spyware-put.rules
# spyware-put.rules -- Snort 2.x signatures for "PUT" (potentially unwanted) spyware, adware,
# trackware, hijacker and hacker-tool traffic.
#
# Formatting note: the listing this was taken from had several rules run together on one line and
# other rules broken in the middle of an option. Snort requires each rule on a single line (or an
# explicit trailing-backslash continuation), so the rules below are restored one per line; no rule
# text has been changed.
#
# Reading the rules:
#   * "content:...; distance:0;" is a match relative to the previous content, so a chain such as
#     User-Agent|3A| -> "Browser" -> "Pal" requires those tokens in that order after the header name;
#     a "content" without "distance" is an independent match anywhere in the payload.
#   * The pcre that follows such a chain is the precise check; the content matches exist so the
#     fast-pattern matcher can discard most traffic before the regex runs.
#   * "threshold:type limit, track by_src, count 1, seconds N" caps output to one alert per source
#     host per N-second window (newer Snort 2 releases deprecate in-rule threshold in favour of
#     event_filter, so expect a warning there).
#   * "metadata:policy <name> drop" follows the VRT convention of naming the inline policy in which
#     the rule is enabled and what it does there; it has no effect on a plain IDS deployment.
#   * Three rules (sids 5765, 5787, 5797) write the flow option as "to_server, established" with a
#     space; Snort's option parser appears to tolerate this, but normalising it at the next rev keeps
#     the file consistent.

# Browser Pal trackware: User-Agent header containing "Browser Pal" (whitespace-tolerant), rate-limited
# to one alert per source per 10 minutes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware browserpal runtime detection - post user info to server"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Browser"; distance:0; nocase; content:"Pal"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*Browser\s+Pal/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074906; classtype:successful-recon-limited; sid:5954; rev:2;)

# ISearch toolbar information request: /xml.php with tid= and ref= parameters, a GUID-shaped tid value
# and a "Toolbar" User-Agent. NOTE(review): the character class [0-9A-z] is wider than alphanumeric
# (the A-z range also covers [ \ ] ^ _ and backtick); if the tid is a real GUID, [0-9A-Fa-f] is the
# intended class -- confirm against a capture before tightening.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker isearch runtime detection - toolbar information request"; flow:to_server,established; uricontent:"/xml.php"; nocase; uricontent:"tid="; nocase; uricontent:"ref="; nocase; content:"User-Agent|3A|"; nocase; content:"Toolbar"; distance:0; nocase; pcre:"/tid\x3D\x7B([0-9A-z]+\x2D){4}[0-9A-z]+\x7D/smi"; pcre:"/^User-Agent\x3A[^\r\n]*Toolbar/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5861; rev:3;)

# GetMirar search hijack: KEYWORD=, T= and ERROR= query parameters sent to Host websearch.getmirar.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker getmirar runtime detection - search request"; flow:to_server,established; uricontent:"/?"; nocase; uricontent:"KEYWORD="; nocase; uricontent:"T="; nocase; uricontent:"ERROR="; nocase; content:"Host|3A|"; nocase; content:"websearch.getmirar.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*websearch\.getmirar\.com/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077933; classtype:misc-activity; sid:5991; rev:2;)

# Begin2Search toolbar icon fetch: /toolbar/ico/<name>.ico (the /U pcre modifier matches against the
# normalised URI) from Host begin2search.com; one alert per source per 5 minutes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker begin2search runtime detection - ico query"; flow:to_server, established; uricontent:"/toolbar/ico/"; nocase; uricontent:".ico"; nocase; pcre:"/\x2Ftoolbar\x2Fico\x2F[a-zA-Z0-9_%]*\.ico/Ui"; content:"Host|3A|"; nocase; content:"begin2search.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*begin2search\.com/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5765; rev:2;)

# HitHopper adware search: /s.php, /search.php or the .php3 variants with ?search= to Host www.hithopper.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware hithopper runtime detection - search"; flow:to_server, established; uricontent:"?search="; nocase; content:"Host|3A|"; nocase; content:"www.hithopper.com"; distance:0; nocase; pcre:"/\x2Fs(earch)?\x2Ephp3?\x3Fsearch\x3D/Ui"; pcre:"/^Host\x3A[^\r\n]*www\.hithopper\.com/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5787; rev:2;)

# Dogpile / InfoSpace toolbar: User-Agent containing "Infospace Toolbar"; one alert per source per 30 minutes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware dogpile runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Infospace"; distance:0; nocase; content:"Toolbar"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*Infospace\s+Toolbar/smi"; threshold:type limit, track by_src, count 1, seconds 1800; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=651; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079953; classtype:misc-activity; sid:5750; rev:2;)

# SearchFast: matches on the URI path alone -- there is no Host or User-Agent constraint, so any request
# for /fstdirectory/searchResults.php?searchTerm= on any server fires it. The path is fairly specific,
# but review alert volume before enabling it in an inline policy.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker searchfast detection - search request"; flow:to_server,established; uricontent:"/fstdirectory/searchResults.php?searchTerm="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5963; rev:2;)

# Stealth Redirector backdoor, "view netstat" reply: fires only when the StealthRedirector_ViewNetstat
# flowbit was set by a companion rule (not on this page) and the infected host (acting as the server
# side of the session) returns a "Proto Local IP" table. Ports are "any" on both sides.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SPYWARE-PUT Hacker-Tool stealthredirector runtime detection - view netstat"; flow:from_server,established; flowbits:isset,StealthRedirector_ViewNetstat; content:"Proto"; nocase; content:"Local"; distance:0; nocase; content:"IP"; distance:0; nocase; pcre:"/^Proto\s+Local\s+IP/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=687; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076952; classtype:misc-activity; sid:5823; rev:2;)

# VX2 / ABetterInternet "Thinstall" trickler: /bi/servlet/ThinstallPre or ThinstallResult, and a User-Agent
# that embeds an .exe name, a {GUID}, an 8-character token and a 5-3-7-5 digit identifier, all pipe-separated.
# The ".*" with the /s modifier lets the regex span from the request line to the header; the content
# anchors keep that from running on unrelated traffic. One alert per source per 10 minutes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler VX2/ABetterInternet transponder thinstaller runtime detection - post information"; flow:to_server,established; content:"/bi/servlet/Thinstall"; nocase; content:"User-Agent|3A|"; nocase; content:".exe"; distance:0; nocase; pcre:"/\x2Fbi\x2Fservlet\x2FThinstall(Pre|Result).*^User-Agent\x3A[^\r\n]*\.exe[^\r\n]*\x7B[\dA-Za-z]{8}-[\dA-Za-z]{4}-[\dA-Za-z]{4}-[\dA-Za-z]{4}-[\dA-Za-z]{12}\x7D\x7C[\dA-Za-z]{8}\x7C\d{5}-\d{3}-\d{7}-\d{5}/smi"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threat_display.cfm?name=ABetterInternet&threatid=14797; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,www.geekstogo.com/forum/Aurora_spyware_Nailexe-t24344.html; classtype:misc-activity; sid:5871; rev:4;)

# ShopAtHomeSelect: eight independent (non-relative) content matches on the SAHSelect=GUID=, CustomerID=,
# stealth=, InstallerLocation=, LastPrefs=, AgentVersion=, CTG= and WSS_GW= fields; enabled in all three
# policies; one alert per source per 5 minutes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shopathomeselect runtime detection"; flow:to_server,established; content:"SAHSelect=GUID="; nocase; content:"CustomerID="; nocase; content:"stealth="; nocase; content:"InstallerLocation="; nocase; content:"LastPrefs="; nocase; content:"AgentVersion="; nocase; content:"CTG="; nocase; content:"WSS_GW="; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074921; classtype:misc-activity; sid:5807; rev:3;)

# Copernic Meta toolbar, IE AutoSearch / Search Assistant redirect: /copern.light/redirs_all.htm? with
# pgtarg=, qcat= and qkw=. URI-only match (no Host constraint).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker copernic meta toolbar runtime detection - ie autosearch & search assistant hijack"; flow:to_server,established; uricontent:"/copern.light/redirs_all.htm?"; nocase; uricontent:"pgtarg="; nocase; uricontent:"qcat="; nocase; uricontent:"qkw="; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5885; rev:3;)

# UCmore sponsor-link fetch: /iis2ucms_getsponsorlinks.asp followed by RequestString= and UCMXML.
# NOTE(review): the last relative content is just "EI" (case-insensitive), so the User-Agent part of this
# rule is satisfied by almost any UA string containing those two letters; the specificity comes from the
# URI/body tokens. Same pattern in sid 5837 below.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware ucmore runtime detection - get sponsor/ad links"; flow:to_server,established; content:"/iis2ucms_getsponsorlinks.asp"; nocase; content:"RequestString="; distance:0; nocase; content:"UCMXML"; distance:0; nocase; content:"User-Agent|3A|"; nocase; content:"EI"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*EI/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=776; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype:successful-recon-limited; sid:5838; rev:2;)

# FunBuddyIcons (MyWebSearch family) config request: /mysaconfg.jsp? with s=, p=ZB, v=, l=, c=, a= and a
# "MyWebSearchSearchAssistant" User-Agent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker funbuddyicons runtime detection - mysaconfg request"; flow:to_server,established; uricontent:"/mysaconfg.jsp?"; nocase; uricontent:"s="; nocase; uricontent:"p=ZB"; nocase; uricontent:"v="; nocase; uricontent:"l="; nocase; uricontent:"c="; nocase; uricontent:"a="; nocase; content:"User-Agent|3A|"; nocase; content:"MyWebSearchSearchAssistant"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*MyWebSearchSearchAssistant/smi"; metadata:policy security-ips drop; reference:url,www.pchell.com/support/funbuddyicons.shtml; classtype:misc-activity; sid:5857; rev:2;)

# MyWay Speedbar / MyWebSearch toolbar activity tracking: a /__utm.gif? beacon with the utm* parameters,
# constrained to Host myway.com (the beacon format itself is generic, so the Host check carries the
# detection). Enabled in all three policies; one alert per source per 5 minutes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar runtime detection - track activity 2"; flow:to_server,established; uricontent:"/__utm.gif?"; nocase; uricontent:"utmwv="; nocase; uricontent:"utmn="; nocase; uricontent:"utmsr="; nocase; uricontent:"utmsc="; nocase; uricontent:"utmul="; nocase; uricontent:"utmhn="; nocase; uricontent:"utmp="; nocase; content:"Host|3A|"; nocase; content:"myway.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*myway\.com/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5802; rev:3;)

# ShopAtHomeSelect install in progress: the only server-to-client rule here. Looks for an <OBJECT ... classid=clsid:{...}>
# tag carrying the ShopAtHomeSelect CLSID in a page delivered from an external HTTP server.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPYWARE-PUT shop at home select installation in progress - clsid detected"; flow:to_client,established; content:"C0EF89EE-EEC7-4535-A041-F1EBF79560A7"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0EF89EE-EEC7-4535-A041-F1EBF79560A7/si"; metadata:policy security-ips drop; reference:url,www.nuker.com/container/details/shop_at_home_select.php; classtype:misc-activity; sid:5811; rev:3;)

# AdTools / ScreenMate desktop-alert fetch: /roche.asp? with zip=, an "AdTools" User-Agent and Host
# www.flustar.com; one alert per source per 5 minutes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware adtools-screenmate runtime detection - generate desktop alert"; flow:to_server,established; uricontent:"/roche.asp?"; nocase; uricontent:"zip="; nocase; content:"User-Agent|3A|"; nocase; content:"AdTools"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*AdTools/smi"; content:"Host|3A|"; nocase; content:"www.flustar.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*www\.flustar\.com/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5899; rev:3;)

# Copernic Meta toolbar version/category check: URI-only match on /software/meta/Update/VersionCheckInfo.ini?c=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker copernic meta toolbar runtime detection - check toolbar & category info"; flow:to_server,established; uricontent:"/software/meta/Update/VersionCheckInfo.ini?c="; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5884; rev:3;)

# HWPE keylogger log exfiltration over SMTP (port 25): a Subject header of the form "HWPE Shell/File LOG".
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SPYWARE-PUT Keylogger runtime detection - hwpe shell file logs"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"HWPE"; distance:0; nocase; content:"Shell/File"; distance:0; nocase; content:"LOG"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*HWPE\s+Shell\x2FFile\s+LOG/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5779; rev:2;)

# SearchInWeb result-click tracking: /click.php? with id= and PHPSESSID=, and a Referer of
# http://www.searchinweb.com/search.php?said=bar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT trackware searchinweb detection - click result links"; flow:to_server,established; uricontent:"/click.php?"; nocase; uricontent:"id="; nocase; uricontent:"PHPSESSID="; nocase; content:"Referer|3A|"; nocase; content:"www.searchinweb.com/search.php?said=bar&q="; distance:0; nocase; pcre:"/^Referer\x3A[^\r\n]*http\x3A\x2F\x2Fwww\.searchinweb\.com\x2Fsearch\.php\?said=bar/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5967; rev:2;)

# EZCyberSearch toolbar setting check: /ezsbNNNN/bar_pl/chk_bar.fcgi? (four digits after ezsb) with
# aff_id= and cid=. URI-only match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker ezcybersearch runtime detection - check toolbar setting"; flow:to_server,established; uricontent:"/ezsb"; nocase; uricontent:"/bar_pl/chk_bar.fcgi?"; nocase; uricontent:"aff_id="; nocase; uricontent:"cid="; nocase; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fchk_bar\.fcgi/Ui"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5757; rev:2;)

# GhostVoice 1.02 backdoor, session setup: "!Request!" in the first 9 bytes sent by the infected host
# (server side of the session). This rule never alerts on its own (flowbits:noalert); it only sets
# GhostVoice_InitConnection_withpassword for a follow-on rule that is not on this page.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SPYWARE-PUT Hacker-Tool ghostvoice 1.02 runtime detection"; flow:from_server,established; content:"!Request!"; depth:9; flowbits:set,GhostVoice_InitConnection_withpassword; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; sid:5957; rev:2;)

# DaoSearch hijack: o.php? with id= and url= to Host daosearch.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker daosearch runtime detection - search hijack"; flow:to_server,established; uricontent:"o.php?"; nocase; uricontent:"id="; nocase; uricontent:"url="; nocase; content:"Host|3A|"; nocase; content:"daosearch.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*daosearch\x2Ecom/smi"; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.daosearch.html; classtype:misc-activity; sid:5860; rev:2;)

# Push toolbar information request: URI-only match on /searchv2tb0200.php with barid=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware push toolbar runtime detection - toolbar information request"; flow:to_server,established; uricontent:"/searchv2tb0200.php"; nocase; uricontent:"barid="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1786; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079100; classtype:successful-recon-limited; sid:5985; rev:3;)

# UCmore activity tracking: /iis2ucms.asp followed by RequestString= and UCMXML; same two-letter "EI"
# User-Agent check as sid 5838 (see note there).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware ucmore runtime detection - track activity"; flow:to_server,established; content:"/iis2ucms.asp"; nocase; content:"RequestString="; distance:0; nocase; content:"UCMXML"; distance:0; nocase; content:"User-Agent|3A|"; nocase; content:"EI"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*EI/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=776; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype:successful-recon-limited; sid:5837; rev:2;)

# ISearch search hijack: /dns.php? with text= to Host auto.isearch.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker isearch runtime detection - search hijack 1"; flow:to_server,established; uricontent:"/dns.php?"; nocase; uricontent:"text="; nocase; content:"Host|3A|"; nocase; content:"auto.isearch.com"; distance:0; nocase; pcre:"/^Host\x3A[^\r\n]*auto\x2Eisearch\x2Ecom/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5862; rev:3;)

# Kontiki client: User-Agent containing "Kontiki Client"; one alert per source per 5 minutes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hacker-Tool kontiki runtime detection"; flow:to_server, established; content:"User-Agent|3A|"; nocase; content:"Kontiki"; distance:0; nocase; content:"Client"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*Kontiki\s+Client/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www.extremetech.com/article2/0,3973,365073,00.asp; classtype:misc-activity; sid:5797; rev:2;)