minerchk/monero-snort.rules
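# DNS-query signatures for hostnames this ruleset associates with coin mining.
# The trailing " | |" table residue from the web rendering has been stripped so
# that every line ends at the rule's closing parenthesis.
#
# Each rule inspects UDP packets sent to port 53 and needs two content matches:
#   1. Ten bytes at payload offset 2, i.e. the DNS header after the transaction
#      ID: flags 0x0100 (standard query, recursion desired), QDCOUNT 1, and
#      ANCOUNT / NSCOUNT / ARCOUNT all 0.
#   2. The hostname in DNS wire format (length-prefixed labels), matched
#      case-insensitively anywhere after the header match (distance:0).
#
# NOTE(review): because ARCOUNT must be 0, a query that carries an EDNS0 OPT
#   record (ARCOUNT 1), or that sets any other flag bit, does not match. If
#   clients or resolvers on the monitored segment send EDNS0, relaxing the
#   header match to the flags and QDCOUNT bytes would close that gap.
# NOTE(review): the name patterns have no terminating |00| root label and are
#   not pinned to the start of the question, so they also match the same labels
#   inside a longer name (a subdomain, or a name that continues with further
#   labels).
# Coverage: UDP/53 only. Lookups over TCP/53, DoT or DoH are not seen by these
#   rules; pair them with resolver or proxy logs where those transports are in
#   use.
# Triage: a hit shows that a host asked for the name, not that a miner is
#   running. Confirm on the endpoint (process list, CPU load, outbound
#   connections) before treating it as an incident.
# SIDs are in the local-rule range (>= 1000000).
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for cloudflare.hashfor.cash"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0a|cloudflare|07|hashfor|04|cash"; nocase; distance:0; sid:9000000; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for cryptoescrow.eu"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0c|cryptoescrow|02|eu"; nocase; distance:0; sid:9000001; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for cryptonotepool.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0e|cryptonotepool|03|org"; nocase; distance:0; sid:9000002; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for fcn-mro.pool.minergate.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|07|fcn-mro|04|pool|09|minergate|03|com"; nocase; distance:0; sid:9000003; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for hash-to-coins.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0d|hash-to-coins|03|com"; nocase; distance:0; sid:9000004; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for kippo.eu"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|05|kippo|02|eu"; nocase; distance:0; sid:9000005; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for linux-repository-updates.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|18|linux-repository-updates|03|com"; nocase; distance:0; sid:9000006; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for litecoinpool.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0c|litecoinpool|03|org"; nocase; distance:0; sid:9000007; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for mine.moneropool.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|04|mine|0a|moneropool|03|com"; nocase; distance:0; sid:9000008; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for mine.sumo.fairpool.cloud"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|04|mine|04|sumo|08|fairpool|05|cloud"; nocase; distance:0; sid:9000009; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for monero.crypto-pool.fr"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|06|monero|0b|crypto-pool|02|fr"; nocase; distance:0; sid:9000010; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for monero.farm"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|06|monero|04|farm"; nocase; distance:0; sid:9000011; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for monerohash.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0a|monerohash|03|com"; nocase; distance:0; sid:9000012; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for monerominers.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0c|monerominers|03|net"; nocase; distance:0; sid:9000013; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for mro.extrmepool.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|mro|0a|extrmepool|03|org"; nocase; distance:0; sid:9000014; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for mro.poolto.be"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|mro|06|poolto|02|be"; nocase; distance:0; sid:9000015; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for pool.minexmr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|04|pool|07|minexmr|03|com"; nocase; distance:0; sid:9000016; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for pool-nyc.supportxmr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|08|pool-nyc|0a|supportxmr|03|com"; nocase; distance:0; sid:9000017; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for pool-proxy.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0a|pool-proxy|03|com"; nocase; distance:0; sid:9000018; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for pool.sumokoin.hashvault.pro"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|04|pool|08|sumokoin|09|hashvault|03|pro"; nocase; distance:0; sid:9000019; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for pool-vegas.xmrpool.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0a|pool-vegas|07|xmrpool|03|net"; nocase; distance:0; sid:9000020; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for webcoin.me"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|07|webcoin|02|me"; nocase; distance:0; sid:9000021; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xcnpool2.1gh.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|08|xcnpool2|03|1gh|03|com"; nocase; distance:0; sid:9000022; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xdn.miner.center"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|xdn|05|miner|06|center"; nocase; distance:0; sid:9000023; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr.crypto-pool.fr"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|xmr|0b|crypto-pool|02|fr"; nocase; distance:0; sid:9000024; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr-eu1.nanopool.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|07|xmr-eu1|08|nanopool|03|org"; nocase; distance:0; sid:9000025; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr-eu2.nanopool.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|07|xmr-eu2|08|nanopool|03|org"; nocase; distance:0; sid:9000026; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr-eu.dwarfpool.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|06|xmr-eu|09|dwarfpool|03|com"; nocase; distance:0; sid:9000027; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr-eu.nanopool.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|06|xmr-eu|08|nanopool|03|org"; nocase; distance:0; sid:9000028; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr.hashinvest.ws"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|xmr|0a|hashinvest|02|ws"; nocase; distance:0; sid:9000029; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmrpool.eu"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|07|xmrpool|02|eu"; nocase; distance:0; sid:9000030; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr.pool.minergate.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|xmr|04|pool|09|minergate|03|com"; nocase; distance:0; sid:9000031; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr.prohash.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|xmr|07|prohash|03|net"; nocase; distance:0; sid:9000032; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for yescrypt.mine.zpool.ca"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|08|yescrypt|04|mine|05|zpool|02|ca"; nocase; distance:0; sid:9000033; rev:0;)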
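# Address-based rules (sids 9000034-9000099): alert on any IP packet, in either
# direction (<>), between any host and the listed address on any port.
# The trailing " | |" table residue from the web rendering has been stripped so
# that every line ends at the rule's closing parenthesis.
#
# These rules carry no protocol, port or payload condition, so every packet of
# a flow to or from a listed address matches. Rate-limit them (for example with
# an event_filter keyed on source) before sending the alerts to an analyst
# queue.
# NOTE(review): the file records no source or collection date for these
#   addresses. Addresses get reassigned, so re-validate the list before using
#   it for blocking, and treat a hit as a lead to confirm on the endpoint
#   rather than as proof of mining.
# NOTE(review): several addresses in this range are listed again later in the
#   file under other sids (for example 178.21.23.4 is sid 9000093 here and
#   sid 9000100 later), which can produce more than one alert for the same
#   packet depending on event-queue settings.
alert ip any any <> 163.172.204.219 any (msg:"Traffic to known Monero Miner IP (163.172.204.219)"; sid:9000034; rev:0;)
alert ip any any <> 163.172.207.69 any (msg:"Traffic to known Monero Miner IP (163.172.207.69)"; sid:9000035; rev:0;)
alert ip any any <> 163.172.226.120 any (msg:"Traffic to known Monero Miner IP (163.172.226.120)"; sid:9000036; rev:0;)
alert ip any any <> 163.172.204.213 any (msg:"Traffic to known Monero Miner IP (163.172.204.213)"; sid:9000037; rev:0;)
alert ip any any <> 163.172.226.131 any (msg:"Traffic to known Monero Miner IP (163.172.226.131)"; sid:9000038; rev:0;)
alert ip any any <> 163.172.207.198 any (msg:"Traffic to known Monero Miner IP (163.172.207.198)"; sid:9000039; rev:0;)
alert ip any any <> 163.172.207.71 any (msg:"Traffic to known Monero Miner IP (163.172.207.71)"; sid:9000040; rev:0;)
alert ip any any <> 163.172.226.137 any (msg:"Traffic to known Monero Miner IP (163.172.226.137)"; sid:9000041; rev:0;)
alert ip any any <> 213.32.74.219 any (msg:"Traffic to known Monero Miner IP (213.32.74.219)"; sid:9000042; rev:0;)
alert ip any any <> 198.251.88.16 any (msg:"Traffic to known Monero Miner IP (198.251.88.16)"; sid:9000043; rev:0;)
alert ip any any <> 79.137.82.104 any (msg:"Traffic to known Monero Miner IP (79.137.82.104)"; sid:9000044; rev:0;)
alert ip any any <> 207.154.213.72 any (msg:"Traffic to known Monero Miner IP (207.154.213.72)"; sid:9000045; rev:0;)
alert ip any any <> 213.32.29.143 any (msg:"Traffic to known Monero Miner IP (213.32.29.143)"; sid:9000046; rev:0;)
alert ip any any <> 149.202.43.126 any (msg:"Traffic to known Monero Miner IP (149.202.43.126)"; sid:9000047; rev:0;)
alert ip any any <> 207.154.194.32 any (msg:"Traffic to known Monero Miner IP (207.154.194.32)"; sid:9000048; rev:0;)
alert ip any any <> 213.32.29.168 any (msg:"Traffic to known Monero Miner IP (213.32.29.168)"; sid:9000049; rev:0;)
alert ip any any <> 92.222.180.118 any (msg:"Traffic to known Monero Miner IP (92.222.180.118)"; sid:9000050; rev:0;)
alert ip any any <> 164.132.109.110 any (msg:"Traffic to known Monero Miner IP (164.132.109.110)"; sid:9000051; rev:0;)
alert ip any any <> 92.222.180.119 any (msg:"Traffic to known Monero Miner IP (92.222.180.119)"; sid:9000052; rev:0;)
alert ip any any <> 198.251.88.21 any (msg:"Traffic to known Monero Miner IP (198.251.88.21)"; sid:9000053; rev:0;)
alert ip any any <> 138.197.183.116 any (msg:"Traffic to known Monero Miner IP (138.197.183.116)"; sid:9000054; rev:0;)
alert ip any any <> 79.137.82.5 any (msg:"Traffic to known Monero Miner IP (79.137.82.5)"; sid:9000055; rev:0;)
alert ip any any <> 198.251.88.14 any (msg:"Traffic to known Monero Miner IP (198.251.88.14)"; sid:9000056; rev:0;)
alert ip any any <> 79.137.82.70 any (msg:"Traffic to known Monero Miner IP (79.137.82.70)"; sid:9000057; rev:0;)
alert ip any any <> 213.32.74.230 any (msg:"Traffic to known Monero Miner IP (213.32.74.230)"; sid:9000058; rev:0;)
alert ip any any <> 213.32.29.150 any (msg:"Traffic to known Monero Miner IP (213.32.29.150)"; sid:9000059; rev:0;)
alert ip any any <> 159.89.11.225 any (msg:"Traffic to known Monero Miner IP (159.89.11.225)"; sid:9000060; rev:0;)
alert ip any any <> 92.222.72.197 any (msg:"Traffic to known Monero Miner IP (92.222.72.197)"; sid:9000061; rev:0;)
alert ip any any <> 164.132.108.171 any (msg:"Traffic to known Monero Miner IP (164.132.108.171)"; sid:9000062; rev:0;)
alert ip any any <> 213.32.74.157 any (msg:"Traffic to known Monero Miner IP (213.32.74.157)"; sid:9000063; rev:0;)
alert ip any any <> 207.154.226.213 any (msg:"Traffic to known Monero Miner IP (207.154.226.213)"; sid:9000064; rev:0;)
alert ip any any <> 149.56.122.79 any (msg:"Traffic to known Monero Miner IP (149.56.122.79)"; sid:9000065; rev:0;)
alert ip any any <> 188.165.199.78 any (msg:"Traffic to known Monero Miner IP (188.165.199.78)"; sid:9000066; rev:0;)
alert ip any any <> 37.187.154.79 any (msg:"Traffic to known Monero Miner IP (37.187.154.79)"; sid:9000067; rev:0;)
alert ip any any <> 37.59.43.131 any (msg:"Traffic to known Monero Miner IP (37.59.43.131)"; sid:9000068; rev:0;)
alert ip any any <> 78.46.91.171 any (msg:"Traffic to known Monero Miner IP (78.46.91.171)"; sid:9000069; rev:0;)
alert ip any any <> 176.31.117.82 any (msg:"Traffic to known Monero Miner IP (176.31.117.82)"; sid:9000070; rev:0;)
alert ip any any <> 37.59.45.174 any (msg:"Traffic to known Monero Miner IP (37.59.45.174)"; sid:9000071; rev:0;)
alert ip any any <> 94.23.212.204 any (msg:"Traffic to known Monero Miner IP (94.23.212.204)"; sid:9000072; rev:0;)
alert ip any any <> 94.23.41.130 any (msg:"Traffic to known Monero Miner IP (94.23.41.130)"; sid:9000073; rev:0;)
alert ip any any <> 37.59.44.193 any (msg:"Traffic to known Monero Miner IP (37.59.44.193)"; sid:9000074; rev:0;)
alert ip any any <> 188.165.254.85 any (msg:"Traffic to known Monero Miner IP (188.165.254.85)"; sid:9000075; rev:0;)
alert ip any any <> 94.130.164.60 any (msg:"Traffic to known Monero Miner IP (94.130.164.60)"; sid:9000076; rev:0;)
alert ip any any <> 46.105.103.169 any (msg:"Traffic to known Monero Miner IP (46.105.103.169)"; sid:9000077; rev:0;)
alert ip any any <> 94.23.206.130 any (msg:"Traffic to known Monero Miner IP (94.23.206.130)"; sid:9000078; rev:0;)
alert ip any any <> 37.59.55.60 any (msg:"Traffic to known Monero Miner IP (37.59.55.60)"; sid:9000079; rev:0;)
alert ip any any <> 78.46.89.102 any (msg:"Traffic to known Monero Miner IP (78.46.89.102)"; sid:9000080; rev:0;)
alert ip any any <> 188.165.214.76 any (msg:"Traffic to known Monero Miner IP (188.165.214.76)"; sid:9000081; rev:0;)
alert ip any any <> 78.46.91.134 any (msg:"Traffic to known Monero Miner IP (78.46.91.134)"; sid:9000082; rev:0;)
alert ip any any <> 91.121.87.10 any (msg:"Traffic to known Monero Miner IP (91.121.87.10)"; sid:9000083; rev:0;)
alert ip any any <> 37.59.54.205 any (msg:"Traffic to known Monero Miner IP (37.59.54.205)"; sid:9000084; rev:0;)
alert ip any any <> 178.63.48.196 any (msg:"Traffic to known Monero Miner IP (178.63.48.196)"; sid:9000085; rev:0;)
alert ip any any <> 198.251.81.82 any (msg:"Traffic to known Monero Miner IP (198.251.81.82)"; sid:9000086; rev:0;)
alert ip any any <> 107.191.99.227 any (msg:"Traffic to known Monero Miner IP (107.191.99.227)"; sid:9000087; rev:0;)
alert ip any any <> 138.201.31.12 any (msg:"Traffic to known Monero Miner IP (138.201.31.12)"; sid:9000088; rev:0;)
alert ip any any <> 138.201.31.13 any (msg:"Traffic to known Monero Miner IP (138.201.31.13)"; sid:9000089; rev:0;)
alert ip any any <> 138.201.31.14 any (msg:"Traffic to known Monero Miner IP (138.201.31.14)"; sid:9000090; rev:0;)
alert ip any any <> 178.63.62.94 any (msg:"Traffic to known Monero Miner IP (178.63.62.94)"; sid:9000091; rev:0;)
alert ip any any <> 138.201.206.47 any (msg:"Traffic to known Monero Miner IP (138.201.206.47)"; sid:9000092; rev:0;)
alert ip any any <> 178.21.23.4 any (msg:"Traffic to known Monero Miner IP (178.21.23.4)"; sid:9000093; rev:0;)
alert ip any any <> 212.83.158.14 any (msg:"Traffic to known Monero Miner IP (212.83.158.14)"; sid:9000094; rev:0;)
alert ip any any <> 72.52.179.175 any (msg:"Traffic to known Monero Miner IP (72.52.179.175)"; sid:9000095; rev:0;)
alert ip any any <> 54.72.9.51 any (msg:"Traffic to known Monero Miner IP (54.72.9.51)"; sid:9000096; rev:0;)
alert ip any any <> 176.9.147.178 any (msg:"Traffic to known Monero Miner IP (176.9.147.178)"; sid:9000097; rev:0;)
alert ip any any <> 176.9.47.243 any (msg:"Traffic to known Monero Miner IP (176.9.47.243)"; sid:9000098; rev:0;)
alert ip any any <> 109.201.135.43 any (msg:"Traffic to known Monero Miner IP (109.201.135.43)"; sid:9000099; rev:0;)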
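# Address-based rules (sids 9000100-9000176): alert on any IP packet, in either
# direction (<>), between any host and the listed address on any port.
# The trailing " | |" table residue from the web rendering has been stripped so
# that every line ends at the rule's closing parenthesis.
#
# NOTE(review): many addresses in this range repeat an entry that already has a
#   sid. For example 149.202.43.126 appears as sid 9000047, 9000111 and
#   9000171, and 92.222.180.118 as 9000050, 9000112 and 9000157. The duplicates
#   add no coverage and can raise several alerts for one packet, depending on
#   event-queue settings. Deduplicate before deployment, keeping one sid per
#   address so that suppressions and thresholds stay unambiguous.
# NOTE(review): the file records no source or collection date for these
#   addresses. Re-validate them before using the list for blocking, and confirm
#   a hit on the endpoint rather than treating it as proof of mining.
# These rules carry no protocol, port or payload condition, so every packet of
# a matching flow alerts; apply rate limiting where the sensor supports it.
alert ip any any <> 178.21.23.4 any (msg:"Traffic to known Monero Miner IP (178.21.23.4)"; sid:9000100; rev:0;)
alert ip any any <> 45.63.37.176 any (msg:"Traffic to known Monero Miner IP (45.63.37.176)"; sid:9000101; rev:0;)
alert ip any any <> 54.72.9.51 any (msg:"Traffic to known Monero Miner IP (54.72.9.51)"; sid:9000102; rev:0;)
alert ip any any <> 51.255.163.106 any (msg:"Traffic to known Monero Miner IP (51.255.163.106)"; sid:9000103; rev:0;)
alert ip any any <> 72.52.179.175 any (msg:"Traffic to known Monero Miner IP (72.52.179.175)"; sid:9000104; rev:0;)
alert ip any any <> 64.70.19.203 any (msg:"Traffic to known Monero Miner IP (64.70.19.203)"; sid:9000105; rev:0;)
alert ip any any <> 192.64.119.154 any (msg:"Traffic to known Monero Miner IP (192.64.119.154)"; sid:9000106; rev:0;)
alert ip any any <> 104.140.201.42 any (msg:"Traffic to known Monero Miner IP (104.140.201.42)"; sid:9000107; rev:0;)
alert ip any any <> 104.140.244.186 any (msg:"Traffic to known Monero Miner IP (104.140.244.186)"; sid:9000108; rev:0;)
alert ip any any <> 104.140.201.58 any (msg:"Traffic to known Monero Miner IP (104.140.201.58)"; sid:9000109; rev:0;)
alert ip any any <> 217.182.65.224 any (msg:"Traffic to known Monero Miner IP (217.182.65.224)"; sid:9000110; rev:0;)
alert ip any any <> 149.202.43.126 any (msg:"Traffic to known Monero Miner IP (149.202.43.126)"; sid:9000111; rev:0;)
alert ip any any <> 92.222.180.118 any (msg:"Traffic to known Monero Miner IP (92.222.180.118)"; sid:9000112; rev:0;)
alert ip any any <> 79.137.82.104 any (msg:"Traffic to known Monero Miner IP (79.137.82.104)"; sid:9000113; rev:0;)
alert ip any any <> 217.182.169.148 any (msg:"Traffic to known Monero Miner IP (217.182.169.148)"; sid:9000114; rev:0;)
alert ip any any <> 213.32.74.230 any (msg:"Traffic to known Monero Miner IP (213.32.74.230)"; sid:9000115; rev:0;)
alert ip any any <> 149.202.57.197 any (msg:"Traffic to known Monero Miner IP (149.202.57.197)"; sid:9000116; rev:0;)
alert ip any any <> 79.137.82.5 any (msg:"Traffic to known Monero Miner IP (79.137.82.5)"; sid:9000117; rev:0;)
alert ip any any <> 164.132.109.110 any (msg:"Traffic to known Monero Miner IP (164.132.109.110)"; sid:9000118; rev:0;)
alert ip any any <> 92.222.180.119 any (msg:"Traffic to known Monero Miner IP (92.222.180.119)"; sid:9000119; rev:0;)
alert ip any any <> 151.80.59.84 any (msg:"Traffic to known Monero Miner IP (151.80.59.84)"; sid:9000120; rev:0;)
alert ip any any <> 217.182.66.25 any (msg:"Traffic to known Monero Miner IP (217.182.66.25)"; sid:9000121; rev:0;)
alert ip any any <> 198.251.88.16 any (msg:"Traffic to known Monero Miner IP (198.251.88.16)"; sid:9000122; rev:0;)
alert ip any any <> 213.32.29.168 any (msg:"Traffic to known Monero Miner IP (213.32.29.168)"; sid:9000123; rev:0;)
alert ip any any <> 213.32.29.150 any (msg:"Traffic to known Monero Miner IP (213.32.29.150)"; sid:9000124; rev:0;)
alert ip any any <> 213.32.74.219 any (msg:"Traffic to known Monero Miner IP (213.32.74.219)"; sid:9000125; rev:0;)
alert ip any any <> 79.137.82.70 any (msg:"Traffic to known Monero Miner IP (79.137.82.70)"; sid:9000126; rev:0;)
alert ip any any <> 213.32.29.143 any (msg:"Traffic to known Monero Miner IP (213.32.29.143)"; sid:9000127; rev:0;)
alert ip any any <> 92.222.72.197 any (msg:"Traffic to known Monero Miner IP (92.222.72.197)"; sid:9000128; rev:0;)
alert ip any any <> 198.251.88.21 any (msg:"Traffic to known Monero Miner IP (198.251.88.21)"; sid:9000129; rev:0;)
alert ip any any <> 198.251.88.14 any (msg:"Traffic to known Monero Miner IP (198.251.88.14)"; sid:9000130; rev:0;)
alert ip any any <> 213.32.74.157 any (msg:"Traffic to known Monero Miner IP (213.32.74.157)"; sid:9000131; rev:0;)
alert ip any any <> 164.132.108.171 any (msg:"Traffic to known Monero Miner IP (164.132.108.171)"; sid:9000132; rev:0;)
alert ip any any <> 136.243.102.157 any (msg:"Traffic to known Monero Miner IP (136.243.102.157)"; sid:9000133; rev:0;)
alert ip any any <> 94.130.64.225 any (msg:"Traffic to known Monero Miner IP (94.130.64.225)"; sid:9000134; rev:0;)
alert ip any any <> 94.130.48.154 any (msg:"Traffic to known Monero Miner IP (94.130.48.154)"; sid:9000135; rev:0;)
alert ip any any <> 136.243.94.27 any (msg:"Traffic to known Monero Miner IP (136.243.94.27)"; sid:9000136; rev:0;)
alert ip any any <> 78.46.23.253 any (msg:"Traffic to known Monero Miner IP (78.46.23.253)"; sid:9000137; rev:0;)
alert ip any any <> 176.9.0.89 any (msg:"Traffic to known Monero Miner IP (176.9.0.89)"; sid:9000138; rev:0;)
alert ip any any <> 46.4.120.155 any (msg:"Traffic to known Monero Miner IP (46.4.120.155)"; sid:9000139; rev:0;)
alert ip any any <> 136.243.88.145 any (msg:"Traffic to known Monero Miner IP (136.243.88.145)"; sid:9000140; rev:0;)
alert ip any any <> 176.9.47.243 any (msg:"Traffic to known Monero Miner IP (176.9.47.243)"; sid:9000141; rev:0;)
alert ip any any <> 176.9.147.178 any (msg:"Traffic to known Monero Miner IP (176.9.147.178)"; sid:9000142; rev:0;)
alert ip any any <> 94.130.9.194 any (msg:"Traffic to known Monero Miner IP (94.130.9.194)"; sid:9000143; rev:0;)
alert ip any any <> 94.23.251.22 any (msg:"Traffic to known Monero Miner IP (94.23.251.22)"; sid:9000144; rev:0;)
alert ip any any <> 176.31.105.53 any (msg:"Traffic to known Monero Miner IP (176.31.105.53)"; sid:9000145; rev:0;)
alert ip any any <> 146.0.77.83 any (msg:"Traffic to known Monero Miner IP (146.0.77.83)"; sid:9000146; rev:0;)
alert ip any any <> 192.99.14.195 any (msg:"Traffic to known Monero Miner IP (192.99.14.195)"; sid:9000147; rev:0;)
alert ip any any <> 79.137.57.106 any (msg:"Traffic to known Monero Miner IP (79.137.57.106)"; sid:9000148; rev:0;)
alert ip any any <> 178.32.145.31 any (msg:"Traffic to known Monero Miner IP (178.32.145.31)"; sid:9000149; rev:0;)
alert ip any any <> 178.32.196.217 any (msg:"Traffic to known Monero Miner IP (178.32.196.217)"; sid:9000150; rev:0;)
alert ip any any <> 88.99.68.228 any (msg:"Traffic to known Monero Miner IP (88.99.68.228)"; sid:9000151; rev:0;)
alert ip any any <> 217.182.169.148 any (msg:"Traffic to known Monero Miner IP (217.182.169.148)"; sid:9000152; rev:0;)
alert ip any any <> 51.255.34.118 any (msg:"Traffic to known Monero Miner IP (51.255.34.118)"; sid:9000153; rev:0;)
alert ip any any <> 5.196.26.96 any (msg:"Traffic to known Monero Miner IP (5.196.26.96)"; sid:9000154; rev:0;)
alert ip any any <> 92.222.10.59 any (msg:"Traffic to known Monero Miner IP (92.222.10.59)"; sid:9000155; rev:0;)
alert ip any any <> 151.80.59.84 any (msg:"Traffic to known Monero Miner IP (151.80.59.84)"; sid:9000156; rev:0;)
alert ip any any <> 92.222.180.118 any (msg:"Traffic to known Monero Miner IP (92.222.180.118)"; sid:9000157; rev:0;)
alert ip any any <> 92.222.72.197 any (msg:"Traffic to known Monero Miner IP (92.222.72.197)"; sid:9000158; rev:0;)
alert ip any any <> 51.255.34.79 any (msg:"Traffic to known Monero Miner IP (51.255.34.79)"; sid:9000159; rev:0;)
alert ip any any <> 51.255.34.80 any (msg:"Traffic to known Monero Miner IP (51.255.34.80)"; sid:9000160; rev:0;)
alert ip any any <> 5.196.23.240 any (msg:"Traffic to known Monero Miner IP (5.196.23.240)"; sid:9000161; rev:0;)
alert ip any any <> 151.80.144.188 any (msg:"Traffic to known Monero Miner IP (151.80.144.188)"; sid:9000162; rev:0;)
alert ip any any <> 151.80.144.253 any (msg:"Traffic to known Monero Miner IP (151.80.144.253)"; sid:9000163; rev:0;)
alert ip any any <> 198.251.88.16 any (msg:"Traffic to known Monero Miner IP (198.251.88.16)"; sid:9000164; rev:0;)
alert ip any any <> 149.202.42.174 any (msg:"Traffic to known Monero Miner IP (149.202.42.174)"; sid:9000165; rev:0;)
alert ip any any <> 5.196.13.29 any (msg:"Traffic to known Monero Miner IP (5.196.13.29)"; sid:9000166; rev:0;)
alert ip any any <> 217.182.66.25 any (msg:"Traffic to known Monero Miner IP (217.182.66.25)"; sid:9000167; rev:0;)
alert ip any any <> 92.222.180.119 any (msg:"Traffic to known Monero Miner IP (92.222.180.119)"; sid:9000168; rev:0;)
alert ip any any <> 217.182.65.224 any (msg:"Traffic to known Monero Miner IP (217.182.65.224)"; sid:9000169; rev:0;)
alert ip any any <> 149.202.57.197 any (msg:"Traffic to known Monero Miner IP (149.202.57.197)"; sid:9000170; rev:0;)
alert ip any any <> 149.202.43.126 any (msg:"Traffic to known Monero Miner IP (149.202.43.126)"; sid:9000171; rev:0;)
alert ip any any <> 199.231.85.124 any (msg:"Traffic to known Monero Miner IP (199.231.85.124)"; sid:9000172; rev:0;)
alert ip any any <> 162.213.38.63 any (msg:"Traffic to known Monero Miner IP (162.213.38.63)"; sid:9000173; rev:0;)
alert ip any any <> 45.76.23.212 any (msg:"Traffic to known Monero Miner IP (45.76.23.212)"; sid:9000174; rev:0;)
alert ip any any <> 5.196.42.127 any (msg:"Traffic to known Monero Miner IP (5.196.42.127)"; sid:9000175; rev:0;)
alert ip any any <> 51.254.238.27 any (msg:"Traffic to known Monero Miner IP (51.254.238.27)"; sid:9000176; rev:0;)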
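# Final three rules (sids 9000177-9000179). The trailing "|" table residue from
# the web rendering has been stripped so that each line ends at the rule's
# closing parenthesis.
#
# NOTE(review): sid 9000177 is the same DNS signature as sid 9000009
#   (mine.sumo.fairpool.cloud); only the sid differs. Keep one of the two, or
#   a single lookup can be reported under both sids.
# The DNS rule requires a query header with flags 0x0100, QDCOUNT 1 and
# ANCOUNT / NSCOUNT / ARCOUNT 0, so a query carrying an EDNS0 OPT record
# (ARCOUNT 1) does not match. It covers UDP/53 only.
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for mine.sumo.fairpool.cloud"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|04|mine|04|sumo|08|fairpool|05|cloud"; nocase; distance:0; sid:9000177; rev:0;)
# Address-based rules: any IP packet in either direction to or from the listed
# address alerts. The file gives no source or date for these entries.
alert ip any any <> 88.80.187.187 any (msg:"Traffic to known Monero Miner IP (88.80.187.187)"; sid:9000178; rev:0;)
alert ip any any <> 149.210.234.234 any (msg:"Traffic to known Monero Miner IP (149.210.234.234)"; sid:9000179; rev:0;)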