#
# Emerging Threats Botnet Command and Control drop rules.
#
# These are generated from the EXCELLENT work done by the abuse.ch folks. All Volunteers, we're grateful for their dedication!
#
# https://ransomwaretracker.abuse.ch
# https://zeustracker.abuse.ch
# https://feodotracker.abuse.ch/
#
#
# SID's are 2410000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to [email protected] or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2019, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# Shadowserver-reported C2 addresses (sids 2404000-2404026): two destination IPs per rule,
# except the last rule, which lists one.
#
# Match scope: "alert ip ... any -> [...] any" covers every IP protocol and port, but only
# in the outbound direction ($HOME_NET -> listed address). Traffic initiated from these
# addresses toward $HOME_NET is not matched by these rules.
#
# Action: every rule is "alert". The file header calls these "drop rules", but as written
# nothing here blocks traffic; an inline/IPS deployment has to change the action
# (alert -> drop) in its own rule management.
#
# Rate limit: "threshold: type limit, track by_src, seconds 3600, count 1" yields at most
# one alert per source host per hour for each sid. A single alert can therefore stand for
# any number of connections; use flow/connection logs to size the activity.
#
# flowbits: each match sets ET.Evil and ET.BotccIP. Presumably other ET rules test these
# bits -- confirm before disabling or suppressing rules in this file.
#
# SID range: the file header says SIDs are 2410000+, but the rules below use 2404xxx.
# Build suppressions and SIEM correlation on the sid values actually present.
#
# Freshness: all rules carry rev:5709 and updated_at 2020_04_20, so the address lists are
# a point-in-time snapshot. Addresses get cleaned up or reassigned; treat a hit as a lead
# to triage (what process, what protocol, what payload), not as proof of infection, and
# keep the ruleset updated from its source rather than from a copied file.
alert ip $HOME_NET any -> [109.196.130.50,151.13.184.200] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404000; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [154.35.64.107,154.35.64.18] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404001; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [154.35.64.54,154.35.64.82] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404002; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [174.59.20.100,176.34.209.220] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404003; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [184.106.133.130,184.73.167.34] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404004; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [188.126.73.62,190.120.228.216] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 6"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404005; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [193.107.16.224,198.245.49.5] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 7"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404006; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [199.19.215.29,203.44.1.211] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 8"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404007; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [203.70.60.179,204.188.197.205] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 9"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404008; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [204.188.221.157,205.185.113.88] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 10"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404009; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [206.176.205.101,210.135.96.98] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 11"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404010; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [212.113.137.225,213.193.246.34] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 12"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404011; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [216.18.232.151,46.165.193.136] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 13"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404012; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [46.45.190.57,50.112.120.66] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 14"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404013; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [50.18.21.241,61.31.99.67] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 15"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404014; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [64.18.139.82,64.71.165.201] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404015; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [64.85.169.114,65.19.178.15] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404016; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [65.23.156.37,65.23.157.127] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404017; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [66.154.121.231,70.85.237.252] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404018; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [72.250.175.12,74.122.159.122] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404019; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [83.68.16.198,85.25.100.223] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404020; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [85.25.109.116,89.248.162.231] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404021; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [91.121.146.118,91.121.2.214] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404022; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [91.121.67.157,92.243.30.231] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404023; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [94.23.10.157,94.23.13.5] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 25"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404024; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [94.23.157.150,94.23.36.82] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 26"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404025; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
# NOTE(review): the msg below reads "CnC Server group 27" (no "IP"), unlike groups 1-26,
# and classtype precedes the flowbits options. Alert filters keyed on the msg text
# "Reported CnC Server IP group" will miss this rule; key on sid instead.
alert ip $HOME_NET any -> [95.211.154.159] any (msg:"ET CNC Shadowserver Reported CnC Server group 27"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404026; rev:5709; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2020_04_20;)
#Feodo Tracker
#
# Destination-address rules built from the feodotracker.abuse.ch list, split into
# numbered groups ("group 1" to "group 25", sid 2404300-2404324).
#
# Every rule in this section has the same shape; only the address list, the group
# number in msg and the sid differ:
#  - "alert ip $HOME_NET any -> [list] any" matches any IP protocol and any port, but
#    only traffic from $HOME_NET to a listed address, so coverage depends on $HOME_NET
#    being set correctly for the sensor.
#  - The action is "alert": a hit is logged, not blocked (the file header calls these
#    "drop rules"; blocking would need the action changed on an inline deployment).
#  - "threshold: type limit, track by_src, seconds 3600, count 1" limits each rule to one
#    alert per source address per hour, so a single alert can stand for many connections;
#    use flow or firewall logs for the real volume and timing.
#  - "flowbits:set,ET.Evil" and "flowbits:set,ET.BotccIP" mark the flow; which rules test
#    these bits is not visible in this section.
#  - There is no port or payload condition, so a hit shows contact with a listed address,
#    not confirmed C2 traffic; corroborate with endpoint or proxy evidence before acting.
#  - The lists are a snapshot (updated_at 2020_04_20, rev 5709); listed addresses can be
#    reassigned over time, so check the age of the ruleset when triaging a hit.
alert ip $HOME_NET any -> [100.14.117.137,100.6.23.40,101.187.104.105,101.187.14.253,101.187.243.188,101.187.97.173,101.99.23.252,102.182.145.130,102.22.62.71,103.12.161.194,103.205.177.228,103.227.147.82,103.243.173.107,103.251.141.42,103.31.232.93,103.5.231.188,103.53.44.26,103.69.216.86,103.91.228.3,103.9.226.57,103.97.95.221,104.131.41.185,104.168.96.122,104.182.56.131,104.200.80.44,104.220.134.222,104.236.161.64,104.236.28.47,104.238.80.237,104.32.141.43,105.174.6.174,105.184.106.99,105.184.191.243,105.184.237.83,105.209.235.113,105.225.156.246,105.225.161.70,105.226.195.36,105.228.147.223,105.246.66.139,105.247.123.133,106.243.237.73,106.51.0.205,107.13.149.212,107.155.137.10,107.155.137.13,107.155.137.19,107.155.137.23,107.175.133.162] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404300; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [107.175.87.113,107.184.91.187,108.170.61.186,108.179.206.219,108.190.34.69,108.6.170.195,109.107.235.152,109.236.109.159,109.2.99.144,109.94.110.79,110.143.203.200,110.143.8.89,110.145.101.66,110.145.124.178,110.145.77.103,110.232.76.39,110.37.226.196,110.93.15.98,111.235.148.46,112.68.240.21,113.160.130.116,113.160.180.109,113.160.88.86,113.161.148.81,113.182.203.150,113.190.254.245,113.193.217.34,113.193.254.82,113.61.66.94,114.109.179.60,114.143.192.242,114.79.133.102,114.79.134.49,114.79.159.169,115.132.227.247,115.160.160.134,115.166.1.82,115.65.111.148,115.75.6.2,115.79.195.246,115.93.16.173,1.163.163.199,116.73.14.186,116.90.228.177,116.90.229.22,117.197.124.51,117.2.133.44,117.247.233.82,117.3.39.85] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404301; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [117.4.120.226,117.7.236.115,118.200.116.83,118.69.70.109,118.69.71.14,118.70.126.251,119.155.153.14,119.196.94.222,119.235.90.232,119.57.36.54,120.150.246.241,120.150.247.164,120.150.66.156,120.151.135.224,120.234.52.74,121.100.19.18,121.175.22.236,121.69.90.14,121.74.198.58,122.116.104.238,122.176.109.10,122.50.6.122,123.136.174.52,123.231.21.141,123.3.103.138,123.51.98.27,124.100.221.134,124.150.175.133,124.194.66.218,12.49.146.218,125.63.106.22,125.99.106.225,125.99.17.181,128.106.71.243,129.205.201.163,130.204.245.137,130.241.35.152,131.161.253.190,132.248.38.158,133.208.252.149,134.19.217.180,134.19.217.70,134.255.221.55,136.243.205.112,137.25.7.112,137.59.227.184,138.122.96.100,138.59.18.169,139.130.242.43] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404302; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [139.60.163.56,14.161.30.33,14.161.6.60,14.192.144.194,142.105.151.124,142.129.161.136,142.163.208.70,143.0.87.101,144.139.173.73,144.139.91.187,146.185.219.29,146.185.253.108,146.185.253.122,146.185.253.132,146.185.253.157,146.185.253.176,146.185.253.179,146.185.253.191,148.102.77.148,148.103.82.211,148.240.70.74,148.245.232.121,148.251.185.164,148.251.185.186,148.69.94.166,149.135.10.19,149.202.160.202,149.62.173.247,150.107.20.18,151.237.16.5,151.237.36.220,151.80.212.114,152.168.248.128,152.168.249.64,152.170.108.99,152.170.196.157,152.170.222.65,152.231.224.62,152.231.89.226,152.32.78.6,152.89.245.207,153.160.71.129,153.174.73.130,153.181.212.155,154.72.75.82,154.73.137.131,156.67.114.199,157.100.238.225,159.118.53.150] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404303; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [161.18.233.114,162.241.92.219,162.243.125.212,162.247.155.100,162.255.112.157,163.139.237.65,163.53.180.227,164.132.255.19,164.68.115.146,164.68.120.58,164.77.130.222,164.77.131.165,166.78.243.43,167.0.166.227,167.250.193.184,168.121.59.107,168.197.252.178,169.1.71.215,170.238.117.187,170.81.48.2,170.82.195.50,170.83.53.71,171.100.142.238,173.171.132.82,173.175.79.89,173.178.223.66,173.195.204.36,173.21.26.90,173.31.172.11,174.57.150.13,174.83.116.77,174.93.130.148,175.101.89.66,175.140.115.82,175.205.73.49,175.207.12.52,176.119.159.147,176.126.83.149,176.192.20.62,176.74.89.66,176.88.227.26,176.9.43.37,177.0.241.28,177.103.159.44,177.139.131.143,177.144.130.105,177.144.135.2,177.188.121.26,177.225.150.89] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404304; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [177.230.81.0,177.231.56.40,177.240.208.251,177.242.215.230,177.243.144.248,177.38.15.151,177.6.166.4,177.66.190.130,177.73.3.204,177.74.232.124,178.134.1.238,178.141.80.155,178.153.176.124,178.156.202.157,178.156.202.222,178.156.202.228,178.156.202.251,178.157.82.127,178.157.82.80,178.201.186.245,178.20.74.212,178.209.71.63,178.62.75.204,178.95.247.58,179.127.59.210,179.13.185.19,179.13.73.220,179.184.65.222,179.41.14.199,179.50.131.35,179.52.155.151,179.60.24.164,179.62.226.22,179.62.26.236,179.8.99.239,180.180.216.177,180.222.165.169,180.92.239.110,181.10.204.106,181.112.157.42,181.118.206.6,181.122.172.67,181.126.47.7,181.129.104.139,181.129.130.82,181.129.134.18,181.129.44.226,181.129.96.162,181.13.24.83] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 6"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404305; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [181.143.108.91,181.143.53.227,181.16.18.72,181.164.215.193,181.164.25.59,181.165.31.120,181.167.31.88,181.167.35.84,181.167.53.79,181.168.130.219,181.168.74.104,181.168.80.87,181.171.28.140,181.175.23.114,181.176.191.27,181.189.212.120,181.196.207.202,181.196.27.123,181.225.24.251,181.228.204.125,181.230.116.163,181.230.129.137,181.27.124.18,181.27.126.228,181.28.109.32,181.30.126.66,181.30.69.50,181.31.211.181,181.36.42.205,181.39.51.243,181.39.96.86,181.44.96.147,181.47.235.26,181.48.22.219,181.48.236.93,181.49.236.174,181.49.247.206,181.49.96.250,181.51.214.5,181.54.149.75,181.54.182.135,181.54.245.85,181.59.253.20,181.60.244.166,181.60.247.8,181.61.253.171,182.191.75.93,182.56.134.44,182.71.147.46] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 7"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404306; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [182.71.222.187,182.72.25.180,182.73.147.218,182.73.185.122,182.75.161.42,183.179.17.211,183.82.104.189,183.82.112.154,183.82.112.28,183.82.124.191,183.91.15.80,183.91.3.63,184.145.137.151,184.149.7.49,184.164.142.43,184.57.130.8,184.68.59.166,185.105.1.187,185.11.146.101,185.129.92.210,185.141.27.225,185.141.27.243,185.141.61.101,185.14.28.34,185.14.29.141,185.14.29.63,185.14.30.134,185.14.30.152,185.14.30.45,185.14.31.252,185.14.31.98,185.155.20.82,185.161.211.215,185.17.123.90,185.174.172.16,185.174.172.60,185.177.59.163,185.186.77.216,185.198.57.75,185.20.185.109,185.203.119.173,185.234.72.193,185.234.72.24,185.234.72.50,185.244.39.65,185.65.202.115,185.66.13.65,185.68.93.105,185.90.61.62] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 8"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404307; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [185.97.32.6,185.98.87.70,185.99.2.123,185.99.2.131,185.99.2.140,185.99.2.142,185.99.2.152,185.99.2.220,185.99.2.221,185.99.2.41,185.99.2.44,185.99.2.52,185.99.2.53,185.99.2.67,185.99.2.68,186.101.235.14,186.10.92.114,186.113.19.170,186.114.207.82,186.120.159.140,186.136.185.11,186.136.29.143,186.137.231.77,186.139.184.36,186.146.1.36,186.149.140.55,186.159.1.217,186.159.122.233,186.170.25.122,186.177.126.252,186.177.165.196,186.177.174.163,186.188.152.177,186.189.228.84,186.190.192.84,186.19.202.88,186.208.123.210,186.223.86.136,186.24.240.240,186.250.113.201,186.28.36.44,186.3.223.3,186.3.232.68,186.33.185.229,186.4.196.172,186.4.234.27,186.4.242.12,186.4.4.161,186.68.199.71] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 9"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404308; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [186.68.48.204,186.70.152.218,186.80.169.128,186.82.11.76,186.87.134.176,186.89.170.142,186.90.155.228,186.90.227.239,186.90.238.36,187.131.47.157,187.137.111.0,187.144.192.126,187.144.76.174,187.147.145.48,187.148.160.52,187.148.173.68,187.153.105.212,187.162.248.237,187.163.143.13,187.163.179.73,187.163.205.19,187.163.60.63,187.167.204.28,187.169.245.45,187.176.67.240,187.188.163.98,187.188.41.242,187.188.44.32,187.189.144.131,187.192.58.207,187.193.117.191,187.198.19.70,187.199.129.111,187.202.255.212,187.207.31.55,187.212.208.8,187.220.99.192,187.228.133.187,187.235.145.190,187.243.70.172,187.247.125.144,187.250.201.195,187.51.47.26,187.72.47.161,188.0.135.237,188.119.113.114,188.119.113.60,188.120.242.75,188.122.51.199] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 10"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404309; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [188.129.197.149,188.194.63.4,188.251.213.180,188.53.210.137,189.1.185.248,189.123.239.235,189.131.147.21,189.131.47.159,189.132.43.14,189.134.34.13,189.134.53.158,189.145.144.172,189.146.217.35,189.148.190.37,189.149.3.197,189.150.218.69,189.154.128.205,189.154.188.33,189.154.68.123,189.155.150.137,189.160.15.202,189.162.104.16,189.163.192.252,189.163.44.44,189.168.169.129,189.173.41.239,189.196.140.187,189.201.197.98,189.205.123.101,189.208.126.53,189.209.255.52,189.212.199.126,189.213.205.70,189.213.208.168,189.218.186.138,189.220.246.167,189.222.109.159,189.225.148.250,189.225.165.11,189.228.101.204,189.230.124.74,189.231.145.106,189.236.139.230,189.244.154.169,189.250.216.207,189.252.30.160,189.253.56.145,189.26.118.194,190.0.1.30] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 11"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404310; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [190.0.28.219,190.100.136.117,190.100.16.210,190.10.159.242,190.102.226.91,190.104.191.159,190.104.213.38,190.104.233.88,190.108.228.62,190.109.223.50,190.111.215.3,190.11.22.92,190.114.244.182,190.117.161.108,190.12.14.75,190.128.82.61,190.128.90.22,190.129.111.12,190.130.152.209,190.131.157.113,190.131.166.199,190.13.211.174,190.13.215.114,190.13.222.120,190.136.177.34,190.136.178.52,190.138.220.6,190.139.134.60,190.140.187.200,190.143.38.211,190.143.39.231,190.145.67.178,190.146.0.108,190.146.128.35,190.146.158.142,190.146.169.53,190.146.205.227,190.147.100.8,190.147.116.32,190.147.137.153,190.147.162.82,190.147.19.32,190.147.247.215,190.147.42.32,190.147.44.151,190.147.53.140,190.15.180.250,190.158.193.245,190.160.53.126] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 12"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404311; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [190.160.8.4,190.161.186.116,190.161.45.112,190.167.214.75,190.171.135.237,190.171.153.139,190.17.160.28,190.17.195.202,190.17.44.48,190.17.94.108,190.180.124.226,190.181.235.46,190.18.153.249,190.182.134.41,190.186.70.146,190.188.46.233,190.19.178.131,190.195.199.97,190.196.143.58,190.202.39.187,190.210.223.238,190.210.236.139,190.210.38.253,190.213.249.250,190.214.13.2,190.224.219.14,190.226.34.8,190.229.148.144,190.230.171.15,190.2.31.172,190.240.175.190,190.2.43.237,190.245.10.162,190.247.62.93,190.247.9.40,190.2.50.193,190.251.235.239,190.25.54.18,190.26.98.130,190.27.27.139,190.3.183.18,190.34.215.74,190.40.100.7,190.41.82.177,190.44.153.169,190.44.204.143,190.47.217.253,190.47.227.130,190.52.161.1] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 13"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404312; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [190.52.207.190,190.53.135.159,190.55.181.54,190.55.209.82,190.57.130.142,190.57.232.244,190.60.225.114,190.6.140.136,190.6.230.215,190.63.7.166,190.72.239.156,190.72.55.98,190.73.133.66,190.79.170.161,190.8.246.18,190.85.152.185,190.85.206.228,190.85.71.218,190.86.177.157,190.94.79.239,190.97.30.167,190.97.63.104,190.98.58.170,191.183.21.190,191.92.81.199,191.99.120.221,192.210.226.106,192.241.143.52,192.3.1.208,193.111.62.50,194.5.250.115,194.5.250.118,194.5.250.138,194.5.250.143,194.5.250.150,194.5.250.174,194.5.250.175,194.5.250.200,194.5.250.201,194.5.250.46,194.5.250.47,194.5.250.69,195.123.220.178,195.123.237.105,195.123.239.192,195.123.239.194,195.123.239.29,195.133.196.151,195.244.215.206] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 14"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404313; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [195.54.162.120,196.209.233.234,196.6.119.137,197.211.244.219,197.243.230.45,197.83.236.18,197.88.29.182,198.0.227.57,198.211.121.27,198.23.252.127,198.58.119.85,199.83.161.218,200.105.164.138,200.105.211.46,200.108.250.176,200.111.255.89,200.115.53.210,200.116.145.225,200.116.191.114,200.119.193.251,200.123.110.50,200.123.150.89,200.123.183.137,200.124.245.125,200.124.27.202,200.126.171.119,200.126.171.225,200.126.228.236,200.126.237.113,200.127.51.94,200.171.101.169,200.21.90.5,200.23.18.172,200.24.248.194,200.29.111.252,200.41.121.90,200.43.231.60,200.45.187.90,200.45.57.96,200.50.177.218,200.52.75.212,200.54.18.162,200.58.180.130,200.58.78.78,200.58.83.179,200.6.186.36,200.68.111.81,200.69.224.73,200.84.36.201] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 15"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404314; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [200.85.110.240,200.86.246.50,200.93.90.133,201.103.250.229,201.110.102.182,201.142.155.203,201.152.93.218,201.155.204.151,201.17.193.151,201.173.217.124,201.180.46.22,201.183.225.39,201.190.204.249,201.192.162.109,201.192.163.160,201.196.89.80,201.200.3.74,201.212.241.162,201.212.49.159,201.213.100.141,201.214.229.79,201.220.152.101,201.220.68.11,201.228.78.117,201.231.77.11,201.235.149.157,201.235.65.61,201.236.135.104,201.236.218.36,201.236.95.82,201.238.171.6,201.245.184.16,201.248.14.67,201.91.28.210,201.97.131.88,202.187.195.57,202.29.215.114,202.51.181.50,202.52.247.178,202.62.39.111,203.122.18.234,203.122.20.90,203.122.32.74,203.122.44.152,203.153.216.182,203.163.247.170,203.176.135.102,203.198.147.4,203.213.236.70] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404315; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [203.23.128.148,204.13.253.141,204.184.24.82,206.255.201.213,207.134.189.64,207.255.226.104,207.47.71.46,208.105.77.2,208.107.52.29,208.180.47.78,209.112.181.206,209.137.209.84,209.97.168.52,210.215.155.44,210.56.10.58,210.6.85.121,210.77.89.109,211.138.24.144,211.184.5.163,211.20.154.102,211.215.86.199,212.112.113.235,212.124.117.25,212.156.219.6,212.174.19.87,212.174.57.124,212.25.55.70,212.80.216.167,212.80.217.162,212.80.217.220,212.81.22.231,212.99.204.114,213.107.110.252,213.16.213.197,213.184.244.254,213.243.211.114,216.132.25.162,216.14.176.17,216.21.168.27,216.221.68.35,216.74.200.97,216.81.19.67,216.8.172.167,217.12.209.148,217.12.209.159,217.12.209.170,217.12.209.176,217.12.209.244,217.12.70.226] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404316; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [217.13.106.160,217.145.83.44,217.165.124.206,217.165.2.29,217.199.160.224,218.214.130.200,218.255.173.106,219.94.254.93,220.128.125.18,220.130.37.13,220.132.16.114,220.161.178.6,220.210.163.76,220.213.79.166,220.253.68.95,221.133.46.86,221.162.74.239,222.104.222.145,222.235.126.213,222.97.149.122,223.197.185.60,2.28.113.59,23.227.206.170,23.254.203.51,23.92.16.164,24.14.188.26,24.157.195.134,24.164.79.147,24.167.122.146,24.179.13.119,24.179.13.67,24.194.252.25,24.196.13.216,24.232.26.157,24.232.79.140,24.240.253.67,24.248.210.137,24.249.73.48,24.37.133.84,24.48.215.63,24.51.106.145,24.53.224.19,24.53.48.176,24.63.218.229,2.47.112.152,24.71.172.74,24.94.237.248,2.50.144.32,2.50.183.165] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404317; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [2.50.28.190,27.0.180.40,27.100.25.74,27.109.116.48,27.147.163.188,27.4.100.100,27.96.91.73,31.131.20.159,31.131.21.168,31.131.21.184,31.131.26.31,31.146.61.34,36.89.106.69,36.89.88.111,36.91.45.10,37.187.150.39,37.187.159.59,37.187.72.193,37.209.252.121,37.210.228.23,37.211.44.113,37.222.74.104,37.70.131.107,39.88.192.28,41.169.20.147,41.60.200.34,42.200.102.153,42.200.178.117,42.200.191.247,45.118.136.92,45.118.32.204,45.123.3.54,45.137.151.198,45.142.215.235,45.148.120.117,45.153.185.187,45.161.242.102,45.167.12.22,45.224.52.174,45.47.32.181,45.55.179.121,45.55.65.123,45.6.16.68,45.79.75.232,46.105.131.87,46.214.11.172,46.29.143.219,46.30.175.11,46.4.167.227] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404318; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [47.146.123.171,47.150.248.161,47.153.183.211,47.156.64.4,47.41.100.58,47.47.196.171,47.50.17.78,47.6.15.79,49.176.162.90,49.207.182.22,49.248.119.186,50.101.109.25,50.116.86.205,50.35.17.13,5.102.165.159,51.148.59.233,51.254.164.243,51.254.164.244,51.254.164.245,5.128.151.213,51.38.134.203,5.1.74.124,5.1.74.249,51.77.108.17,51.77.111.116,51.81.113.25,5.182.210.178,5.182.210.191,5.182.210.55,5.182.211.24,5.187.152.115,51.89.115.104,51.89.115.108,51.89.115.112,51.89.115.121,5.189.148.98,51.89.73.158,5.196.247.14,5.196.73.88,5.230.147.179,5.255.96.186,5.255.96.187,5.255.96.217,5.255.96.218,5.2.76.29,5.2.78.118,5.2.79.140,5.32.55.214,5.32.84.54] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404319; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [5.34.158.102,54.37.5.200,54.37.77.86,54.39.180.109,54.39.187.202,5.44.210.163,58.171.38.26,58.239.33.5,58.65.178.100,58.65.211.99,5.88.27.67,58.93.151.148,59.103.164.174,59.120.5.154,59.120.74.106,59.148.227.190,59.20.65.102,59.24.156.97,59.96.244.37,60.130.173.117,60.142.249.243,60.240.221.183,60.250.78.22,61.107.76.47,61.197.37.169,61.38.71.197,61.79.164.230,62.109.11.248,62.109.28.101,62.109.30.83,62.75.143.128,62.84.75.50,63.141.2.116,63.143.74.70,64.118.8.252,64.13.225.150,64.237.68.70,64.39.179.131,64.44.133.153,65.128.138.30,65.184.222.119,65.24.85.214,66.228.228.211,66.229.161.86,66.34.201.20,66.57.212.114,67.20.141.76,67.215.46.58,67.235.68.222] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404320; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [67.254.19.89,67.77.66.132,67.79.6.38,68.115.64.219,68.183.18.169,68.202.51.4,68.203.213.226,68.42.248.45,69.70.248.98,70.118.9.166,70.127.155.33,70.166.122.236,70.167.72.96,70.178.189.123,70.182.77.205,70.28.2.171,70.48.238.90,70.57.82.196,71.10.114.255,71.125.28.55,71.222.233.135,71.42.166.139,71.91.161.118,72.132.106.183,72.231.228.196,72.29.55.174,72.38.164.146,72.44.93.233,73.176.10.71,73.185.67.141,74.105.117.118,74.130.137.231,74.58.188.22,75.108.22.7,75.109.200.232,75.110.170.175,75.133.26.185,75.86.6.174,77.122.237.72,77.44.120.62,77.44.98.67,77.69.190.139,77.69.8.132,77.74.78.80,78.12.139.80,78.141.2.164,78.186.102.195,78.186.175.183,78.186.175.54] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404321; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [78.186.23.245,78.186.26.189,78.186.5.109,78.187.173.144,78.188.170.128,78.188.44.240,78.189.109.123,78.189.165.52,78.189.173.217,78.189.180.107,78.189.207.238,79.10.57.78,79.137.101.2,79.75.233.224,79.78.139.74,80.102.134.174,80.11.158.65,80.11.163.139,80.209.136.169,80.211.32.88,80.253.241.66,80.44.121.62,81.140.49.231,81.143.197.4,81.169.202.3,81.177.22.238,81.177.3.67,81.177.3.88,81.214.142.115,81.214.253.80,81.82.203.76,82.223.70.24,83.110.100.150,83.110.108.213,83.110.212.100,83.110.80.67,84.9.167.76,85.100.122.211,85.100.125.179,85.104.56.247,85.105.145.205,85.105.205.77,85.143.221.183,85.143.223.201,85.152.174.56,85.204.116.139,85.204.116.153,85.204.116.191,85.204.116.193] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404322; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [85.204.116.195,85.204.116.57,85.97.123.102,85.99.226.42,85.99.247.228,86.247.108.13,86.42.166.147,86.43.100.19,86.43.125.152,86.56.233.166,86.98.53.59,86.98.71.253,87.127.197.7,87.201.127.70,87.225.109.55,87.252.100.28,87.66.13.80,88.174.131.38,88.247.144.128,88.247.76.191,88.248.140.80,88.249.120.205,88.249.1.225,88.249.181.174,88.250.255.12,88.253.236.157,89.120.94.134,89.186.26.179,89.211.112.137,89.215.225.15,89.32.150.160,91.117.31.181,91.183.108.184,91.191.206.60,91.200.100.84,91.200.102.125,91.200.102.6,91.217.76.15,91.219.169.180,91.231.166.124,91.235.129.144,91.235.129.199,91.235.129.223,91.235.129.60,91.242.136.103,91.242.138.11,91.73.197.186,91.93.202.142,92.11.254.135] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404323; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
alert ip $HOME_NET any -> [92.223.79.48,92.27.103.140,92.27.88.150,92.38.171.11,92.38.171.17,93.107.126.157,93.114.205.169,93.147.137.162,93.189.42.81,93.189.44.131,93.51.50.171,93.88.93.100,94.130.171.231,94.206.82.254,94.250.249.170,94.250.250.69,94.59.80.100,94.73.197.123,95.180.25.146,95.42.189.34,95.70.224.237,96.21.235.243,96.234.38.186,96.56.206.155,96.64.183.227,96.64.59.185,96.82.180.162,96.89.6.21,96.9.73.73,96.9.77.142,96.9.77.56,98.15.140.226,98.156.206.153,98.178.241.106,98.188.200.74,98.5.163.186,99.226.186.39,99.234.216.14] any (msg:"ET CNC Feodo Tracker Reported CnC Server group 25"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404324; rev:5709; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2020_04_20;)
#Ransomware Tracker