; depth:10; flowbits:set,Messiah_EnableKeyloggerA; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7772; rev:2;)
# sid 7757: alerting half; requires beast_conn (set by sid 7756) and a "666" reply followed by seven
# 0xFF-terminated numeric fields.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR beast 2.02 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,beast_conn; content:"666"; depth:3; pcre:"/^666\d+\xFF\d+\xFF\d+\xFF\d+\xFF\d+\xFF\d+\xFF\d+\xFF/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075851; classtype:trojan-activity; sid:7757; rev:2;)
# sid 7746: noalert half; sets BoBo_InitConnection on a "Password:" prompt from port 4321. Its consumer is not in
# this view.
alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg:"BACKDOOR bobo 1.0 runtime detection - initial connection - flowbit set"; flow:from_server,established; content:"Password|3A|"; depth:9; flowbits:set,BoBo_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7746; rev:2;)
# sid 7749: alerting half; requires BoBo_SendMessages (set by sid 7748) and the 27-byte NUL-delimited reply at
# payload start.
alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg:"BACKDOOR bobo 1.0 runtime detection - send message"; flow:from_server,established; flowbits:isset,BoBo_SendMessages; content:"Message shown.|00|finish line|00|"; depth:27; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1531; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076842; classtype:trojan-activity; sid:7749; rev:2;)
# sid 7731 (disabled): setter for outbreak_ring_stc; any enabled consumer of that bit elsewhere is dead while
# this stays commented out. The sibling outbreak rules sid 7730 and sid 7733 are unaffected (no flowbits).
# alert tcp $EXTERNAL_NET 5005 -> $HOME_NET any (msg:"BACKDOOR outbreak_0.2.7 runtime detection - ring server-to-client"; flow:from_server,established; content:"SINFO"; nocase; pcre:"/^SINFO\x3B\d+\x3B/smi"; flowbits:set,outbreak_ring_stc; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html; classtype:trojan-activity; sid:7731; rev:3;)
# sid 7682: noalert half; sets acid_head_conn_step1 on "TROJAN" at payload start, consumed by sid 7683.
alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"BACKDOOR acid head 1.00 runtime detection - flowbit set"; flow:to_server,established; content:"TROJAN"; depth:6; nocase; flowbits:set,acid_head_conn_step1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=71371; classtype:trojan-activity; sid:7682; rev:2;)
# sid 7724: alerts directly — there is no flowbits option in this rule, yet the msg still ends in "- flowbit set".
# NOTE(review): either the msg suffix is stale from an earlier revision (rev:3) or a flowbits:set was dropped;
# confirm which and fix the msg or the option so alert names stay accurate. Case-sensitive, anchored pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR reversable ver1.0 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"PORT="; depth:5; content:"Victim="; distance:0; pcre:"/^PORT\x3D\d+\x2AVictim\x3D/"; metadata:policy security-ips drop; classtype:trojan-activity; sid:7724; rev:3;)
# sid 7715: step 2 of the NetDevil connection chain (noalert); requires step1 (sid 7714) and sets step2. The rule
# that alerts on step2 is not in this view.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR netdevil runtime detection - flowbit set 2"; flow:to_server,established; flowbits:isset,backdoor.NetDevil.conn.step1; content:"version"; depth:7; nocase; flowbits:set,backdoor.NetDevil.conn.step2; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=27557; classtype:trojan-activity; sid:7715; rev:2;)
# sid 7667: alerting half; requires ScreenControl_conn (set by sid 7664) and a /GR<digits>;<digits> reply.
alert tcp $HOME_NET 2208 -> $EXTERNAL_NET any (msg:"BACKDOOR screen control 1.0 runtime detection - capture on port 2208"; flow:from_server,established; flowbits:isset,ScreenControl_conn; content:"/GR"; nocase; pcre:"/\x2FGR\d+\x3B\d+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7667; rev:3;)
# sid 7734: noalert half; sets BioNet4_05_BE on a 12-byte token at payload start (depth:12). Its consumer is not in
# this view; the related file-manager setter is sid 7736.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR bionet 4.05 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"|05 00 00 00|1|00 01 00 01 FD 12 00|"; depth:12; flowbits:set,BioNet4_05_BE; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/b/bionet/Bionet4.00.05be.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072406; classtype:trojan-activity; sid:7734; rev:2;)
# sid 7785: alerting half; requires Forced_Control_Uploader_Password, whose setter is not in this view. "PWDok"
# has no depth and is matched case-sensitively.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"BACKDOOR forced control uploader runtime detection - connection with password"; flow:from_server,established; flowbits:isset,Forced_Control_Uploader_Password; content:"PWDok"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/forcedcontrol/Forcedcontrol_uploader1.0.html; classtype:trojan-activity; sid:7785; rev:2;)
# sid 7729: alerting half of the Radmin pair; requires Radmin (set by sid 7728) and a 46-byte reply at payload
# start (depth:46). This is the rule that actually drops under the security-ips policy.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR radmin runtime detection - server-to-client"; flow:from_server,established; flowbits:isset,Radmin; content:"|01 00 00 00|%|00 00 01 10 08 01 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:46; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:7729; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR elfrat runtime detection - initial connection"; flow:from_server,established; content:"|01|elfRAT|04|"; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/e/elf/Elfrat1.2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=55224; classtype:trojan-activity; sid:7778; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR hanky panky 1.1 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,hanky_conn2; content:"spas"; depth:4; nocase; pcre:"/^spas[2-3]\x3A/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077209; classtype:trojan-activity; sid:7697; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR nova 1.0 runtime detection - initial connection with pwd set"; flow:from_server,established; flowbits:isset,nova_conn_1; content:"ClientsConnected"; nocase; pcre:"/^ClientsConnected-\d+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7741; rev:2;)
alert tcp $HOME_NET 876 -> $EXTERNAL_NET 877 (msg:"BACKDOOR messiah 4.0 runtime detection - get server info"; flow:to_server,established; flowbits:isset,Messiah_GetServerInfoA; content:"serverinformation|7C|"; depth:18; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400; classtype:trojan-activity; sid:7771; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR katux 2.0 runtime detection - get system info - flowbit set"; flow:to_server,established; content:"001"; depth:3; flowbits:set,katux20.3; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7606; rev:2;)
# alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"BACKDOOR flux 1.0 runtime detection"; flow:from_server,established; content:"|1A 01 00 00|"; depth:4; metadata:policy security-ips drop; classtype:trojan-activity; sid:7611; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR skyrat show runtime detection - initial connection"; flow:from_server,established; flowbits:isset,skyrat.4; content:"*portok*"; depth:8; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453081105; classtype:trojan-activity; sid:7629; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR small uploader 1.01 runtime detection - remote shell - flowbit set"; flow:to_server,established; content:"DoScAp"; nocase; flowbits:set,smalluploader_remotesh; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fearless/Smalluploader1.01.html; classtype:trojan-activity; sid:7654; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6116 (msg:"BACKDOOR am remote client runtime detection - client-to-server"; flow:to_server,established; pcre:"/^\d+\x01/smi"; flowbits:set,AM_Remote_Client; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/a/amrc/Amrc1.1.html; classtype:trojan-activity; sid:7641; rev:3;)
alert tcp $HOME_NET 1001 -> $EXTERNAL_NET any (msg:"BACKDOOR remote havoc runtime detection - flowbit set 1"; flow:from_server,established; content:"CONN"; depth:4; nocase; flowbits:set,RemoteHAVOC_conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/r/remotehavoc/Remotehavoc3.0.1.html; reference:url,www.spywareguide.com/product_show.php?id=863; classtype:trojan-activity; sid:7673; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BACKDOOR omniquad instant remote control runtime detection - file transfer setup"; flow:to_server,established; content:"Welcome"; nocase; content:"to"; distance:0; nocase; content:"the"; distance:0; nocase; content:"Omniquad"; distance:0; nocase; content:"File"; distance:0; nocase; content:"Transfer"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/Welcome\s+to\s+the\s+Omniquad\s+File\s+Transfer\s+Server/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080053; classtype:trojan-activity; sid:7707; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2213 (msg:"BACKDOOR screen control 1.0 runtime detection - capture on port 2213 - flowbit set"; flow:to_server,established; content:"a"; flowbits:set,ScreenControl_capture2213; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7668; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR buschtrommel 1.22 runtime detection - initial connection - flowbit set 2"; flow:to_server,established; flowbits:isset,BuschTrommel_InitConnection1; content:"ver"; depth:3; flowbits:set,BuschTrommel_InitConnection2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7751; rev:2;)
alert tcp $HOME_NET 6767 -> $EXTERNAL_NET any (msg:"BACKDOOR nt remote controller 2000 runtime detection - foldermonitor server-to-client"; flow:from_server,established; flowbits:isset,NT_Remote_Controller_2000_FolderMonitor; content:"FolderMonitor|3B|"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7767; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 11977 (msg:"BACKDOOR cool remote control 1.12 runtime detection - upload file - flowbit set"; flow:to_server,established; content:"|7C|PUTFILE|7C|"; nocase; flowbits:set,CoolRemoteControl_upload; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7678; rev:2;)
alert tcp $HOME_NET 32222 -> $EXTERNAL_NET any (msg:"BACKDOOR remoter runtime detection - initial connection"; flow:from_server,established; content:"Connected"; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/r/remoter/Remoter.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=53155; classtype:trojan-activity; sid:7672; rev:2;)
alert tcp $EXTERNAL_NET 877 -> $HOME_NET 876 (msg:"BACKDOOR messiah 4.0 runtime detection - get server info - flowbit set"; flow:established; content:"getserverinfo|7C|"; depth:14; flowbits:set,Messiah_GetServerInfoA; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7770; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR netdevil runtime detection"; flow:from_server,established; flowbits:isset,backdoor.NetDevil.conn.step2; content:"ver"; nocase; pcre:"/^ver\d+\x2E\d+/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=27557; classtype:trojan-activity; sid:7716; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7080 (msg:"BACKDOOR messiah 4.0 runtime detection - get drives - flowbit set"; flow:from_client,established; content:"GET///Drives**"; depth:14; flowbits:set,Messiah_GetDrives; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7776; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BACKDOOR exception 1.0 runtime detection - notification"; flow:to_server,established; uricontent:"ip="; nocase; uricontent:"port="; nocase; uricontent:"id=Exception"; nocase; uricontent:"ver=Exception"; nocase; uricontent:"pass="; nocase; uricontent:"os="; nocase; uricontent:"conn="; nocase; uricontent:"cpu="; nocase; uricontent:"user="; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/e/exception/Exception1.0b1.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077099; classtype:trojan-activity; sid:7692; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR theef 2.0 runtime detection - connection request with password - flowbit 1"; flow:from_server,established; content:"|FA CB D9 D9 DD C5 D8 CE D6|"; depth:9; flowbits:set,theef20.1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7617; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"BACKDOOR minicom lite runtime detection - client-to-server"; flow:to_server,established; content:"|04 03 02 01|"; depth:4; nocase; flowbits:set,MinicomLite; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/m/minicom/Minicom4.5.html; reference:url,www.spywareguide.com/product_show.php?id=910; classtype:trojan-activity; sid:7648; rev:3;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR bionet 4.05 runtime detection - file manager"; flow:from_server,established; flowbits:isset,BioNet4_05_fm; content:"|00 00 00 01 01 00 01 00 00 00|"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/b/bionet/Bionet4.00.05be.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072406; classtype:trojan-activity; sid:7737; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6767 (msg:"BACKDOOR nt remote controller 2000 runtime detection - foldermonitor client-to-server"; flow:to_server,established; content:"|3B|FolderMonitor"; nocase; flowbits:set,NT_Remote_Controller_2000_FolderMonitor; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7766; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR lan filtrator 1.1 runtime detection - initial connection request - flowbit set"; flow:to_server,established; content:"|B4 AF 29 AE|LANfiltrator|AE 28 AF|`"; depth:20; flowbits:set,LanFiltrator_InitConnectionRequest; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7660; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR small uploader 1.01 runtime detection - get server information"; flow:from_server,established; flowbits:isset,smalluploader_srvinfo; content:"SrvInfoFearless"; nocase; content:"Lite"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/SrvInfoFearless\s+Lite\s+Server/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fearless/Smalluploader1.01.html; classtype:trojan-activity; sid:7653; rev:2;)
alert tcp $HOME_NET 11977 -> $EXTERNAL_NET any (msg:"BACKDOOR cool remote control 1.12 runtime detection - upload file"; flow:from_server,established; flowbits:isset,CoolRemoteControl_upload; content:"|7C|COMPLETEPUTFILE|7C|"; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7679; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR katux 2.0 runtime detection - get system info"; flow:from_server,established; flowbits:isset,katux20.3; content:"001"; depth:3; content:"Version serveur|3A| Katux 2"; distance:0; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077310; classtype:trojan-activity; sid:7607; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR darkmoon reverse connection detection - cts"; flow:to_server,established; flowbits:isset,darkmoon_reverse_stc; content:"DmInf"; depth:5; nocase; pcre:"/^DmInf\x5E[^\r\n]*\d+\x2E\d+\x2E\d+\x2E\d+\x5E/smi"; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Trojan.Backdoor.Darkmoon&threatid=41348; reference:url,securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html; classtype:trojan-activity; sid:7816; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR nightcreature beta 0.01 runtime detection"; flow:from_server,established; flowbits:isset,nightcreature.conn.step2; content:"<consol>---------------------------------------------<consol>Connected to NightCreature server"; nocase; metadata:policy security-ips drop; reference:url,opensc.ws/showthread.php?t=31; classtype:trojan-activity; sid:7821; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"BACKDOOR fatal wound 1.0 runtime detection - upload"; flow:to_server,established; content:"File Name -~-"; nocase; flowbits:set,fatalwound_upload; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104; classtype:trojan-activity; sid:7808; rev:2;)
alert tcp $HOME_NET 6666 -> $EXTERNAL_NET any (msg:"BACKDOOR fatal wound 1.0 runtime detection - upload"; flow:from_server,established; flowbits:isset,fatalwound_upload; content:"Send File -~-"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104; classtype:trojan-activity; sid:7809; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR darkmoon initial connection detection - stc"; flow:from_server,established; flowbits:isset,darkmoon_initial_cts; content:"|7C|Connected"; depth:10; nocase; content:"with|3A|"; distance:0; nocase; pcre:"/^\x7CConnected with\x3A\s+\d+\x2E\d+.\d+.\d+/smi"; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Trojan.Backdoor.Darkmoon&threatid=41348; reference:url,securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html; classtype:trojan-activity; sid:7814; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 148 (msg:"BACKDOOR incommand 1.7 runtime detection - file manage 1"; flow:to_server,established; flowbits:isset,InCommand_17_FileManager_1; content:"PASS InClientMainPassword"; depth:25; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1637; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44730; classtype:trojan-activity; sid:7798; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9401 (msg:"BACKDOOR incommand 1.7 runtime detection - file manage 2"; flow:to_server,established; content:"USER inc"; depth:8; flowbits:set,InCommand_17_FileManager_2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7799; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9401 (msg:"BACKDOOR incommand 1.7 runtime detection - file manage 2"; flow:to_server,established; flowbits:isset,InCommand_17_FileManager_2; content:"PASS InClientMainPassword"; depth:25; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1637; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44730; classtype:trojan-activity; sid:7800; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR darkmoon reverse connection detection - stc"; flow:from_server,established; content:"0^0^0^"; depth:6; flowbits:set,darkmoon_reverse_stc; flowbits:noalert; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Trojan.Backdoor.Darkmoon&threatid=41348; reference:url,securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html; classtype:trojan-activity; sid:7815; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"BACKDOOR fatal wound 1.0 runtime detection - execute file"; flow:to_server,established; content:"Execute -~-"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104; classtype:trojan-activity; sid:7807; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"BACKDOOR nightcreature beta 0.01 runtime detection"; flow:to_server,established; content:"<pw>"; depth:4; nocase; flowbits:set,nightcreature.conn.step1; flowbits:noalert; metadata:policy security-ips drop; reference:url,opensc.ws/showthread.php?t=31; classtype:trojan-activity; sid:7819; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR fraggle rock 2.0 lite runtime detection - pc info - flowbit set"; flow:to_server,established; content:"updateinfo"; depth:10; nocase; flowbits:set,backdoor.fraggle.rock.2.0.lite.pc.info; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077120; classtype:trojan-activity; sid:7794; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR incommand 1.7 runtime detection - init connection"; flow:to_server,established; content:"ACS "; depth:4; flowbits:set,InCommand_17_InitConnection; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7795; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR darkmoon initial connection detection - cts"; flow:to_server,established; content:"|7C|55|7C|0|7C|0|7C 7C|"; depth:9; flowbits:set,darkmoon_initial_cts; flowbits:noalert; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Trojan.Backdoor.Darkmoon&threatid=41348; reference:url,securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html; classtype:trojan-activity; sid:7813; rev:2;)
alert tcp $HOME_NET 6666 -> $EXTERNAL_NET any (msg:"BACKDOOR fatal wound 1.0 runtime detection - initial connection"; flow:from_server,established; content:"00000"; nocase; content:"-~-"; distance:0; nocase; pcre:"/^00000\s+-~-\s+/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104; classtype:trojan-activity; sid:7806; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR nightcreature beta 0.01 runtime detection"; flow:from_server,established; flowbits:isset,nightcreature.conn.step1; content:"<pw>ok"; depth:6; nocase; flowbits:set,nightcreature.conn.step2; flowbits:noalert; metadata:policy security-ips drop; reference:url,opensc.ws/showthread.php?t=31; classtype:trojan-activity; sid:7820; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR war trojan ver1.0 runtime detection - ie hijacker"; flow:to_server,established; uricontent:"/top100"; nocase; content:"Host|3A|"; nocase; content:"webfringe"; distance:0; nocase; pcre:"/^Host\x3A\s+www\x2Ewebfringe\x2Ecom/mi"; metadata:policy security-ips drop; reference:url,www.symantec.com/avcenter/attack_sigs/s20290.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075746; classtype:trojan-activity; sid:7805; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4201 (msg:"BACKDOOR war trojan ver1.0 runtime detection - send messages"; flow:to_server,established; content:"text|3A|"; depth:5; metadata:policy security-ips drop; reference:url,www.symantec.com/avcenter/attack_sigs/s20290.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075746; classtype:trojan-activity; sid:7803; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR nuclear uploader 1.0 runtime detection"; flow:from_server,established; content:"libManager.dll"; nocase; content:"get"; distance:0; nocase; pcre:"/libManager\x2Edll\x5Eget(drives|files)\x2A/smi"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/n/nuclear/Nuclear_uploader1.0_krepper_a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079457; classtype:trojan-activity; sid:7810; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR incommand 1.7 runtime detection - init connection"; flow:from_server,established; flowbits:isset,InCommand_17_InitConnection; content:"PASSOK"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1637; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44730; classtype:trojan-activity; sid:7796; rev:3;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"BACKDOOR abacab runtime detection - telnet initial"; flow:from_server,established; content:" |0D 0A|Vous etes connecte a|3A 0D 0A 0D 0A 00|"; flowbits:set,Abacab; flowbits:noalert; metadata:policy security-ips drop; reference:url,megasecurity.org/trojans/a/abacab/Abacab0.9beta.html; classtype:trojan-activity; sid:7811; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 146 (msg:"BACKDOOR infector v1.0 runtime detection - init conn"; flow:to_server,established; content:"FC "; depth:3; nocase; flowbits:set,back.infector.v1.0.conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075657; classtype:trojan-activity; sid:7817; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4201 (msg:"BACKDOOR war trojan ver1.0 runtime detection - disable ctrl+alt+del"; flow:to_server,established; content:"disablectrlaltdel"; depth:17; metadata:policy security-ips drop; reference:url,www.symantec.com/avcenter/attack_sigs/s20290.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075746; classtype:trojan-activity; sid:7804; rev:2;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"BACKDOOR abacab runtime detection - banner"; flow:from_server,established; flowbits:isset,Abacab; content:"|00| |23 23 23| |23 23 23| |23| __...--'' ___...--_..' .|3B|.' |3B 0D 0A|"; nocase; content:"CONNECTION|3A 0D 0A| |0D 0A|Veuillez entrer le mot de passe|0D 0A 00|"; distance:0; nocase; metadata:policy security-ips drop; reference:url,megasecurity.org/trojans/a/abacab/Abacab0.9beta.html; classtype:trojan-activity; sid:7812; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 148 (msg:"BACKDOOR incommand 1.7 runtime detection - file manage 1"; flow:to_server,established; content:"USER inc"; depth:8; flowbits:set,InCommand_17_FileManager_1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7797; rev:2;)
alert tcp $HOME_NET 146 -> $EXTERNAL_NET any (msg:"BACKDOOR infector v1.0 runtime detection - init conn"; flow:from_server,established; flowbits:isset,back.infector.v1.0.conn.1; content:"FC'S TROJAN"; depth:11; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075657; classtype:trojan-activity; sid:7818; rev:2;)
alert tcp $HOME_NET 1327 -> $EXTERNAL_NET any (msg:"BACKDOOR mithril runtime detection - get system information"; flow:from_server,established; flowbits:isset,Mithril_GetSystemInformation; content:"|BC C6 CB E3 BB FA C3 FB A3 BA|"; depth:10; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8076; rev:2;)
alert tcp $HOME_NET 1327 -> $EXTERNAL_NET any (msg:"BACKDOOR mithril runtime detection - init connection"; flow:from_server,established; content:"|CE DE B7 A8 B4 F2 BF AA B5 BD D6 F7 BB FA B5 C4 C1 AC BD D3| |D4 DA B6 CB BF DA| 1327 |3A| |C1 AC BD D3 CA A7 B0 DC|"; depth:43; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8074; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR x2a runtime detection - client update"; flow:to_server,established; uricontent:"/app.txt"; nocase; content:"Host|3A|"; nocase; content:"x-2.gq.nu"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*x\x2d2\x2Egq\x2Enu/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084136; classtype:trojan-activity; sid:8080; rev:2;)
alert tcp $HOME_NET 2421 -> $EXTERNAL_NET any (msg:"BACKDOOR x2a runtime detection - init connection"; flow:from_server,established; content:"connected"; depth:9; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084136; classtype:trojan-activity; sid:8079; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1327 (msg:"BACKDOOR mithril runtime detection - get process list"; flow:to_server,established; content:"pslist|0A|"; depth:7; nocase; flowbits:set,Mithril_GetProcessList; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8077; rev:2;)
alert tcp $HOME_NET 1327 -> $EXTERNAL_NET any (msg:"BACKDOOR mithril runtime detection - get process list"; flow:from_server,established; flowbits:isset,Mithril_GetProcessList; content:"|BD F8 B3 CC|ID|BA C5 A3 BA| "; depth:20; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8078; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1327 (msg:"BACKDOOR mithril runtime detection - get system information"; flow:to_server,established; content:"sysinfo|0A|"; depth:8; nocase; flowbits:set,Mithril_GetSystemInformation; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8075; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR black curse 4.0 runtime detection - normal init connection"; flow:to_server,established; content:"|7C|48|7C|0|7C|0|7C|"; depth:8; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/b/blackcurse/Blackcurse4.0.html; classtype:trojan-activity; sid:8362; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR black curse 4.0 runtime detection - inverse init connection"; flow:from_server,established; content:"0^0^0^"; depth:6; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/b/blackcurse/Blackcurse4.0.html; classtype:trojan-activity; sid:8361; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR superspy 2.0 beta runtime detection - processes/active windows manage"; flow:from_server,established; flowbits:isset,superSpy_20_Beta_ProcessesManage; content:"|02|"; depth:1; nocase; content:"|04 00|"; within:2; distance:1; nocase; pcre:"/^\x02[\x08\x0c]\x04\x00/"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726; classtype:trojan-activity; sid:8475; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR superspy 2.0 beta runtime detection - screen capture"; flow:from_server,established; flowbits:isset,superSpy_20_Beta_ScreenCapture; content:"|02 01 04 00|"; depth:4; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726; classtype:trojan-activity; sid:8473; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR superspy 2.0 beta runtime detection - screen capture 2"; flow:to_server,established; content:"|02 00 00 00|"; depth:4; nocase; flowbits:set,superSpy_20_Beta_ScreenCapture; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:8472; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR superspy 2.0 beta runtime detection - get system info"; flow:to_server,established; content:"|02 05 00 00|"; depth:4; nocase; flowbits:set,superSpy_20_Beta_GetSystemInfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:8470; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR superspy 2.0 beta runtime detection - get system info 2"; flow:from_server,established; flowbits:isset,superSpy_20_Beta_GetSystemInfo; content:"|02 06 AC 03|"; depth:4; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726; classtype:trojan-activity; sid:8471; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR superspy 2.0 beta runtime detection - processes/active windows manage 2"; flow:to_server,established; content:"|02|"; depth:1; nocase; content:"|00 00|"; within:2; distance:1; pcre:"/^\x02[\x07\x0b]\x00\x00/"; flowbits:set,superSpy_20_Beta_ProcessesManage; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:8474; rev:5;)
alert tcp $HOME_NET 4000 -> $EXTERNAL_NET any (msg:"BACKDOOR zzmm 2.0 runtime detection - init connection"; flow:from_server,established; flowbits:isset,Backdoor.ZZMM.InitConnect; content:"Attached"; nocase; content:"through"; distance:0; nocase; content:"port"; distance:0; nocase; pcre:"/^Attached\s+through\s+port\x3a/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453054345; classtype:trojan-activity; sid:8548; rev:2;)
alert tcp $HOME_NET 4000 -> $EXTERNAL_NET any (msg:"BACKDOOR zzmm 2.0 runtime detection - init connection"; flow:from_server,established; content:"Connected"; depth:9; nocase; content:"to"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"at"; distance:0; nocase; pcre:"/^Connected\s+to\s+Server\s+at\x3a/smi"; flowbits:set,Backdoor.ZZMM.InitConnect; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:8547; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR crossbow 1.12 runtime detection - init connection"; flow:to_server,established; flowbits:isset,Backdoor.Crossbow.Init; content:"SrvDtl|7C|"; depth:7; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/c/crossbow/Crossbow1.12.html; classtype:trojan-activity; sid:9665; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"BACKDOOR ieva 1.0 runtime detection - swap mouse"; flow:to_server,established; content:"OTHER"; depth:5; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9835; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR bersek 1.0 runtime detection"; flow:from_server,established; content:"|24|[version]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Init; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:9656; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"BACKDOOR ieva 1.0 runtime detection - fake delete harddisk message"; flow:to_server,established; content:"DELEHARD"; depth:8; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9833; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR apofis 1.0 runtime detection - remote controlling"; flow:to_server,established; content:"?&sesion="; nocase; flowbits:set,Backdoor.Apofis.Remotecontrol; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:9654; rev:3;)
alert tcp $HOME_NET 16454 -> $EXTERNAL_NET any (msg:"BACKDOOR superra runtime detection - success init connection"; flow:from_server,established; content:"{|05 00 00|"; depth:4; metadata:policy security-ips drop; classtype:trojan-activity; sid:9666; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR bersek 1.0 runtime detection - show processes"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Showprocesses; content:"|23|[shwproc]"; depth:10; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0.html; classtype:trojan-activity; sid:9661; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR apofis 1.0 runtime detection - php notification"; flow:to_server,established; uricontent:"/Notificacion.php"; nocase; uricontent:"puerto="; nocase; uricontent:"version=1.0"; nocase; uricontent:"nombre="; nocase; uricontent:"pc="; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/a/apofis/Apofis1.0.html; classtype:trojan-activity; sid:9653; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR bersek 1.0 runtime detection"; flow:from_server,established; content:"|24|[showuni]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Filemanager; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:9658; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR sun shadow 1.70 runtime detection - init connection"; flow:to_server,established; content:"|FF 01 01 01 80 00 00 00|"; depth:8; nocase; flowbits:set,Backdoor.SunShadow.Init; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:9837; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"BACKDOOR ieva 1.0 runtime detection - black screen"; flow:to_server,established; content:"BLACK"; depth:5; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9834; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR crossbow 1.12 runtime detection"; flow:from_server,established; content:"SrvDtl"; depth:6; nocase; flowbits:set,Backdoor.Crossbow.Init; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:9664; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"BACKDOOR ieva 1.0 runtime detection - send message"; flow:to_server,established; content:"ASKGAY"; depth:6; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9832; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR bersek 1.0 runtime detection"; flow:from_server,established; content:"|24|[shellgo]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Remoteshell; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:9662; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR sun shadow 1.70 runtime detection - init connection"; flow:from_server,established; flowbits:isset,Backdoor.SunShadow.Init; content:"|FF 01 01 03 00 00 00 00|"; depth:8; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/sunshadow/Sunshadow1.7.0.html; classtype:trojan-activity; sid:9838; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR bersek 1.0 runtime detection"; flow:from_server,established; content:"|24|[proclst]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Showprocesses; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:9660; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR bersek 1.0 runtime detection - file manage"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Filemanager; content:"|23|[showuni]"; depth:10; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0.html; classtype:trojan-activity; sid:9659; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"BACKDOOR ieva 1.0 runtime detection - crazy mouse"; flow:to_server,established; content:"MOUSE"; depth:5; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9836; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR poison ivy 2.1.2 runtime detection - init connection"; flow:from_server,established; flowbits:isset,PoisonIvy_init; content:"U|8B EC|P|B8 02 00 00 00 81 C4 04 F0 FF FF|"; depth:15; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/p/poisonivy/Poisonivy2.1.2.html; classtype:trojan-activity; sid:10111; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"BACKDOOR crossfires trojan 3.0 runtime detection - delete file"; flow:to_server,established; content:"delete|7C|"; depth:7; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/c/crossfires/Crossfires.html; classtype:trojan-activity; sid:10101; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR hav-rat 1.1 runtime detection - retrieve pc info"; flow:to_server,established; flowbits:isset,HavRat_pcinfo2; content:"StartPage|3A|"; depth:10; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/h/hav/Havrat1.0.html; classtype:trojan-activity; sid:10105; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR hav-rat 1.1 runtime detection"; flow:from_server,established; content:"getinfo"; depth:7; nocase; flowbits:set,HavRat_pcinfo1; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:10103; rev:2;)
alert tcp $HOME_NET 8812 -> $EXTERNAL_NET any (msg:"BACKDOOR rix3 1.0 runtime detection - init connection"; flow:from_server,established; content:"connected"; depth:9; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/r/rix3/Rix3_1.0.html; classtype:trojan-activity; sid:10112; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR k-msnrat 1.0.0 runtime detection - init connection"; flow:from_server,established; content:"SndInfo"; depth:7; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/k/kmsnrat/Kmsnrat1.0.0.html; classtype:trojan-activity; sid:10109; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR poison ivy 2.1.2 runtime detection"; flow:from_server,established; content:"|F6 13 00 00|"; depth:4; flowbits:set,PoisonIvy_init; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:10110; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR hav-rat 1.1 runtime detection"; flow:to_server,established; flowbits:isset,HavRat_pcinfo1; content:"User|3A|"; depth:5; nocase; flowbits:set,HavRat_pcinfo2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:10104; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"BACKDOOR crossfires trojan 3.0 runtime detection - chat with victim"; flow:to_server,established; content:"chat|7C|"; depth:5; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/c/crossfires/Crossfires.html; classtype:trojan-activity; sid:10102; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BACKDOOR Wordpress backdoor theme.php code execution attempt"; flow:to_server,established; uricontent:"wp-includes/theme.php"; nocase; uricontent:"iz="; nocase; pcre:"/wp-includes\x2Ftheme\x2Ephp\x3F[^\r\n]*iz=/Ui"; metadata:policy security-ips drop; reference:bugtraq,22797; reference:cve,2007-1277; reference:url,wordpress.org/development/2007/03/upgrade-212/; reference:url,www.securityfocus.com/archive/1/461794; classtype:trojan-activity; sid:10197; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BACKDOOR Wordpress backdoor feed.php code execution attempt"; flow:to_server,established; uricontent:"wp-includes/feed.php"; nocase; uricontent:"ix="; nocase; pcre:"/wp-includes\x2Ffeed\x2Ephp\x3F[^\r\n]*ix=/Ui"; metadata:policy security-ips drop; reference:bugtraq,22797; reference:cve,2007-1277; reference:url,wordpress.org/development/2007/03/upgrade-212/; reference:url,www.securityfocus.com/archive/1/461794; classtype:trojan-activity; sid:10196; rev:3;)
alert tcp $HOME_NET 5600 -> $EXTERNAL_NET any (msg:"BACKDOOR [x]-ztoo 1.0 runtime detection - start keylogger"; flow:from_server,established; content:"LogStarted"; depth:10; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134; classtype:trojan-activity; sid:10457; rev:2;)
alert tcp $HOME_NET 3132 -> $EXTERNAL_NET any (msg:"BACKDOOR winicabras 1.1 runtime detection - get system info"; flow:from_server,established; flowbits:isset,Winicabras_getinfo; content:"|0D 0A|==INFORMACION"; depth:15; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/w/winicabras/Winicabras1.1.html; classtype:trojan-activity; sid:10461; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3132 (msg:"BACKDOOR winicabras 1.1 runtime detection - get system info"; flow:to_server,established; content:"000"; depth:3; flowbits:set,Winicabras_getinfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:10460; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32418 (msg:"BACKDOOR acidbattery 1.0 runtime detection - get password"; flow:to_server,established; content:"PSWD/GET"; depth:8; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=109; classtype:trojan-activity; sid:10445; rev:2;)
alert tcp $HOME_NET 5600 -> $EXTERNAL_NET any (msg:"BACKDOOR [x]-ztoo 1.0 runtime detection - init connection"; flow:from_server,established; content:"Connected"; depth:9; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134; classtype:trojan-activity; sid:10454; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR acid shivers runtime detection - init telnet connection"; flow:from_server,established; content:"|1B|[2J|1B|[40m|1B|[37mAcid"; depth:18; nocase; content:"Shiver"; distance:0; nocase; content:"System"; distance:0; nocase; content:"Release"; distance:0; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=112; classtype:trojan-activity; sid:10449; rev:2;)
alert tcp $HOME_NET 12667 -> $EXTERNAL_NET any (msg:"BACKDOOR winicabras 1.1 runtime detection - explorer"; flow:from_server,established; flowbits:isset,Winicabras_explorer; content:"DRIVE"; depth:5; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/w/winicabras/Winicabras1.1.html; classtype:trojan-activity; sid:10463; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5024 (msg:"BACKDOOR [x]-ztoo 1.0 or illusion runtime detection - open file manager"; flow:to_server,established; content:"[LOAD DRIVE DATA]"; depth:17; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134; classtype:trojan-activity; sid:10458; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR only 1 rat runtime detection - control command"; flow:from_server,established; content:"D41D8CD98F00B204E9800998ECF8427E"; depth:34; flowbits:set,Only1RAT_Control; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:10450; rev:3;)
alert tcp $HOME_NET 5600 -> $EXTERNAL_NET any (msg:"BACKDOOR [x]-ztoo 1.0 runtime detection - get system info"; flow:from_server,established; flowbits:isset,XZTOO_Getinfo; content:"Info|3B|"; depth:5; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134; classtype:trojan-activity; sid:10456; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5600 (msg:"BACKDOOR [x]-ztoo 1.0 runtime detection - get system info"; flow:to_server,established; content:"GetInfo"; depth:7; nocase; flowbits:set,XZTOO_Getinfo; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:10455; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32418 (msg:"BACKDOOR acidbattery 1.0 runtime detection - open ftp service"; flow:to_server,established; content:"FTP-ON"; depth:6; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=109; classtype:trojan-activity; sid:10444; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR nirvana 2.0 runtime detection - explore c drive"; flow:to_server,established; content:"|AC|kC|3A 5C|"; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/n/nirvana/Nirvana2.0.html; classtype:trojan-activity; sid:10442; rev:2;)
alert tcp $HOME_NET 2612 -> $EXTERNAL_NET any (msg:"BACKDOOR acessor 2.0 runtime detection - init connection"; flow:from_server,established; content:"connect_"; depth:8; nocase; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/a/acessor/Acessor2.0.html; classtype:trojan-activity; sid:10448; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BACKDOOR zalivator 1.4.2 pro runtime detection - smtp notification"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"|28 29|"; distance:0; nocase; content:"DivXProGainBundle"; nocase; content:"Registration"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*\x28\x29/smi"; pcre:"/DivXProGainBundle\s+registration/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084203; classtype:trojan-activity; sid:10453; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12667 (msg:"BACKDOOR winicabras 1.1 runtime detection - explorer"; flow:to_server,established; content:"DRIVE"; depth:5; nocase; flowbits:set,Winicabras_explorer; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:10462; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR wineggdrop shell pro runtime detection - init connection"; flow:from_server,established; content:"WinEggDropShell"; depth:15; offset:28; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077750; classtype:trojan-activity; sid:10459; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5712 (msg:"BACKDOOR sohoanywhere runtime detection"; flow:to_server,established; flowbits:isset,Sohoanywhere_Init; content:"RFB 003.004|0A|"; depth:12; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060132; classtype:trojan-activity; sid:11323; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5051 (msg:"BACKDOOR netwindow runtime detection - reverse mode init connection request"; flow:to_server,established; content:"NWHOST"; depth:6; nocase; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=NetWindow&threatid=43584; classtype:trojan-activity; sid:11320; rev:2;)
alert tcp $HOME_NET 1115 -> $EXTERNAL_NET any (msg:"BACKDOOR lurker 1.1 runtime detection - init connection"; flow:from_server,established; content:"|0D|Lurker"; depth:7; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077370; classtype:trojan-activity; sid:11316; rev:2;)
alert tcp $HOME_NET 5050 -> $EXTERNAL_NET any (msg:"BACKDOOR netwindow runtime detection - init connection request"; flow:from_server,established; content:"|1B 00 00 00|"; depth:4; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=NetWindow&threatid=43584; classtype:trojan-activity; sid:11319; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR shadownet remote spy 2.0 runtime detection"; flow:from_server,established; content:"ShadowNet"; nocase; content:"Remote"; distance:0; nocase; content:"Web"; distance:0; nocase; content:"Based"; distance:0; nocase; content:"Spyware"; distance:0; nocase; pcre:"/ShadowNet\s+Remote\s+Web\s+Based\s+Spyware/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453081042; classtype:trojan-activity; sid:11314; rev:2;)
alert tcp $HOME_NET 5712 -> $EXTERNAL_NET any (msg:"BACKDOOR sohoanywhere runtime detection"; flow:from_server,established; content:"RFB 003.003|0A|"; depth:12; nocase; flowbits:set,Sohoanywhere_Init; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:11322; rev:2;)
alert udp $HOME_NET any -> 255.255.255.255 5053 (msg:"BACKDOOR netwindow runtime detection - udp broadcast"; flow:to_server; content:"NWHOST"; depth:6; nocase; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=NetWindow&threatid=43584; classtype:trojan-activity; sid:11321; rev:3;)
alert tcp $EXTERNAL_NET 19820 -> $HOME_NET any (msg:"BACKDOOR boer runtime detection - init connection"; flow:from_server,established; content:"EMSG0006"; depth:8; nocase; metadata:policy security-ips drop; reference:url,soft.myboer.cn; classtype:trojan-activity; sid:11318; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 610 (msg:"BACKDOOR supervisor plus runtime detection"; flow:to_server,established; content:"L"; depth:1; nocase; content:"|00|"; depth:1; offset:3; pcre:"/^L\d\d\x00/smi"; flowbits:set,SupervisorPlus_detection; flowbits:noalert; classtype:trojan-activity; sid:11953; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR blue eye 1.0b runtime detection - init connection"; flow:from_server,established; flowbits:isset,BlueEye1.0b_detection; dsize:3; content:"SUC"; reference:url,secunia.com/virus_information/11032/blueye-a/; reference:url,www.spywareguide.com/spydet_816_blue_eye_1_0b.html; classtype:trojan-activity; sid:12147; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection"; flow:to_server,established; content:"Start"; depth:5; nocase; pcre:"/^Start$/smi"; flowbits:set,HotmailHackerLogEdition5.0_detection; flowbits:noalert; classtype:trojan-activity; sid:12242; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1357 (msg:"BACKDOOR cobra uploader 1.0 runtime detection"; flow:to_server,established; flowbits:isset,CobraUploader1.0_detection; content:"filebhejdai|7C|"; depth:12; reference:url,www.megasecurity.org/trojans/b/blackcobra/Blackcobra_uploader1.0.html; classtype:trojan-activity; sid:12164; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR bifrost v1.2.1 runtime detection"; flow:from_server,established; content:"|05 00 00 00 BC|"; depth:5; content:"|CC|"; within:1; distance:3; flowbits:set,Bifrost_v1.2.1_detection; flowbits:noalert; classtype:trojan-activity; sid:12297; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR theef 2.10 runtime detection - connect with password"; flow:from_server,established; content:"|FA CB D9 D9 DD C5 D8 CE D6|"; depth:9; flowbits:set,Theef210_Connectionwithpassword; flowbits:noalert; classtype:trojan-activity; sid:12235; rev:1;)
alert tcp $HOME_NET 500 -> $EXTERNAL_NET any (msg:"BACKDOOR optix pro v1.32 runtime detection - download file"; flow:from_server,established; flowbits:isset,OptixPROv1.32Download_detection1; content:"+OK REDY|0D 0A|"; depth:10; flowbits:set,OptixPROv1.32Download_detection2; flowbits:noalert; classtype:trojan-activity; sid:12154; rev:1;)
alert tcp $HOME_NET 54320 -> $EXTERNAL_NET any (msg:"BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection"; flow:from_server,established; flowbits:isset,BackOrifice2006_1.1.5_detection; content:"|00 00 00|"; depth:3; content:"|CD C3 13|7|04|"; within:5; distance:1; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.salama.tn/backorifice.htm; reference:url,www.spywareguide.com/product_show.php?id=1945; classtype:trojan-activity; sid:12149; rev:1;)
alert tcp $HOME_NET [37,31415,31416] -> $EXTERNAL_NET any (msg:"BACKDOOR lithium 1.02 runtime detection"; flow:to_client,established; flowbits:isset,Lithium1.02_detection; content:"|00 00 00 00 00 04 00|"; offset:1; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=658; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-061113-2401-99; classtype:trojan-activity; sid:12166; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR trail of destruction 2.0 runtime detection - get system info"; flow:to_server,established; content:"_Get_Sys_Info_"; depth:14; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076564; classtype:trojan-activity; sid:12053; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR genie 1.7 runtime detection - init connection"; flow:to_client,established; content:"|1B|[2J|0D 0A| "; depth:7; content:"Hello"; nocase; content:"my"; distance:0; nocase; content:"master"; distance:0; nocase; content:"waiting"; distance:0; nocase; content:"for"; distance:0; nocase; content:"your"; distance:0; nocase; content:"commands"; distance:0; nocase; flowbits:set,Genie1.7_detection; flowbits:noalert; classtype:trojan-activity; sid:12240; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7896 (msg:"BACKDOOR lame rat v1.0 runtime detection"; flow:established; content:"MESSAGE + "; depth:10; nocase; content:" + windows"; distance:0; nocase; reference:url,www.megasecurity.org/trojans/l/lamerat/Lamerat1.0.html; classtype:trojan-activity; sid:11949; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR radmin 3.0 runtime detection - initial connection"; flow:from_server,established; flowbits:isset,Radmin3.0_conn_detection; content:"|01 00 00 00|%|00 00 02 12 08 02 00 00 0A 00 00|"; depth:16; reference:url,www.econsultant.com/spyware-database/r/radmin-3-0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096740; classtype:trojan-activity; sid:12374; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 501 (msg:"BACKDOOR optix pro v1.32 runtime detection - upload file"; flow:to_server,established; content:"InfoOn|AC|"; depth:7; flowbits:set,OptixPROv1.32Upload_detection1; flowbits:noalert; classtype:trojan-activity; sid:12156; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR theef 2.10 runtime detection - ftp"; flow:to_server,established; flowbits:isset,Theef210_TheefFTP; content:"Theef2.10_"; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-071209-4425-99; classtype:trojan-activity; sid:12238; rev:1;)
alert tcp $HOME_NET 58008 -> $EXTERNAL_NET any (msg:"BACKDOOR tron runtime detection - init connection"; flow:from_server,established; flowbits:isset,Tron_Initconnection; content:"<THETIMEIS>"; depth:11; nocase; reference:url,www.megasecurity.org/trojans/t/tron/Tron.html; classtype:trojan-activity; sid:12055; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR winshadow runtime detection - init connection request"; flow:to_server,established; content:"@|11 00 00 00 00 00 00 1C 00 00 00 10 00 03 00 00 00 01 00 02 00|"; depth:22; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060036; classtype:trojan-activity; sid:11951; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR cafeini 1.0 runtime detection - init connection"; flow:to_client,established; content:"|FF FD 03 FF FD 18 FF FD 1F|"; depth:9; flowbits:set,CAFEiNi_detection; flowbits:noalert; classtype:trojan-activity; sid:12150; rev:1;)
alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"BACKDOOR optix pro v1.32 runtime detection - keylogging"; flow:from_server,established; content:"inc|AC|"; depth:4; threshold:type limit, track by_src, count 1, seconds 120; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12159; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR radmin 3.0 runtime detection - login & remote control"; flow:from_server,established; flowbits:isset,Radmin3.0_login_detection; content:"|01 00 00 00 05 00 00 00|''|00 00 00 00|"; depth:14; reference:url,www.econsultant.com/spyware-database/r/radmin-3-0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096740; classtype:trojan-activity; sid:12376; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR theef 2.10 runtime detection - connect with no password"; flow:from_server,established; flowbits:isset,Theef210_Connectionwithnopassword; content:"|FC CF D8 D6 98 84 9B 9A|"; depth:8; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-071209-4425-99; classtype:trojan-activity; sid:12234; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 610 (msg:"BACKDOOR supervisor plus runtime detection"; flow:to_server,established; flowbits:isset,SupervisorPlus_detection; content:"<A "; depth:3; nocase; pcre:"/^\x3c\x41\x20.*\x3b\x5c\x5c.*\x5cSV\x24\x5c\x3e\x3c/smi"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453109596; classtype:trojan-activity; sid:11954; rev:1;)
alert tcp $HOME_NET 503 -> $EXTERNAL_NET any (msg:"BACKDOOR optix pro v1.32 runtime detection - screen capturing"; flow:from_server,established; flowbits:isset,OptixPROv1.32Screencapture_detection1; content:" |0D 0A|"; depth:3; flowbits:set,OptixPROv1.32Screencapture_detection2; flowbits:noalert; classtype:trojan-activity; sid:12161; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR access remote pc runtime detection - init connection"; flow:to_server,established; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; flowbits:set,AccessRemotePC_detection; flowbits:noalert; classtype:trojan-activity; sid:12142; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR the[x] 1.2 runtime detection - execute command"; flow:from_server,established; content:"000The[X]Server"; depth:15; nocase; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074872; classtype:trojan-activity; sid:12052; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR itadem trojan 3.0 runtime detection"; flow:to_client,established; content:"|0D 0A|<title>ItAdEm Trojan Server</title>|0D 0A|"; nocase; reference:url,www.antispyware.com/glossary_details.php?ID=2059; reference:url,www.megasecurity.org/trojans/i/itadem/Itadem3.0.html; classtype:trojan-activity; sid:12244; rev:1;)
alert udp $HOME_NET 3262 -> $EXTERNAL_NET any (msg:"BACKDOOR winshadow runtime detection - udp response"; flow:to_client; content:"|03 00 00 00 01 00 02 00 00 00 00 00|"; depth:12; offset:5; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060036; classtype:trojan-activity; sid:11952; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR shark 2.3.2 runtime detection"; flow:to_server,established; content:"F|15 1D|"; depth:3; flowbits:set,sharK_2.3.2_detection; flowbits:noalert; classtype:trojan-activity; sid:12377; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1357 (msg:"BACKDOOR cobra uploader 1.0 runtime detection"; flow:to_server,established; content:"DIR"; depth:3; offset:3; pcre:"/^(SYS|WIN)DIR$/sm"; flowbits:set,CobraUploader1.0_detection; flowbits:noalert; classtype:trojan-activity; sid:12163; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR optix pro v1.32 runtime detection - init connection"; flow:from_server,established; content:"001|AC|Optix"; depth:9; nocase; content:"Pro"; distance:0; nocase; content:"v1.32"; distance:0; nocase; content:"Connected"; distance:0; nocase; content:"Successfully!|0D 0A|"; distance:0; nocase; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12152; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BACKDOOR access remote pc runtime detection - rpc setup"; flow:to_server,established; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; flowbits:set,AccessRemotePC_RPCdetection; flowbits:noalert; classtype:trojan-activity; sid:12144; rev:1;)
alert tcp $HOME_NET 500 -> $EXTERNAL_NET any (msg:"BACKDOOR optix pro v1.32 runtime detection - download file"; flow:from_server,established; flowbits:isset,OptixPROv1.32Download_detection2; content:"+OK RCVD|0D 0A|"; depth:10; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12155; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR radmin 3.0 runtime detection - initial connection"; flow:to_server,established; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; flowbits:set,Radmin3.0_conn_detection; flowbits:noalert; classtype:trojan-activity; sid:12373; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [37,31415,31416] (msg:"BACKDOOR lithium 1.02 runtime detection"; flow:to_server,established; content:"|24 00 00 00 00 00 03 00 0D 00 00 00|"; depth:12; flowbits:set,Lithium1.02_detection; flowbits:noalert; classtype:trojan-activity; sid:12165; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BACKDOOR c99shell.php command request"; flow:established,to_server; uricontent:"act="; pcre:"/[\x26\x3F]act=(cmd|search|upload|about|encoder|bind|ps_aux|ftpquickbrute|security|sql|eval|feedback|selfremove|fsbuff|ls|phpinfo)/Usmi"; reference:url,vil.nai.com/vil/content/v_136948.htm; classtype:policy-violation; sid:12077; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR blue eye 1.0b runtime detection - init connection"; flow:to_server,established; content:"AUTH"; depth:4; flowbits:set,BlueEye1.0b_detection; flowbits:noalert; classtype:trojan-activity; sid:12146; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 58008 (msg:"BACKDOOR tron runtime detection - init connection - flowbit set"; flow:to_server,established; content:"<SYSTMTIME>"; depth:11; nocase; flowbits:set,Tron_Initconnection; flowbits:noalert; classtype:trojan-activity; sid:12054; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR bifrost v1.2.1 runtime detection"; flow:to_server,established; flowbits:isset,Bifrost_v1.2.1_detection; content:"|00 00 00 9B|O|B0|h|FE|j|9A 1C|"; depth:11; offset:1; reference:url,www.spywareguide.com/spydet_1464_bifrose.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453114444; classtype:trojan-activity; sid:12298; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR genie 1.7 runtime detection - init connection"; flow:to_client,established; flowbits:isset,Genie1.7_detection; content:"|1B|[2J|0D 0A| "; depth:7; content:"Genie"; distance:0; nocase; content:"v1.7"; distance:0; nocase; reference:url,www.megasecurity.org/trojans/g/genie/Genie1.7.html; classtype:trojan-activity; sid:12241; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR theef 2.10 runtime detection - connect with password"; flow:to_server,established; flowbits:isset,Theef210_Connectionwithpassword; content:"|FA CB D9 D9 EB DE DE D6|"; depth:8; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-071209-4425-99; classtype:trojan-activity; sid:12236; rev:1;)
# Snort rules, one rule per line; the engine consumes each line verbatim.
# Conventions used throughout this section:
#   flowbits:set,<name> together with flowbits:noalert  = stage-1 rule that only tags the flow
#   flowbits:isset,<name>                                = stage-2 rule that alerts once the flow is tagged
#   threshold:type limit, track by_src, count 1, seconds N = at most one alert per source per N seconds
# NOTE(review): the rule-level "threshold" option is deprecated in later Snort 2.x releases in favour of
# detection_filter / event_filter; confirm against the engine version these rules are loaded into.
alert tcp $HOME_NET 1339 -> $EXTERNAL_NET any (msg:"BACKDOOR killav_gj"; flow:from_server,established; content:"Server|3A|"; nocase; content:"Root"; distance:0; nocase; content:"kit"; distance:0; nocase; content:"scaner"; distance:0; nocase; pcre:"/^Server\x3a[^\r\n]*Root[^\r\n]*kit[^\r\n]*Scaner/smi"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,karus-software.at/portal/modules.php?name=Virenlexikon&suche=t&submit=suche&show=Trojan.Win32.KillAV.GJ; classtype:trojan-activity; sid:11950; rev:1;)
# Stage-1 tag only; the rule that consumes Theef210_Connectionwithnopassword is not in this section.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR theef 2.10 runtime detection - connect with no password"; flow:from_server,established; content:"|FA CB D9 D9 E5 E1 D6|"; depth:7; flowbits:set,Theef210_Connectionwithnopassword; flowbits:noalert; classtype:trojan-activity; sid:12233; rev:1;)
# Optix Pro upload is a three-stage chain: Upload_detection1 (set elsewhere) -> sid:12157 sets Upload_detection2 -> sid:12158 alerts.
alert tcp $HOME_NET 501 -> $EXTERNAL_NET any (msg:"BACKDOOR optix pro v1.32 runtime detection - upload file"; flow:from_server,established; flowbits:isset,OptixPROv1.32Upload_detection1; content:" |0D 0A|"; depth:3; flowbits:set,OptixPROv1.32Upload_detection2; flowbits:noalert; classtype:trojan-activity; sid:12157; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 54320 (msg:"BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|CD C3 13|7"; within:4; distance:1; flowbits:set,BackOrifice2006_1.1.5_detection; flowbits:noalert; classtype:trojan-activity; sid:12148; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 503 (msg:"BACKDOOR optix pro v1.32 runtime detection - screen capturing"; flow:to_server,established; content:"SendACap|AC|"; depth:9; flowbits:set,OptixPROv1.32Screencapture_detection1; flowbits:noalert; classtype:trojan-activity; sid:12160; rev:1;)
alert tcp $HOME_NET 501 -> $EXTERNAL_NET any (msg:"BACKDOOR optix pro v1.32 runtime detection - upload file"; flow:from_server,established; flowbits:isset,OptixPROv1.32Upload_detection2; content:"FileSizeIs|AC|"; depth:11; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12158; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR access remote pc runtime detection - init connection"; flow:from_server,established; flowbits:isset,AccessRemotePC_detection; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Access%20Remote%20PC&threatid=29373; classtype:trojan-activity; sid:12143; rev:1;)
# Stage-1 tag only; the consumer of Theef210_TheefFTP is not in this section.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR theef 2.10 runtime detection - ftp"; flow:from_server,established; content:"Theef2"; content:"FTP"; distance:0; content:"Server"; distance:0; pcre:"/Theef2\s+FTP\s+Server\x3A/"; flowbits:set,Theef210_TheefFTP; flowbits:noalert; classtype:trojan-activity; sid:12237; rev:1;)
# Stage-1 tag only; the consumer of Radmin3.0_login_detection is not in this section.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR radmin 3.0 runtime detection - login & remote control"; flow:to_server,established; content:"|01 00 00 00 05 00 00 02|''|02 00 00 00|"; depth:14; flowbits:set,Radmin3.0_login_detection; flowbits:noalert; classtype:trojan-activity; sid:12375; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR furax 1.0 b3 runtime detection"; flow:from_server,established; content:"|03 00 1C 00 00 00 00 00 01|Furax"; depth:14; nocase; content:"1.0b3"; distance:0; nocase; content:"Server|00|"; distance:0; nocase; pcre:"/^\x03\x00\x1c\x00\x00\x00\x00\x00\x01Furax\s+1\x2E0b3\s+Server\x00/smi"; reference:url,www.megasecurity.org/trojans/f/furax/Furax1.0b3.html; classtype:trojan-activity; sid:12245; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR cafeini 1.0 runtime detection"; flow:to_client,established; flowbits:isset,CAFEiNi_detection; content:"INIPACK"; depth:7; nocase; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.spywareguide.com/spydet_904_cafeini.html; classtype:trojan-activity; sid:12151; rev:2;)
alert tcp $HOME_NET 500 -> $EXTERNAL_NET any (msg:"BACKDOOR optix pro v1.32 runtime detection - download file"; flow:from_server,established; content:" |0D 0A|"; depth:3; flowbits:set,OptixPROv1.32Download_detection1; flowbits:noalert; classtype:trojan-activity; sid:12153; rev:1;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"BACKDOOR webcenter v1.0 Backdoor - init connection"; flow:from_server,established; content:"Web Center|3A|"; nocase; content:"Nom de l ordinateur|3A|"; distance:0; nocase; reference:url,www.megasecurity.org/trojans/w/webcenter/Webcenter1.0.html; classtype:trojan-activity; sid:12239; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR shark 2.3.2 runtime detection"; flow:from_server,established; flowbits:isset,sharK_2.3.2_detection; content:"F|15 1D|K|80|?|03 00 01 09|5"; depth:11; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.2-spyware.com/remove-shark-trojan.html; reference:url,www.megasecurity.org/trojans/s/shark/Shark0.5.html; reference:url,www.spywaredb.com/remove-shark-trojan/; classtype:trojan-activity; sid:12378; rev:1;)
# NOTE(review): "SizeIs|AC|" is 7 bytes but depth:11 is used; sid:12158 above matches the 11-byte
# "FileSizeIs|AC|" with the same depth. Confirm whether the full token was intended here as well.
alert tcp $HOME_NET 503 -> $EXTERNAL_NET any (msg:"BACKDOOR optix pro v1.32 runtime detection - screen capturing"; flow:from_server,established; flowbits:isset,OptixPROv1.32Screencapture_detection2; content:"SizeIs|AC|"; depth:11; threshold:type limit, track by_src, count 1, seconds 120; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12162; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"BACKDOOR access remote pc runtime detection - rpc setup"; flow:from_server,established; flowbits:isset,AccessRemotePC_RPCdetection; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Access%20Remote%20PC&threatid=29373; classtype:trojan-activity; sid:12145; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR ultimate rat 2.1 runtime detection"; flow:from_server,established; content:"|01 00 00 02|WordUP"; depth:10; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060550; classtype:trojan-activity; sid:12051; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection"; flow:to_client,established; flowbits:isset,HotmailHackerLogEdition5.0_detection; content:"|C0|STATUS|C0|Server"; depth:14; nocase; content:"Keylogging"; distance:0; nocase; content:"Started!"; distance:0; nocase; pcre:"/^\xc0STATUS\xc0Server\s\x3A\sKeylogging\sStarted\!$/smi"; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453075158; reference:url,www.spywareguide.com/spydet_935_hotmail_hacker_x_edition.html; classtype:trojan-activity; sid:12243; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR troll.a runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"terServer"; distance:0; nocase; pcre:"/^User-Agent\x3a[^\r\n]*terServer/smi"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.econsultant.com/spyware-database/t/trojandownloader-win32-troll.html; reference:url,www.sophos.com/virusinfo/analyses/trojtrolla.html; classtype:trojan-activity; sid:12661; rev:1;)
# Poison Ivy 2.3.0: two set/isset pairs cover the same 16-byte exchange in both flow directions —
# sid:12701 (to_server) tags serverDetection for sid:12702 (from_server), and
# sid:12699 (from_server) tags initDetection for sid:12700 (to_server).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR poison ivy 2.3.0 runtime detection - server connection"; flow:from_server,established; flowbits:isset,PoisonIvy2.3.0_serverDetection; content:"|E0 F5|=|C1 F0 EA 15 DB|C>e|F8 9B E2 14 BA|"; depth:16; threshold:type limit, track by_src, count 1, seconds 500; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PoisonIvy&threatid=43179; classtype:trojan-activity; sid:12702; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR poison ivy 2.3.0 runtime detection - server connection"; flow:to_server,established; content:"|B9 E1 A5|~|C7 B7 82|n|22|n|0B CB FD|w|ED|I"; depth:16; flowbits:set,PoisonIvy2.3.0_serverDetection; flowbits:noalert; classtype:trojan-activity; sid:12701; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR poison ivy 2.3.0 runtime detection - init connection"; flow:to_server,established; flowbits:isset,PoisonIvy2.3.0_initDetection; content:"|E0 F5|=|C1 F0 EA 15 DB|C>e|F8 9B E2 14 BA|"; depth:16; threshold:type limit, track by_src, count 1, seconds 300; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PoisonIvy&threatid=43179; classtype:trojan-activity; sid:12700; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR poison ivy 2.3.0 runtime detection - init connection"; flow:from_server,established; content:"|B9 E1 A5|~|C7 B7 82|n|22|n|0B CB FD|w|ED|I"; depth:16; flowbits:set,PoisonIvy2.3.0_initDetection; flowbits:noalert; classtype:trojan-activity; sid:12699; rev:1;)
# NOTE(review): the fixed port 10110 sits on the $HOME_NET side while flow says to_server; sid:12684 just
# below pairs a $HOME_NET port with to_client. Confirm the intended direction. classtype:misc-activity also
# differs from the trojan-activity used for the other RAT rules in this section.
alert tcp $HOME_NET 10110 -> $EXTERNAL_NET any (msg:"BACKDOOR Versi TheTheef Detection"; flow:established,to_server; content:"VERSI |28|TheTheef|29|"; depth:16; nocase; classtype:misc-activity; sid:12675; rev:1;)
alert tcp $HOME_NET 7323 -> $EXTERNAL_NET any (msg:"BACKDOOR Sygate Remote Administration Engine"; flow:established,to_client; content:"SyGate |0A|"; depth:8; nocase; reference:bugtraq,952; reference:url,marc.info/?l=bugtraq&m=94934808714972&w=2; classtype:misc-activity; sid:12684; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR bandook 1.35 runtime detection"; flow:from_server,established; flowbits:isset,Bandook135_detection; content:"|CF AB A8 A7 AE CF|"; depth:6; threshold:type limit, track by_src, count 1, seconds 300; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; classtype:trojan-activity; sid:12727; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR bandook 1.35 runtime detection"; flow:to_server,established; content:"|CF 8F 80 9B 9A 9D CF C9 CA C9 D9 8D C9|"; depth:13; flowbits:set,Bandook135_detection; flowbits:noalert; classtype:trojan-activity; sid:12726; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR dark moon 4.11 runtime detection"; flow:to_server,established; flowbits:isset,DarkMoon411_detection; content:"1bsrCwE93uxp"; depth:12; reference:url,www.spywareguide.com/spydet_2745_dark_moon.html; classtype:trojan-activity; sid:12725; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR dark moon 4.11 runtime detection"; flow:from_server,established; content:"1DbsLbE3i/MBQu9Z"; depth:16; flowbits:set,DarkMoon411_detection; flowbits:noalert; classtype:trojan-activity; sid:12724; rev:1;)
# Stage-1 tag for sid:13246: "/index" with no depth/offset is evaluated against every established outbound
# TCP flow on any port, so it will tag many unrelated flows. noalert keeps this from generating alerts on
# its own; the actual alert comes only when sid:13246 sees the matching <title> reply.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR troya 1.4 runtime detection - init connection"; flow:to_server,established; content:"/index"; nocase; flowbits:set,Troya_1_4_detection; flowbits:noalert; classtype:trojan-activity; sid:13245; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR yuri 1.2 runtime detection - init connection"; flow:from_server,established; content:"Req_Conn"; depth:8; nocase; flowbits:set,Yuri_1_2_detection; flowbits:noalert; classtype:trojan-activity; sid:13247; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR troya 1.4 runtime detection - init connection"; flow:from_server,established; flowbits:isset,Troya_1_4_detection; content:"<title>"; nocase; content:"Troya"; distance:0; nocase; content:"-"; distance:0; nocase; content:"by"; distance:0; nocase; content:"Sma"; distance:0; nocase; content:"Soft"; distance:0; nocase; content:"</title>"; distance:0; nocase; pcre:"/\x3Ctitle\x3ETroya\s+\x2D\s+by\s+Sma\s+Soft\x3C\x2Ftitle\x3E/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Troya&threatid=41533; classtype:trojan-activity; sid:13246; rev:1;)
# Style: nocase on the single non-alphabetic byte |7C| is a no-op. The pcre's unanchored ".*" under /s can
# scan the whole payload, but it is only reached once sid:13247 has set Yuri_1_2_detection on the flow.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR yuri 1.2 runtime detection - init connection"; flow:to_server,established; flowbits:isset,Yuri_1_2_detection; content:"|7C|"; nocase; content:"|7C|"; distance:0; nocase; content:"|7C|Yuri"; distance:0; nocase; content:"v1."; distance:0; nocase; content:"|7C|"; distance:0; nocase; pcre:"/\x7C\d+\x2E\d+\x2E\d+\x2E\d+\x7C.*\x7CYuri\s+v1\x2E\d+\x7C/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Yuri%20RAT&threatid=48528; classtype:trojan-activity; sid:13248; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR evilotus 1.3.2 runtime detection - init connection"; flow:to_server,established; flowbits:isset,Evilotus_detection; content:"|0C|~|7F D8|"; depth:4; content:"|00 00 00|d|C8 00 00|"; within:8; distance:1; content:"|00 00 00|"; within:3; distance:1; threshold:type limit, track by_src, count 1, seconds 200; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.Evilotus.A&threatid=124679; reference:url,www.megasecurity.org/trojans/e/evilotus/Evilotus1.3.2.html; classtype:trojan-activity; sid:13507; rev:1;)
# Stage-2 for sid:13508: the 2-byte "|01 00|" at depth 2 is weak on its own and relies entirely on the flowbit gate.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR xploit 1.4.5 pc runtime detection"; flow:from_server,established; flowbits:isset,Xploit1_4_5_detection; content:"|01 00|"; depth:2; threshold:type limit, track by_src, count 1, seconds 400; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Xploit&threatid=48489; reference:url,spywaredetector.net/spyware_encyclopedia/Backdoor.Xploit.htm; classtype:trojan-activity; sid:13509; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR evilotus 1.3.2 runtime detection - init connection"; flow:from_server,established; flowbits:set,Evilotus_detection; content:"|0C|~|7F D8 13 00 00 00|d|C8 00 00 0B 00 00 00 07 00 00 00 80 E7 03 0C|~|7F D8|"; depth:27; flowbits:noalert; classtype:trojan-activity; sid:13506; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR xploit 1.4.5 runtime detection"; flow:to_server,established; content:"|00 01|"; depth:2; offset:1; content:"Minutes"; nocase; content:"|00 A1 0F 00 00 00|"; distance:0; flowbits:set,Xploit1_4_5_detection; flowbits:noalert; classtype:trojan-activity; sid:13508; rev:1;)
# HTTP-borne callbacks. uricontent matches the normalized request-URI buffer only; Host / User-Agent /
# Referer headers are matched with a plain content and then pinned to one header line by a /^...[^\r\n]*.../smi pcre.
# NOTE(review): the request method is not part of the URI buffer that uricontent searches, so the leading
# "POST " in this uricontent is unlikely to ever match. Suggested form:
#   content:"POST "; depth:5; uricontent:"/ld/mat18/s.php"; nocase;
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR MBR rootkit HTTP POST activity detected"; flow:established,to_server; uricontent:"POST /ld/mat18/s.php"; nocase; reference:url,www.sophos.com/security/blog/2008/01/987.html; classtype:trojan-activity; sid:13625; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR nuclear rat 2.1 runtime detection - init connection"; flow:to_server,established; flowbits:set,Nuclear_RAT_2_1_detection; content:"|FF 00|"; depth:2; content:"|00 00 00 01 00 00 00 00 00 00|"; within:10; distance:1; flowbits:noalert; classtype:trojan-activity; sid:13654; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR nuclear rat 2.1 runtime detection - init connection"; flow:from_server,established; flowbits:isset,Nuclear_RAT_2_1_detection; content:"|1E 0D 00 00 00 00 00 00 00 00 00 00 00|"; depth:13; threshold:type limit, track by_src, count 1, seconds 200; reference:url,en.wikipedia.org/wiki/Nuclear_RAT; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Nuclear%20RAT&threatid=43578; classtype:trojan-activity; sid:13655; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR zombget.03 runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"ZOMBIES_HTTP_GET"; distance:0; nocase; pcre:"/^User-Agent\x3a[^\r\n]*ZOMBIES\x5fHTTP\x5fGET/smi"; reference:url,ca.com/ca/fr/securityadvisor/pest/pest.aspx?id=453072485; reference:url,www.pctools.com/mrc/infections/id/Trojan-Downloader.ZombGet/; classtype:trojan-activity; sid:13815; rev:1;)
# Inbound only ($EXTERNAL_NET -> $HOME_NET, to_server): a $HOME_NET host sending this same banner outbound is not covered here.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR passhax runtime detection - initial connection"; flow:to_server,established; content:"MAININFO|7C|password|7C|ENU|7C|My"; depth:24; nocase; content:"server"; distance:0; nocase; content:"|3A|D|7C|"; distance:0; nocase; pcre:"/^MAININFO\x7Cpassword\x7CENU\x7CMy\s+server\s+\x3AD\x7C/smi"; reference:url,www.spywareguide.com/spydet_30090_passhax.html; classtype:trojan-activity; sid:13814; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR wintrim.z runtime detection"; flow:to_server,established; uricontent:"/binaries/2/2_mslagent.dll"; nocase; content:"User-Agent|3A|"; nocase; content:"HTTPRequest"; distance:0; nocase; pcre:"/^User-Agent\x3a[^\r\n]*HTTPRequest/smi"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.spywaredb.com/remove-trojandownloader-win32-wintrim-z/; reference:url,www.spywareguide.com/product_show.php?id=2225; classtype:trojan-activity; sid:13856; rev:1;)
# Stage-1 tag: the request URI sets Trojan-Spy.Win32.Delf.uv_Detection; sid:13878 alerts on the UTF-16 "[update]"/"[popwin]" reply.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan-spy.win32.delf.uv runtime detection"; flow:to_server,established; uricontent:"/popwin/"; nocase; uricontent:"/update.txt"; nocase; flowbits:set,Trojan-Spy.Win32.Delf.uv_Detection; flowbits:noalert; classtype:trojan-activity; sid:13877; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR zlob.acc runtime detection"; flow:to_server,established; uricontent:"/inst/setup_"; nocase; uricontent:".exe"; nocase; pcre:"/\x2finst\x2fsetup\x5f\d+\x5f\d+\x5f\x2eexe/Ui"; content:"Host|3A|"; nocase; content:"dl.winspywareprotects.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*dl\x2ewinspywareprotects\x2ecom/smi"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,spyware.processlibrary.com/details/SpyName/Trojan-Downloader.Zlob.acc/; reference:url,www.spywarelib.com/removal-info/Trojan-Downloader.Zlob.acc/; classtype:trojan-activity; sid:13876; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR trojan-spy.win32.delf.uv runtime detection"; flow:from_server,established; flowbits:isset,Trojan-Spy.Win32.Delf.uv_Detection; content:"[|00|u|00|p|00|d|00|a|00|t|00|e|00|]"; content:"[|00|p|00|o|00|p|00|w|00|i|00|n|00|]"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Spy.Win32.Delf.uv&threatid=134949; classtype:trojan-activity; sid:13878; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan agent.nac runtime detection - click fraud"; flow:to_server,established; uricontent:"/in.cgi?"; nocase; uricontent:"key="; nocase; content:"Host|3A|"; nocase; content:"bfirst.info"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*bfirst\x2einfo/smi"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,cai.com/pe/securityadvisor/pest/pest.aspx?id=453132827; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Agent.nac&threatid=234088; classtype:trojan-activity; sid:13941; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan downloader small.gy runtime detection - update"; flow:to_server,established; uricontent:"/grand/addme.php?"; nocase; uricontent:"botid="; nocase; uricontent:"port="; nocase; uricontent:"smtp="; nocase; uricontent:"ipstring="; nocase; uricontent:"connect,ok"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Proxy.Win32.Small.gy&threatid=257144; reference:url,www.iss.net/security_center/reference/vuln/Trojan.Spy.Small.GY.html; classtype:trojan-activity; sid:13945; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan downloader small.gy runtime detection - get whitelist"; flow:to_server,established; uricontent:"/grand/data/whitelist.txt"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Proxy.Win32.Small.gy&threatid=257144; reference:url,www.iss.net/security_center/reference/vuln/Trojan.Spy.Small.GY.html; classtype:trojan-activity; sid:13944; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan agent.nac runtime detection - call home"; flow:to_server,established; uricontent:"/fd/sea.php?"; nocase; uricontent:"ver="; nocase; content:"User-Agent|3A|"; nocase; content:"clk_jdfhid"; distance:0; nocase; pcre:"/^User-Agent\x3a[^\r\n]*clk\x5fjdfhid/smi"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,cai.com/pe/securityadvisor/pest/pest.aspx?id=453132827; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Agent.nac&threatid=234088; classtype:trojan-activity; sid:13942; rev:1;)
# Style: unlike the other Host|3A| rules here, no distance:0 follows the header match (same in sid:14087
# below), so the second content is an independent whole-payload search; the line-anchored pcre still
# enforces that the hostname is on the Host line before the rule alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR Adware.Win32.Agent.BM runtime detection #1"; flow:to_server,established; uricontent:"/?VFJDSz0"; nocase; content:"Host|3A|"; nocase; content:"www.visit-tracker.biz"; nocase; pcre:"/^Host\x3a[^\r\n]*www\x2Evisit\x2Dtracker\x2Ebiz/smi"; threshold:type limit, track by_src, count 1, seconds 100; reference:url,www.siteadvisor.com/sites/crackfind.com/downloads/12712157/; reference:url,www.threatexpert.com/threats/not-a-virus-adware-win32-agent-bm.html; classtype:trojan-activity; sid:14086; rev:1;)
# Style: the path is matched with content (whole payload) rather than uricontent, unlike sid:14084 for the
# same family; sid:14081 below does the same. Consider uricontent for consistency if the URI buffer is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR infostealer.banker.c runtime detection - collect user info"; flow:to_server,established; content:"/panel/s.php?"; nocase; content:"Host|3A|"; nocase; content:"leacherz.net"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*leacherz\x2enet/smi"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Infostealer.Banker.C&threatid=134389; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2007-040208-5335-99; classtype:trojan-activity; sid:14085; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan agent.aarm runtime detection - download other malware"; flow:to_server,established; uricontent:"/retadpu.php?"; nocase; uricontent:"version="; nocase; uricontent:"configversion="; nocase; uricontent:"GUID="; nocase; uricontent:"cmd="; nocase; uricontent:"p="; nocase; content:"Host|3A|"; nocase; content:"wr.mcboo.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*wr\x2emcboo\x2ecom/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Agent.bls&threatid=135991; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AARM&VSect=T; classtype:trojan-activity; sid:14083; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan agent.aarm runtime detection - call home"; flow:to_server,established; content:"/scripts/worker.php"; nocase; content:"Host|3A|"; nocase; content:"hujashka.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*hujashka\x2ecom/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Agent.bls&threatid=135991; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AARM&VSect=T; classtype:trojan-activity; sid:14081; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR Adware.Win32.Agent.BM runtime detection #2"; flow:to_server,established; uricontent:"/template/top.html"; nocase; content:"Referer|3A|"; nocase; content:"http|3A|//www.visit-tracker.biz/?VFJDSz0"; nocase; pcre:"/^Referer\x3a[^\r\n]*http\x3A\x2F\x2Fwww\x2Evisit\x2Dtracker\x2Ebiz\x2F\x3FVFJDSz0/smi"; threshold:type limit, track by_src, count 1, seconds 150; reference:url,www.siteadvisor.com/sites/crackfind.com/downloads/12712157/; reference:url,www.threatexpert.com/threats/not-a-virus-adware-win32-agent-bm.html; classtype:trojan-activity; sid:14087; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR infostealer.banker.c runtime detection - download cfg.bin"; flow:to_server,established; uricontent:"/panel/cfg.bin"; nocase; content:"Host|3A|"; nocase; content:"leacherz.net"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*leacherz\x2enet/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Infostealer.Banker.C&threatid=134389; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2007-040208-5335-99; classtype:trojan-activity; sid:14084; rev:1;)
# No Host pin here: five short uricontent tokens ("/spm/", "id=", "tick=", "ver=", "smtp=") are the whole match, so expect this to be noisier than its siblings.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan agent.aarm runtime detection - spread via spam"; flow:to_server,established; uricontent:"/spm/"; nocase; uricontent:"id="; nocase; uricontent:"tick="; nocase; uricontent:"ver="; nocase; uricontent:"smtp="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Agent.bls&threatid=135991; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AARM&VSect=T; classtype:trojan-activity; sid:14082; rev:2;)
# The rules below are disabled (leading '#') and all carry "metadata:policy security-ips alert"; they
# look like rules that are meant to be switched on only under the security-ips policy rather than by
# default — confirm against the policy tooling in use before uncommenting any of them.
# alert tcp $HOME_NET 7306 -> $EXTERNAL_NET any (msg:"BACKDOOR netspy runtime detection - command pattern server-to-client"; flow:from_server,established; flowbits:isset,Netspy_Command_Pattern; content:"Netspy"; nocase; content:"Version"; distance:0; nocase; content:"STATUS"; distance:0; nocase; pcre:"/^Netspy\s+Version\s+\d+\x2E\d+\r\nSTATUS\x3A/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=434; classtype:trojan-activity; sid:6290; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR only 1 rat runtime detection - control command"; flow:to_server,established; flowbits:isset,Only1RAT_Control; content:"|7C FF 00 FF 00 FF 00 FF 00 FF 00 FF 0D 0A|"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Only%201%20RAT&threatid=40632; classtype:trojan-activity; sid:10451; rev:3;)
# alert tcp $HOME_NET 2213 -> $EXTERNAL_NET any (msg:"BACKDOOR screen control 1.0 runtime detection - capture on port 2213"; flow:from_server,established; flowbits:isset,ScreenControl_capture2213; content:"|00|2|00 00|x|9C ED|"; nocase; threshold:type limit, track by_src, count 1, seconds 120; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7669; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5005 (msg:"BACKDOOR outbreak_0.2.7 runtime detection - ring client-to-server"; flow:to_server,established; flowbits:isset,outbreak_ring_stc; content:"SINFO"; nocase; content:"PONG"; distance:0; nocase; pcre:"/^SINFO\x3B[^\r\n]{1,20}\x3BPONG\x3B/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html; classtype:trojan-activity; sid:7732; rev:3;)
# alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR http rat runtime detection - http"; flow:to_client,established; content:"<html><head><title>HTTP_RAT</title>"; nocase; content:"<h3>z0mbie's HTTP_RAT"; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076346; classtype:trojan-activity; sid:6398; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR glacier runtime detection - initial connection and directory browse"; flow:to_server,established; content:"|F5 CB C9 CF C6 F5 C8 C8 CE C7 F5|"; depth:11; content:"|F5 D5 D1 D5 F5|"; distance:0; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.symantec.com/avcenter/attack_sigs/s20302.html; classtype:trojan-activity; sid:7758; rev:3;)
# alert udp $HOME_NET 10167 -> $EXTERNAL_NET 10220 (msg:"BACKDOOR portal of doom runtime detection - udp stc"; flow:to_client; content:"KeepAlive"; depth:9; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,megasecurity.org/trojans/p/portalofdoom/Portalofdoom3.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4684; classtype:trojan-activity; sid:7802; rev:4;)
# NOTE(review): "OK " from source port 201 is the entire match here (3 bytes, no flowbit gate); expect a high false-positive rate if this is ever enabled.
# alert tcp $HOME_NET 201 -> $EXTERNAL_NET any (msg:"BACKDOOR one runtime detection"; flow:from_server,established; content:"OK "; depth:16; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/o/one/One0.12b.html; classtype:trojan-activity; sid:10168; rev:3;)
# alert tcp $HOME_NET 667 -> $EXTERNAL_NET 666 (msg:"BACKDOOR snipernet 2.1 runtime detection"; flow:from_server,established; flowbits:isset,snipernet; content:"pingback"; depth:8; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/s/snipernet/Snipernet2.1.html; classtype:trojan-activity; sid:7646; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR backage 3.1 runtime detection"; flow:to_server,established; content:"ExecuteUnloadAll"; depth:16; nocase; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1186; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=698; classtype:trojan-activity; sid:6107; rev:3;)
# itype:0 = ICMP echo reply; the match is the bare string "pskill" anywhere in the ICMP payload.
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR icmp cmd 1.0 runtime detection - pskill"; itype:0; content:"pskill"; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077250; classtype:trojan-activity; sid:10108; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"BACKDOOR dkangel runtime detection - udp client-to-server"; flow:to_server; content:"This is made by yyt_hac!"; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6127; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR bersek 1.0 runtime detection - start remote shell"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Remoteshell; content:"|23|[shellrs]"; depth:10; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0.html; classtype:trojan-activity; sid:9663; rev:3;)
# NOTE(review): in the pcre the range [A-z] also covers '[', '\', ']', '^', '_' and '`'; [A-Za-z] is
# probably what was meant (same expression in sid:7712 below).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 33229 (msg:"BACKDOOR amitis runtime command detection attacker to victim"; flow:to_server,established; content:"["; depth:1; content:"]"; distance:0; pcre:"/^\[[A-z]+\]/si"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=669; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072405; classtype:trojan-activity; sid:7711; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1111 (msg:"BACKDOOR xbkdr runtime detection"; flow:to_server,established; content:"|7C|"; depth:1; offset:3; pcre:"/^(?=[abchimoprswx])(acs|bin|c(ap|ls)|h(di|ms|tb)|iex|m(oo|tx|ws)|opn|pwr|rst|s(h[di]|ms|tb|wm)|wrd|xls)\x7C/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/x/x-bkdr/X-bkdr1.4.html; classtype:trojan-activity; sid:7822; rev:3;)
# alert tcp $HOME_NET 33229 -> $EXTERNAL_NET any (msg:"BACKDOOR amitis runtime detection victim to attacker"; flow:to_client,established; content:"["; depth:1; content:"]"; distance:0; pcre:"/^\[[A-z]+\]/si"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=669; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072405; classtype:trojan-activity; sid:7712; rev:3;)
# alert udp $EXTERNAL_NET 8012 -> $HOME_NET any (msg:"BACKDOOR ptakks2.1 runtime detection - keepalive acknowledgement"; flow:to_client; flowbits:isset,PtakkS_Keepalive; content:",jRj,"; threshold:type limit, track by_src, count 1, seconds 3000; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079909; classtype:trojan-activity; sid:6321; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (msg:"BACKDOOR alexmessomalex runtime detection - grab"; flow:to_server,established; content:"grab|3A|"; depth:5; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/a/alexmessomalex/Alexmessomalex_b2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45547; classtype:trojan-activity; sid:7739; rev:3;)
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR cookie monster 0.24 runtime detection - file explorer"; flow:from_server,established; flowbits:isset,CookieMonster_FileExplorer; content:"ls|01|.|01|..|01|"; depth:8; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262; classtype:trojan-activity; sid:6174; rev:3;)
# threshold:type both here (unlike the "type limit" used elsewhere): alerts only once 3 matches from a
# source have been seen within 300 s, then suppresses further alerts for the rest of the interval.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR wow 23 runtime detection"; flow:from_server,established; content:"R|00|23"; depth:4; threshold:type both, track by_src, count 3, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/0_9/23/23_0.3.html; classtype:trojan-activity; sid:10184; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR mantis runtime detection - sent notify option client-to-server 2"; flow:to_server,established; flowbits:isset,Mantis_Notify2; content:"notifsubject"; depth:12; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6146; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20001 (msg:"BACKDOOR millenium v1.0 runtime detection"; flow:to_server,established; content:"Millenium"; depth:9; nocase; pcre:"/^Millenium\s+\d+\x2E\d+\x2D/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076392; classtype:trojan-activity; sid:6122; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR sun shadow 1.70 runtime detection - keep alive"; flow:to_server,established; content:"|FF 01 03 03 00 00 00 00|"; depth:8; nocase; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/s/sunshadow/Sunshadow1.7.0.html; classtype:trojan-activity; sid:9839; rev:3;)
# alert udp $HOME_NET 47262 -> $EXTERNAL_NET any (msg:"BACKDOOR delta source 0.5 beta runtime detection - ping"; flow:to_client; content:"Delta"; depth:5; nocase; content:"Source"; distance:0; nocase; pcre:"/^Delta\s+Source\s+\d+\x2E\d+/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=840; classtype:trojan-activity; sid:7068; rev:4;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR small uploader 1.01 runtime detection - remote shell"; flow:from_server,established; flowbits:isset,smalluploader_remotesh; content:"DoScAp"; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/f/fearless/Smalluploader1.01.html; classtype:trojan-activity; sid:7655; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32418 (msg:"BACKDOOR acidbattery 1.0 runtime detection - sniff info"; flow:to_server,established; content:"SNIFF/"; depth:6; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=109; classtype:trojan-activity; sid:10443; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR guptachar 2.0 runtime detection"; flow:from_server,established; content:"Server|3A|"; nocase; content:"Guptachar"; distance:0; nocase; pcre:"/^Server\x3A\s+Guptachar\s+\d+\x2E\d+/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073814; classtype:trojan-activity; sid:6176; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR reversable ver1.0 runtime detection - execute command"; flow:to_server,established; flowbits:isset,ReVerSaBle_ExecuteCommand; content:"COMMENFile"; depth:10; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/r/reversable/Reversable1.0.html; classtype:trojan-activity; sid:7727; rev:3;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR only 1 rat runtime detection - icmp request"; itype:8; content:"Pinging from Delphi code written by F. Piette"; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Only%201%20RAT&threatid=40632; classtype:trojan-activity; sid:10452; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR 51d 1b runtime detection - icq notification"; flow:to_server,established; uricontent:"/wwp/msg/1,,,00.html"; nocase; uricontent:"Uin=223220036"; nocase; uricontent:"Name=51D"; nocase; uricontent:"Send="; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084229; classtype:trojan-activity; sid:10447; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR glacier runtime detection - screen capture"; flow:to_server,established; content:"|F5 CA C7 C7 C6 F5 C8 C8 CE C7 F5|"; depth:11; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.symantec.com/avcenter/attack_sigs/s20302.html; classtype:trojan-activity; sid:7759; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 8012 (msg:"BACKDOOR ptakks2.1 runtime detection - command pattern"; flow:to_server; content:",|3A|,j"; nocase; content:"G,o,,y,"; distance:0; nocase; pcre:"/\x2C\x3A\x2C\x6A[^\r\n]*\x47\x2C\x6F\x2C\x2C\x79\x2C/"; threshold:type limit, track by_src, count 1, seconds 3000; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079909; classtype:trojan-activity; sid:6322; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR bersek 1.0 runtime detection - init connection"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Init; content:"|23|[version]1.0"; depth:13; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0.html; classtype:trojan-activity; sid:9657; rev:3;)
# alert udp $EXTERNAL_NET 10220 -> $HOME_NET 10167 (msg:"BACKDOOR portal of doom runtime detection - udp cts"; flow:to_server; content:"pod"; depth:3; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,megasecurity.org/trojans/p/portalofdoom/Portalofdoom3.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4684; classtype:trojan-activity; sid:7801; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR y3k 1.2 runtime detection - user-agent string detected"; flow:to_server,established; content:"ipwHTTP"; nocase; http_header; content:"devSoft"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*devSoft\x27s\s+ipwHTTP\s+Component/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7118; rev:6;)
# alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BACKDOOR minicom lite runtime detection - udp"; content:"|04 03 02 01|n|00 00 00|"; depth:8; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/m/minicom/Minicom4.5.html; reference:url,www.spywareguide.com/product_show.php?id=910; classtype:trojan-activity; sid:7647; rev:3;)
# alert tcp $HOME_NET 7425 -> $EXTERNAL_NET any (msg:"BACKDOOR remote control 1.7 runtime detection - data communication"; flow:from_server,established; content:"|19 00 C8 00 01 00|"; depth:6; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080063; classtype:trojan-activity; sid:7624; rev:3;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR icmp cmd 1.0 runtime detection - pslist"; itype:0; content:"pslist"; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077250; classtype:trojan-activity; sid:10107; rev:3;)
# alert tcp $HOME_NET 12624 -> $EXTERNAL_NET any (msg:"BACKDOOR buttman v0.9p runtime detection - remote control"; flow:from_server,established; flowbits:isset,buttman.1; content:"|23|+|0D 0A|"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=684; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453089720; classtype:trojan-activity; sid:6336; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR zxshell runtime detection - setting information retrieve"; flow:from_server,established; content:"[zxconfig]"; nocase; content:"MyIP="; nocase; content:"Port="; nocase; content:"Password="; nocase; content:"Banner="; nocase; content:"BackConnect="; nocase; content:"ServerID="; nocase; content:"LocalPort="; nocase; threshold:type limit, track by_src, count 2, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453081617; classtype:trojan-activity; sid:8549; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR apofis 1.0 runtime detection - remote controlling"; flow:from_server,established; flowbits:isset,Backdoor.Apofis.Remotecontrol; content:"Troyano"; nocase; content:"Apofis"; distance:0; nocase; pcre:"/Troyano\s+Apofis\s+1\x2E0/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/a/apofis/Apofis1.0.html; classtype:trojan-activity; sid:9655; rev:3;)
# alert tcp $HOME_NET 47221 -> $EXTERNAL_NET any (msg:"BACKDOOR 3xBackdoor runtime detection"; flow:from_server,established; flowbits:isset,bit.3xBackdoorconnection; content:"Raport|3A| serwer aktywny"; depth:22; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/0_9/3xbackdoor/3xbackdoor.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084228; classtype:trojan-activity; sid:6324; rev:3;)
# alert udp $EXTERNAL_NET 1275 -> $HOME_NET 1276 (msg:"BACKDOOR matrix 1.03 by mtronic runtime detection - init connection"; content:"RequestConnect"; depth:14; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/m/matrix/Matrix1.03.html; classtype:trojan-activity; sid:10169; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR netthief runtime detection"; content:"|00 00 00 00 00 00 00 82|"; depth:8; offset:17; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=16078; classtype:trojan-activity; sid:7760; rev:3;)
# alert udp $HOME_NET 47262 -> $EXTERNAL_NET any (msg:"BACKDOOR delta source 0.5 beta runtime detection - pc info"; flow:to_client; content:"Server"; depth:6; nocase; content:"info|3A|"; distance:0; nocase; content:"Delta"; distance:0; nocase; content:"Source"; distance:0; nocase; pcre:"/^Server\s+info\x3A\x0D\x0ADelta\s+Source\s+v\d+\x2E\d+/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=840; classtype:trojan-activity; sid:7069; rev:4;)
# alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"BACKDOOR minicom lite runtime detection - server-to-client"; flow:from_server,established; flowbits:isset,MinicomLite; content:"|04 03 02 01|"; depth:4; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/m/minicom/Minicom4.5.html; reference:url,www.spywareguide.com/product_show.php?id=910; classtype:trojan-activity; sid:7649; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR x-door runtime detection"; flow:to_server,established; content:"[XShell Backdoor"; nocase; content:"xshell>"; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www.xfocus.net/tools/200610/1197.html; classtype:trojan-activity; sid:10185; rev:4;)
# alert tcp $HOME_NET 6116 -> $EXTERNAL_NET any (msg:"BACKDOOR am remote client runtime detection - server-to-client"; flow:from_server,established; flowbits:isset,AM_Remote_Client; pcre:"/^\d+\x01/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/a/amrc/Amrc1.1.html; classtype:trojan-activity; sid:7642; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR w32.dumaru.gen@mm runtime detection - cmd"; flow:to_server,established; uricontent:"/admin/socks/bot/cmd.txt"; nocase; content:"Host|3A|"; nocase; content:"backtrust.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*backtrust\x2Ecom/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www.vil.mcafeesecurity.com/vil/content/v_125643.htm; classtype:trojan-activity; sid:7074; rev:4;)
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"BACKDOOR omniquad instant remote control runtime detection - initial connection"; flow:from_server,established; flowbits:isset,Omniquad_IRC_InitConnection; content:"|00 00 00|h|FF|SMB%|00 00 00|"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080053; classtype:trojan-activity; sid:7706; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR abremote pro 3.1 runtime detection - init connection"; flow:from_server,established; content:"&&**"; depth:4; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.heibai.net/download/Soft/Soft_6836.htm; classtype:trojan-activity; sid:11317; rev:3;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR dkangel runtime detection - icmp echo reply client-to-server"; itype:0; content:"This is made by yyt_hac!"; nocase; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6128; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 16454 (msg:"BACKDOOR superra runtime detection - issue remote control command"; flow:to_server,established; content:"|05 00 00|"; depth:3; offset:1; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; classtype:trojan-activity; sid:9667; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32418 (msg:"BACKDOOR acidbattery 1.0 runtime detection - get server info"; flow:to_server,established; content:"SERVER/NFO"; depth:10; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=109; classtype:trojan-activity; sid:10446; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR Pushdo client communication attempt"; flow:to_server,established; uricontent:"/40e800"; depth:7; nocase; pcre:"/^\x2F40e800[0-9A-F]{30,}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.eweek.com/c/a/Security/Inside-a-Modern-Malware-Distribution-System/; classtype:trojan-activity; sid:15165; rev:2;)
# alert tcp $EXTERNAL_NET 9999 -> $HOME_NET any (msg:"BACKDOOR evade runtime detection - file manager"; flow:from_server,established; flowbits:isset,Evade_File_Manager1; content:"FRESH +"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/e/evade/Evade1.1b.html; classtype:trojan-activity; sid:7691; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan-downloader.win32.delf.phh runtime detection - sft_ver1.1454.0.exe"; flow:to_server,established; uricontent:"/sft/cvs/cache/sft_ver1.1454.0.exe"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Delf.phh&threatid=449585; reference:url,www.threatexpert.com/report.aspx?uid=37b59ba2-9a43-458f-8e8e-d150ab422b5c; classtype:trojan-activity; sid:16102; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR td.exe runtime detection - download"; flow:to_server,established; content:"/download.php"; nocase; content:"id="; distance:0; nocase; content:"Submit=Download+Crack+and+Keygen"; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.siteadvisor.cn/sites/anycracks.com; reference:url,www.spywareremove.com/removetdexe.html; classtype:trojan-activity; sid:16096; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan-downloader.win32.zlob.wwv runtime detection - childhe"; flow:to_server,established; uricontent:"/pas/apstpldr.dll.html?affid=152174"; content:"Host|3A|"; nocase; content:"childhe.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*childhe\x2ecom/smi"; reference:url,www.threatexpert.com/report.aspx?uid=0f289bca-21bb-40ac-bec6-8eef22a6172a; classtype:trojan-activity; sid:16110; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan-dropper.win32.agent.wdv runtime detection"; flow:to_server,established; uricontent:"/new.rar"; nocase; content:"Host|3A|"; nocase; content:"htfc8.cn"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*htfc8\x2ecn/smi"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malstartpa.html; reference:url,www.spywaredetector.net/spyware_encyclopedia/Clicker.Agent.htm; classtype:trojan-activity; sid:16099; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan-downloader.win32.delf.phh runtime detection - file.exe"; flow:to_server,established; uricontent:"/files/56/v2test7/file.exe"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Delf.phh&threatid=449585; reference:url,www.threatexpert.com/report.aspx?uid=37b59ba2-9a43-458f-8e8e-d150ab422b5c; classtype:trojan-activity; sid:16100; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan-downloader.win32.zlob.wwv runtime detection - onestoponlineshop"; flow:to_server,established; uricontent:"/templates/onestoponlineshop.net/images/css.css"; content:"Host|3A|"; nocase; content:"onestoponlineshop.net"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*onestoponlineshop\x2enet/smi"; reference:url,www.threatexpert.com/report.aspx?uid=0f289bca-21bb-40ac-bec6-8eef22a6172a; classtype:trojan-activity; sid:16109; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan downloader exchan.gen variant runtime detection"; flow:to_server,established; uricontent:"/ftpgd.exe"; nocase; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojexchangen.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-041717-0829-99&tabid=2; classtype:trojan-activity; sid:16094; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan win32.agent.vvm runtime detection"; flow:to_server,established; uricontent:"/?"; nocase; uricontent:"mode=gen"; nocase; uricontent:"gd="; nocase; uricontent:"affid="; nocase; uricontent:"W10="; nocase; uricontent:"subid="; nocase; uricontent:"prov="; nocase; uricontent:"ua="; nocase; content:"Referer|3A|"; nocase; content:"www.zabeedly.com/search.php?q="; distance:0; nocase; pcre:"/^Referer\x3a[^\r\n]*www\x2ezabeedly\x2ecom\x2fsearch\x2ephp\x3fq\x3d/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Win32.Agent.vvm&threatid=367475; reference:url,www.kaspersky.co.jp/viruswatchlite?hour_offset=-4&search_virus=dropper&page=1; classtype:trojan-activity; sid:16097; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan downloader.agent.vhb runtime detection - contact remote server"; flow:to_server,established; uricontent:"/post.asp?"; nocase; uricontent:"HD="; nocase; content:"Host|3A|"; nocase; content:"rebot1.whatthisdown.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*rebot1\x2ewhatthisdown\x2ecom/smi"; reference:url,www.threatexpert.com/report.aspx?uid=c9798b3a-0b55-4bb6-82a7-c744ef3ba261; reference:url,www.virustotal.com/analisis/0326fdbb9ff5e2fa6fa847a095ec9e45; classtype:trojan-activity; sid:16112; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR synrat 2.1 pro runtime detection - init"; flow:from_server,established; flowbits:isset,SynRat2.1_initconn; content:"CON"; depth:3; nocase; pcre:"/^CON\w+\d+\xAE/smi"; classtype:trojan-activity; sid:16107; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan.zlob runtime detection - topqualityads"; flow:to_server,established; uricontent:"/servlet/ajrotator/9105"; content:"Host|3A|"; nocase; content:"servedby.topqualityads.net"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*servedby\x2etopqualityads\x2enet/smi"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,research.sunbeltsoftware.com/threatdisplay.aspx?name=Adware.Agent.gen&threatid=164680; reference:url,www.threatexpert.com/report.aspx?uid=8b81ce31-7f67-4880-8ec0-8359f96d6303; classtype:trojan-activity; sid:16105; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR lost door 3.0 runtime detection - init"; flow:from_server,established; content:"v1ct1m"; depth:6; nocase; flowbits:set,LostDoor3_InitConn; flowbits:noalert; classtype:trojan-activity; sid:16103; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan-downloader.win32.zlob.wwv installtime detection"; flow:to_server,established; uricontent:"/Setup_ver1.1427.0.exe"; content:"Host|3A|"; nocase; content:"slpm12345.googlepages.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*slpm12345\x2egooglepages\x2ecom/smi"; reference:url,www.threatexpert.com/report.aspx?uid=0f289bca-21bb-40ac-bec6-8eef22a6172a; classtype:trojan-activity; sid:16111; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8392 (msg:"BACKDOOR torpig-mebroot command and control checkin"; flow:established,to_server; content:"|00 00|O|95 00 00 00 04|echo"; depth:12; metadata:policy security-ips drop; reference:url,www.f-secure.com/weblog/archives/00001393.html; classtype:trojan-activity; sid:16140; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan-downloader.win32.delf.phh runtime detection - 57329.exe"; flow:to_server,established; uricontent:"/lm/57329.exe"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Delf.phh&threatid=449585; reference:url,www.threatexpert.com/report.aspx?uid=37b59ba2-9a43-458f-8e8e-d150ab422b5c; classtype:trojan-activity; sid:16101; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan downloader.agent.vhb runtime detection - request login page"; flow:to_server,established; uricontent:"/login.htm"; nocase; content:"Host|3A|"; nocase; content:"www.sf123.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*www\x2esf123\x2ecom/smi"; reference:url,www.threatexpert.com/report.aspx?uid=c9798b3a-0b55-4bb6-82a7-c744ef3ba261; reference:url,www.virustotal.com/analisis/0326fdbb9ff5e2fa6fa847a095ec9e45; classtype:trojan-activity; sid:16113; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan downloader exchanger.gen2 runtime detection"; flow:to_server,established; uricontent:"/ldr/client01/ldrctl.php"; content:"os="; nocase; content:"ver="; nocase; content:"idx="; nocase; content:"user="; nocase; content:"ioctl="; nocase; content:"data="; nocase; pcre:"/os\x3d.*\x26ver\x3d.*\x26idx\x3d.*\x26user\x3d.*\x26ioctl\x3d.*\x26data\x3d.*/smi"; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/4275/tr_dldr.exchanger.dw.html; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453143306; classtype:trojan-activity; sid:16108; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR td.exe runtime detection - getfile"; flow:to_server,established; content:"/getfiles.php"; nocase; content:"id="; distance:0; nocase; content:"sid=anycrc"; distance:0; nocase; content:"Host|3A|"; nocase; content:"flz.anycracks.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*flz\x2eanycracks\x2ecom/smi"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.siteadvisor.cn/sites/anycracks.com; reference:url,www.spywareremove.com/removetdexe.html; classtype:trojan-activity; sid:16095; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR win32.cekar variant runtime detection"; flow:to_server,established; uricontent:"/ljs.txt"; nocase; content:"User-Agent|3A|"; nocase; content:"winssco.exe"; distance:0; nocase; pcre:"/^User-Agent\x3a[^\r\n]*winssco\x2eexe/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Worm/Cekar.A&threatid=180592; reference:url,vil.nai.com/vil/content/v_141463.htm; classtype:trojan-activity; sid:16098; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR win32.delf.jwh runtime detection"; flow:to_server,established; content:"/wm.php"; nocase; content:"ver="; distance:0; nocase; content:"MAX_EXECUTE_TIME="; distance:0; nocase; content:"RELOAD_JOBS="; distance:0; nocase; content:"BROWSER_DELAY="; distance:0; nocase; content:"CONTROL_PAGE="; distance:0; nocase; content:"lastlogcount="; distance:0; nocase; content:"REPORTS_PAGE="; distance:0; nocase; content:"TICKETS_PAGE="; distance:0; nocase; content:"botid="; distance:0; nocase; content:"REG_NAME="; distance:0; nocase; content:"botlogin="; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 6000; reference:url,www.emsisoft.com/en/malware/?Backdoor.Win32.Delf.jwh; classtype:trojan-activity; sid:16092; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR bugsprey runtime detection - initial connection"; flow:from_server,established; content:"GHOST|0D 0A|"; depth:7; nocase; flowbits:set,BugsPrey_detection; flowbits:noalert; classtype:trojan-activity; sid:16093; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR synrat 2.1 pro runtime detection - init"; flow:to_server,established; content:"Sin"; depth:3; nocase; pcre:"/^Sin[^\r\n]*\x0D\x0A\d+\x0D\x0A/smi"; flowbits:set,SynRat2.1_initconn; flowbits:noalert; classtype:trojan-activity; sid:16106; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR lost door 3.0 runtime detection - init"; flow:to_server,established; flowbits:isset,LostDoor3_InitConn; content:"v1ct1m[|5C|AS/]"; depth:12; nocase; classtype:trojan-activity; sid:16104; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan-dropper.irc.tkb runtime detection - dxcpm"; flow:to_server,established; uricontent:"/images/dxcpm"; content:"Host|3A| www.dxcpm.com"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Dropper.IRC.TKB&threatid=174269; reference:url,www.threatexpert.com/report.aspx?md5=e77f4df496a182bf5d16172cda47b91f; classtype:trojan-activity; sid:16273; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software xp police antivirus install-timedetection"; flow:to_server,established; uricontent:"/controller.php"; nocase; uricontent:"action="; nocase; uricontent:"guid="; nocase; uricontent:"rnd="; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151932; classtype:trojan-activity; sid:16245; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software xp-shield runtime detection"; flow:to_server,established; uricontent:"/purchase.htm?aid"; content:"Host|3A| www.xp-shield.cn"; nocase; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453133950; classtype:trojan-activity; sid:16262; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software spyware protect 2009 runtime detection - block"; flow:to_server,established; uricontent:"/block.php?"; nocase; uricontent:"r=19.0"; nocase; content:"Host|3A| browser-security.microsoft.com"; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151948; classtype:trojan-activity; sid:16247; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan.tdss.1.gen install-time detection - findzproportal1.com"; flow:to_server,established; uricontent:"/botmon/readdata/"; content:"Host|3A| findzproportal1.com"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.TDss.Gen&threatid=414535; reference:url,www.threatexpert.com/files/TDSSserv.sys.html; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:16269; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR srat 1.6 runtime detection"; flow:from_server,established; flowbits:isset,SRat_1.6; content:"|00 00 00 00 00 00 00|"; depth:7; offset:1; content:"|AA AA AA AA|"; within:4; distance:4; fast_pattern; threshold:type limit, track by_src, count 1, seconds 300; classtype:trojan-activity; sid:16271; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software xp antivirus protection runtime detection - installation"; flow:to_server,established; uricontent:"/firstrun.php"; nocase; uricontent:"product=XPA"; nocase; uricontent:"aff="; nocase; content:"Host|3A| liveresponsesite.com"; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453122012; classtype:trojan-activity; sid:16260; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue-software windows antivirus 2008 runtime detection - registration and payment page"; flow:to_server,established; uricontent:"/purchase/secure.php?"; uricontent:"frame="; nocase; uricontent:"orderid="; nocase; uricontent:"orderid1="; nocase; uricontent:"orderid2="; nocase; uricontent:"disc="; nocase; uricontent:"product_name=Windows+Antivirus+2008"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=288214; reference:url,www.spywareremove.com/removeWindowsAntivirus2008.html; classtype:trojan-activity; sid:16280; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software perfect defender 2009 runtime detection - purchase"; flow:to_server,established; uricontent:"/buy.php"; content:"Host|3A| www.pdefender2009.com"; nocase; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453144750; classtype:trojan-activity; sid:16258; rev:2;)
# Snort signatures in the BACKDOOR class: rogue-antivirus and trojan HTTP
# check-ins (install-time, update, purchase/"pay" pages) plus several RAT
# handshake stages tracked with flowbits. Every rule here carries
# classtype:trojan-activity. Most match an outbound HTTP request by a URI
# fragment (uricontent) combined with the exact Host: header of the
# distribution or billing domain, so a change of hostname on the attacker
# side silences the rule; the reference:url entries point at the vendor
# write-ups the hostnames were taken from.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software win pc defender installtime detection"; flow:to_server,established; uricontent:"/installed.php?"; nocase; uricontent:"id="; nocase; content:"Host|3A| win-pc-defender.com"; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453153970; classtype:trojan-activity; sid:16251; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software pc antispyware 2010 runtime detection - buy"; flow:to_server,established; uricontent:"/buy.html"; content:"Host|3A| pc-antispy2010.com"; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453172046; classtype:trojan-activity; sid:16266; rev:2;)
# sid:16254 only sets the systemsecurity2009 flowbit (flowbits:noalert); the
# alert is raised by sid:16255 further down when the server answers with the
# matching "location: in.php?url=" redirect. Both rules must be loaded
# together or neither ever fires.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software system security 2009 installtime detection"; flow:to_server,established; uricontent:"/in.php"; uricontent:"url="; uricontent:"affid="; flowbits:set,systemsecurity2009; flowbits:noalert; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453154339; classtype:trojan-activity; sid:16254; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR downloader-ash.gen.b runtime detection - adload"; flow:to_server,established; uricontent:"/adv/058/adload.php"; content:"Host|3A| all1count.net"; nocase; reference:url,www.ca.com/hk/securityadvisor/pest/pest.aspx?id=453143372; reference:url,www.threatexpert.com/report.aspx?md5=bffe465b5949e78821ffb76b0ed25bb4; classtype:trojan-activity; sid:16242; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software ms antispyware 2009 runtime detection - pay"; flow:to_server,established; uricontent:"/pay/"; content:"Host|3A| sales.buy-msantispyware2009.com"; nocase; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453146855; classtype:trojan-activity; sid:16249; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software system security 2009 runtime detection"; flow:to_server,established; uricontent:"/cards/"; uricontent:"affid="; content:"Host|3A| electronicbillinghost.com"; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453154339; classtype:trojan-activity; sid:16253; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software coreguard antivirus 2009 runtime detection"; flow:to_server,established; uricontent:"/c.dat"; content:"Host|3A| guardlab2009.com"; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453157038; classtype:trojan-activity; sid:16256; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue-software windows antivirus 2008 runtime detection - pre-sale page"; flow:to_server,established; uricontent:"/buy.php?"; uricontent:"frame="; uricontent:"advid="; content:"Host|3A| winavsentry.com"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=288214; reference:url,www.spywareremove.com/removeWindowsAntivirus2008.html; classtype:trojan-activity; sid:16279; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software win pc defender runtime detection"; flow:to_server,established; uricontent:"/pp/?id="; nocase; content:"Host|3A| billingpayment.net"; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453153970; classtype:trojan-activity; sid:16250; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software 007 anti-spyware runtime detection - update"; flow:to_server,established; uricontent:"/007AS/update/Update.ini"; content:"Host|3A| www.webslt.com"; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-073120-1433-99; classtype:trojan-activity; sid:16264; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software xp police antivirus runtime detection - purchase"; flow:to_server,established; uricontent:"/xpbuy/"; nocase; content:"Host|3A| xp-police.com"; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151932; classtype:trojan-activity; sid:16244; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan-dropper.irc.tkb runtime detection - lordhack"; flow:to_server,established; uricontent:"/includes/editor/"; content:"Host|3A| www.lordhack.com"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Dropper.IRC.TKB&threatid=174269; reference:url,www.threatexpert.com/report.aspx?md5=e77f4df496a182bf5d16172cda47b91f; classtype:trojan-activity; sid:16272; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software xp-shield runtime detection - installation"; flow:to_server,established; uricontent:"/install/?aid"; content:"Host|3A| www.xp-shield.cn"; nocase; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453133950; classtype:trojan-activity; sid:16263; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software antivirusdoktor2009 runtime detection"; flow:to_server,established; uricontent:"/join.html"; content:"Host|3A| www.antivirus-doktor.com"; nocase; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453164387; classtype:trojan-activity; sid:16259; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software pro antispyware 2009 runtime detection - purchase"; flow:to_server,established; uricontent:"/pay/"; content:"Host|3A| sales.proantispyware-2009-buy.com"; nocase; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453144054; classtype:trojan-activity; sid:16252; rev:2;)
# Binary (non-HTTP, any destination port) handshake match on a 7-byte zero run
# at offset 1 followed by AA AA AA AA. It is silent (flowbits:noalert) and only
# sets SRat_1.6; the rule that tests that bit and alerts is not in this excerpt.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR srat 1.6 runtime detection"; flow:to_server,established; content:"|00 00 00 00 00 00 00|"; depth:7; offset:1; content:"|AA AA AA AA|"; within:4; distance:4; fast_pattern; flowbits:set,SRat_1.6; flowbits:noalert; classtype:trojan-activity; sid:16270; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software spyware protect 2009 runtime detection - purchase request"; flow:to_server,established; uricontent:"/purchase?"; nocase; uricontent:"r="; nocase; content:"Host|3A| spywprotect.com"; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453151948; classtype:trojan-activity; sid:16246; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software xp antivirus protection runtime detection - runtime"; flow:to_server,established; uricontent:"/order_xp.php"; nocase; uricontent:"ver="; content:"Host|3A| liveresponsesite.com"; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453122012; classtype:trojan-activity; sid:16261; rev:2;)
# Server-side half of the systemsecurity2009 pair: direction is reversed
# (flow:from_server) and the rule alerts only if sid:16254 set the bit on
# the same session.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BACKDOOR rogue software system security 2009 installtime detection"; flow:from_server,established; flowbits:isset,systemsecurity2009; content:"location|3A| in.php?url="; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453154339; classtype:trojan-activity; sid:16255; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software pc antispyware 2010 runtime detection - files"; flow:to_server,established; uricontent:"/files"; content:"Host|3A| gomafobianiotas.com"; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453172046; classtype:trojan-activity; sid:16267; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR trojan.tdss.1.gen install-time detection - yournewsblog.net"; flow:to_server,established; uricontent:"/tdss/"; content:"Host|3A| yournewsblog.net"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.TDss.Gen&threatid=414535; reference:url,www.threatexpert.com/files/TDSSserv.sys.html; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:16268; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software ms antispyware 2009 runtime detection - start"; flow:to_server,established; uricontent:"/stat.php"; uricontent:"func="; nocase; content:"Host|3A| int.ms-asreport1.com"; nocase; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453146855; classtype:trojan-activity; sid:16248; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software perfect defender 2009 runtime detection - update"; flow:to_server,established; uricontent:"/upd1.php"; uricontent:"dbbasediv="; content:"Host|3A| download.pdefender2009.com"; nocase; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453144750; classtype:trojan-activity; sid:16257; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR downloader-ash.gen.b runtime detection - 3264.php"; flow:to_server,established; uricontent:"/32647543ygwvrhbjt3h4evjrbgnrt.php"; content:"Host|3A| all1count.net"; nocase; reference:url,www.ca.com/hk/securityadvisor/pest/pest.aspx?id=453143372; reference:url,www.threatexpert.com/report.aspx?md5=bffe465b5949e78821ffb76b0ed25bb4; classtype:trojan-activity; sid:16243; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR rogue software 007 anti-spyware runtime detection - register"; flow:to_server,established; uricontent:"/register"; content:"Host|3A| www.007antispyware.com"; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-073120-1433-99; classtype:trojan-activity; sid:16265; rev:1;)
# NOTE(review): this rule differs from the surrounding HTTP rules in two ways
# - flow:to_server has no "established" qualifier, and the path is matched
# with a raw content: rather than uricontent:. Presumably deliberate (it also
# carries the balanced/security-ips drop policy metadata), but worth confirming
# it is not an omission. Rules from here on carry metadata:policy ... drop, so
# in an inline deployment using those policies they block rather than alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR Clob bot traffic"; flow:to_server; content:"/l1/ms32clod.dll"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=1474e6d74aa29127c5d6df716650d724; classtype:trojan-activity; sid:16289; rev:1;)
# Multi-stage handshake rules for fear 0.2, bifrose 1.1, cybernetic 1.62 and
# theef 2.0: each tests a flowbit set by an earlier stage (flowbits:isset),
# advances the chain with flowbits:set (and flowbits:unset of the previous
# stage where present) and is itself silent (flowbits:noalert). The stages
# that set the first bit and that finally alert are outside this excerpt, so
# loading these rules on their own produces no alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR fear 0.2 runtime detection - initial connection"; flow:to_server,established; flowbits:isset,fear_0_2.conn.1; content:"QTAz"; depth:4; nocase; flowbits:set,fear_0_2.conn.2; flowbits:unset,fear_0_2.conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6045; rev:4;)
# Reverse-connection variant: the infected host is the server side here
# (source port 1024:, flow:from_server).
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR bifrose 1.1 runtime detection"; flow:from_server,established; flowbits:isset,bifrose.rev_conn.1; content:"|02 00 00 00|4x"; flowbits:set,bifrose.rev_conn.2; flowbits:unset,bifrose.rev_conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1464; classtype:trojan-activity; sid:6056; rev:4;)
# The pcre anchors on a "DmInf^...^<dotted-quad>^" record at the start of the
# payload, so a caret-delimited field containing an IPv4 address is required
# beyond the 5-byte content prefilter.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR cybernetic 1.62 runtime detection - reverse connection flowbit 1"; flow:to_server,established; flowbits:isset,backdoor.cybernetic.1.62.rev.conn.1; content:"DmInf"; depth:5; nocase; pcre:"/^DmInf\^[^\r\n]*\^\d+\x2E\d+\x2E\d+\x2E\d+\^/smi"; flowbits:set,backdoor.cybernetic.1.62.rev.conn.2; flowbits:unset,backdoor.cybernetic.1.62.rev.conn.1; flowbits:noalert; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745; classtype:trojan-activity; sid:7066; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR theef 2.0 runtime detection - connection request with password - flowbit 2"; flow:to_server,established; flowbits:isset,theef20.1; content:"|FA CB D9 D9 EB DE DE D6 9B 98 99|"; depth:11; flowbits:set,theef20.2; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:7618; rev:4;)
# Final stage of the BugsPrey chain: tests BugsPrey_detection (set by a rule
# outside this excerpt) and, unlike the rules above, has no noalert, so it is
# the one that raises the alert on the inbound "GHOST," banner.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR bugsprey runtime detection - initial connection"; flow:to_server,established; flowbits:isset,BugsPrey_detection; content:"GHOST,"; depth:6; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BugsPrey&threatid=42567; reference:url,www.econsultant.com/spyware-database/b/bugsprey-a.html; classtype:trojan-activity; sid:16358; rev:1;)

Change log

41b25fc2e260 by mich...@michael-laptop on Apr 3, 2010   Diff
Added snort rules
