File: proxy-malware.rules

# Sagan proxy-malware.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# These rules can be used to detect malware connections seen in the logs of generic proxy devices - for example
# Squid, Apache, Fortigate firewalls, Bluecoat proxies, etc.  They are generic rules meant to look for indications
# of malware within a network based on "access"-type logs.
#*************************************************************

#alert any $HOME_NET any -> $EXTERNAL_NET $HTTP_PORT (msg: "[PROXY-MALWARE] Pony Trojan"; content: "ponyb/gate.php"; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5001739; sid: 5001739; rev:1;)

# Rules created by Robert Nunley (rnunley@quadrantsec.com) - 01/08/2013

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 1"; content: "/Gallery/IMAG0081.GIF"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001882; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 2"; content: "/btn001/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001883; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 3"; content: "/bugzy/i.cfg"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001884; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 4"; content: "/cfg2"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001885; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 5"; content: "/cfg3.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001886; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 6"; content: "/cnf/trl.jpg"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001887; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 7"; content: "/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001888; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 8"; content: "/dzen/misc.inc.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001889; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 9"; content: "/film/video.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001890; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 10"; content: "/ftr/vosmoipoint.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001891; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 11"; content: "/ftr/vosmoipont.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001892; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 12"; content: "/gkt/gld44.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001893; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 13"; content: "/good/tlz/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001894; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 14"; content: "/gus/pool.doc"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001895; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 15"; content: "/ii1IGh.aeL8uf"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001896; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 16"; content: "/im/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001897; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 17"; content: "/img/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001898; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 18"; content: "/index_files/4jpg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001899; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 19"; content: "/inmake/lds/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001900; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 20"; content: "/kartos/kartos.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001901; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 21"; content: "/ldr/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001902; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 22"; content: "/n2.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001903; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 23"; content: "/norma/cf5.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001904; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 24"; content: "/ribbn.tar"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001905; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 25"; content: "/s2/non.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001906; rev:3;)


# Triggers too much on valid sites - 04/12/2014 - Champ Clark III
##alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 26"; content: "/sell.jpg"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001907; rev:3;)

#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 27"; content: "/test/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001908; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 28"; content: "/ukk/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001909; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 29"; content: "/web/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001910; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 30"; content: "/z/config1.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001911; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 31"; content: "/z_bot/what.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001912; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 32"; content: "/zend/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001913; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 33"; content: "/zeus/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001914; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 34"; content: "/zs/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001915; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 35"; content: "/~am/szkolapanel/zs/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001916; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus bin Request 36"; content: "/~update/serv/updtsys.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001917; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 1"; content: "/4vnrye74mugh.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001918; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 2"; content: "/4vnrye74vmugh.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001919; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 3"; content: "/DZ3LOrAFpl.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001920; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 4"; content: "/back11/stat1.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001921; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 5"; content: "/btn001/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001922; rev:3;)

# Triggers too much on valid sites - 04/12/2014 - Champ Clark III
##alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 6"; content: "/buy.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001923; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 7"; content: "/dd7ejr8ehd8jrf.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001924; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 8"; content: "/dzen/as9965767.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001925; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 9"; content: "/free/wthong.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001926; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 10"; content: "/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001927; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 11"; content: "/good/socialnetworks/all4love/peage.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001928; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 12"; content: "/iXeij7Ai.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001929; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 13"; content: "/im/s.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001930; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 14"; content: "/img/s.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001931; rev:3;)

# Triggers too much on valid sites - 04/12/2014 - Champ Clark III
##alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 15"; content: "/index1.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001932; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 16"; content: "/inmake/page/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001933; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 17"; content: "/kartos/youyou.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001934; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 18"; content: "/test/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001935; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 19"; content: "/trl/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001936; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 20"; content: "/vvn/ci_g.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001937; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 21"; content: "/web/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001938; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 22"; content: "/z/s.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001939; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 23"; content: "/z_bot/bot_adented.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001940; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 24"; content: "/zend/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001941; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Zeus php Request 25"; content: "/zs/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5001942; rev:3;) 

# Triggers on tor2web services - 06/09/2014 - Champ Clark III

# Fires on any access-log line that contains the literal string ".tor2www." - a case-sensitive substring
# match, since no "nocase" modifier is given.  parse_src_ip: 1 / parse_dst_ip: 2 take the first and second
# IP addresses found in the log line as the event's source and destination; default_proto / default_dst_port
# supply tcp / $HTTP_PORT when the log line itself carries no protocol or port.
# NOTE(review): only the ".tor2www." rule (sid 5002061) is enabled, while the ".tor2web." variant below
# (sid 5002062) is disabled, yet the section header above refers to tor2web services.  Confirm that the
# enabled spelling is the intended one and not a transposed letter before relying on this rule.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Tor2www Request"; content: ".tor2www."; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tor2www.com; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5002061; rev:3;)
#alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Tor2web Request"; content: ".tor2web."; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tor2web.org; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5002062; rev:3;)

# https://isc.sans.edu/forums/diary/PCRE+for+malware+audits/18949

# Fiesta exploit-kit URL patterns, taken from the ISC diary referenced above.  The pcre is four alternatives
# OR'ed together (the \/ escapes are required because the expression is delimited by "/"; \x2f is "/" and
# \x3b is ";"):
#   1. http://<host>/<6+ lowercase alnum>_<digits>_<32 lowercase hex>.html
#   2. /<60-66 hex> followed by one to four ";<digits>" groups
#   3. "/" then an optional "?", then 60+ hex, ";1" + five digits, ";" + one to three digits
#   4. /<32 alnum>.php?<1-3 letters>=<32 alnum>
# Matching is case-sensitive (no /i flag), so URLs logged with uppercase hex will not match.
# NOTE(review): in alternative 4 the "." before "php" is unescaped and therefore matches any single
# character, not a literal dot; "\.php" would be the stricter form.  Confirm against the referenced diary
# before tightening it, and bump rev if the expression is changed.
# parse_src_ip: 1 / parse_dst_ip: 2 take the first and second IP addresses found in the log line as source and
# destination; default_proto / default_dst_port supply tcp / $HTTP_PORT when the log line carries neither.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[PROXY-MALWARE] Fiesta malware request"; pcre: "/(http:\/\/[^\x2f]+\/[a-z0-9]{6,}_[0-9]+_[a-f0-9]{32}\.html|\/[a-f0-9]{60,66}(?:\x3b\d+){1,4}|\/\??[a-f0-9]{60,}\x3b1\d{5}\x3b\d{1,3}|\/[0-9a-z]{32}.php\?[a-z]{1,3}=[0-9a-z]{32})/"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,wiki.quadrantsec.com/bin/view/Main/5002214; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype:trojan-activity; sid: 5002214; rev:3;)