# Copyright 2001-2015 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------------
# INDICATOR-SHELLCODE RULES
#---------------------------
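# unescape() shellcode indicators.  Each rule gates a PCRE behind two cheap
# content matches: the literal "unescape" plus a keyword that exploit kits
# habitually name their buffers with ("spray", "shellcode", "payload",
# "block", "agent", "hspt", "retaddr", "retaddress", "return_address"); the
# keyword is the fast_pattern.  The PCRE then requires unescape( to be
# followed by a quoted string that starts with two %XX (byte) or %uXXXX
# (16-bit) escapes, optionally split by a string concatenation,
# i.e. "%u9090" + "%u9090".
# NOTE(review): the keyword is a naming heuristic, not proof of shellcode;
# obfuscated-but-benign scripts that percent-encode strings will also match.
#
# Fix: in sids 26786-26789, 25643, 25636 and 25634 the concatenation group was
# written as (\x22\x27]\s*\x2B\s*[\x22\x27])? - the opening [ was missing, so
# the group could only match the literal text "'] and those rules silently
# covered only the un-concatenated form.  Corrected to ([\x22\x27]...)? to
# match the sibling rules (26790/26791, 25635, 25637-25642) and rev bumped.
# sid:25634's msg also read "encoder shellcode"; aligned with the family.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"spray"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26791; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"shellcode"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26790; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"retaddress"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26789; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"hspt"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26788; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"block"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26787; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"agent"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26786; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"retaddr"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25643; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"hspt"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25642; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"agent"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25641; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"payload"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25640; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"block"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25639; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"retaddress"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25638; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"retaddr"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25637; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"shellcode"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25636; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"return_address"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25635; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"spray"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25634; rev:10;)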
# Raw x86 encoder stubs and heap-spray markers.
# sid:24114 / sid:20990 ("alert ip", any port, no flow): the
# avoid_underscore_tolower and avoid_utf8_tolower decoder prologues differ only
# in the byte after 3C 24 (09 vs 0B); they are matched as opcode bytes with
# within:/distance: constraints, so only a contiguous copy of the stub hits.
# sid:23217 is the same avoid_utf8_tolower stub as it appears through
# JavaScript %u escapes (16-bit little-endian words, nocase).
# sid:23860/23862 (to_client over $FILE_DATA_PORTS) and 23857/23859 (to_server
# SMTP) look inside file_data for eight consecutive 0x0c bytes spelled as
# either "\x0c\x0c..." or "0c0c..." text; 0x0c0c0c0c is a commonly sprayed
# address.  NOTE(review): expect occasional hits on innocuous hex dumps.
# sid:23236 is the alphanumeric upper-case decoder as %u escapes over HTTP.
# sid:21265 / 21258 key on strings used by specific exploit tooling (piecemeal
# AJAX shellcode assembly; heapLib + Oleaut32 + CollectGarbage feng-shui
# grooming) and carry the write-up URL in reference:.
# Because the "alert ip" rules inspect every IP payload, none of these sees
# TLS-encrypted or compressed content.
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic avoid_underscore_tolower encoder"; content:"|6A|"; content:"|6B 3C 24 09 60 03 0C 24 6A|"; within:9; distance:1; content:"|03 0C 24 6A 04|"; within:5; distance:1; classtype:shellcode-detect; sid:24114; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE heapspray characters detected - hexadecimal encoding"; flow:to_client,established; file_data; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:23862; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE heapspray characters detected - ASCII"; flow:to_client,established; file_data; content:"0c0c0c0c0c0c0c0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:23860; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE heapspray characters detected - hexadecimal encoding"; flow:to_server,established; file_data; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:23859; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE heapspray characters detected - ASCII"; flow:to_server,established; file_data; content:"0c0c0c0c0c0c0c0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:23857; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder"; flow:established,to_client; file_data; content:"%u5456%u3358%u5630%u3458%u5041%u4130%u4833%u3048%u3041%u4130%u4142%u4241%u4154%u5141%u4132%u3242%u4242%u4230%u5842%u3850%u4341"; fast_pattern:only; metadata:service http; classtype:shellcode-detect; sid:23236; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic avoid_utf8_tolower javascript encoder"; flow:to_client,established; file_data; content:"%u3c6b%u0b24%u0360%u240c"; nocase; content:"%u0c03%u6a24"; within:12; distance:6; nocase; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:23217; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Piecemeal exploit and shellcode construction"; flow:to_client,established; file_data; content:"xcode-(shellcode.length"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,labs.m86security.com/2012/01/web-hijacks-with-ajax/; classtype:shellcode-detect; sid:21265; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Feng-Shui heap grooming using Oleaut32"; flow:to_client, established; file_data; content:"Oleaut32"; fast_pattern:only; content:"CollectGarbage"; nocase; content:"heapLib"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.phreedom.org/research/heap-feng-shui/; classtype:shellcode-detect; sid:21258; rev:9;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic avoid_utf8_tolower encoder"; content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|"; within:9; distance:1; content:"|03 0C 24 6A 04|"; within:5; distance:1; classtype:shellcode-detect; sid:20990; rev:4;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic single_static_bit encoder"; content:"|80 F9|"; content:"|74|"; within:1; distance:1; content:"|60 83 E9 01 74 06 B3 02 F6 F3 E2|"; within:11; distance:1; content:"|83 E0 01 6B 2F 02 09 E8 AA 61 83 ED FF 83 FD 08 75|"; within:17; distance:1; content:"|83 EF FF 31 ED|"; within:5; distance:1; classtype:shellcode-detect; sid:20989; rev:3;)
# Metasploit Meterpreter.  sids 20185-20199 each anchor on the TLV marker
# |00 01 00 01| followed by an extension prefix (stdapi_fs_, priv_, incognito_,
# sniffer_, ...) in pkt_data, then enumerate that extension's method names in
# a PCRE.  They are declared "tcp any any -> any any" with only
# flow:established, so they fire in either direction and on any port - which
# also means the fast_pattern is run against every established stream.
# NOTE(review): these only see a cleartext transport (e.g. a plain reverse_tcp
# stager); a reverse_https / TLS-wrapped session carries the same TLVs inside
# TLS and will not trigger them, so absence of hits is not evidence of absence.
# A hit is a strong post-exploitation indicator: priv_passwd_get_sam_hashes,
# incognito_impersonate_token, stdapi_ui_*keyscan / desktop_screenshot and
# webcam_* are credential-theft or surveillance actions, and
# priv_fs_*_file_mace is timestamp tampering.
# sid:20184 instead catches the PHP meterpreter stub being uploaded to an HTTP
# server by its "$GLOBALS['msgsock_type'] = $s_type;\neval" prologue.
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_railgun_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_railgun_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_railgun_(memread|memwrite|api_multi|api)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20199; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter networkpug_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|networkpug_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01networkpug_(start|stop)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20198; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter espia_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|espia_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01espia_(video_get_dev_image|audio_get_dev_audio|image_get_dev_screen)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20197; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter lanattacks_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|lanattacks_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01lanattacks_(start_dhcp|reset_dhcp|set_dhcp_option|stop_dhcp|dhcp_log|start_tftp|reset_tftp|add_tftp_file|stop_tftp)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20196; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter priv_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|priv_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01priv_(elevate_getsystem|passwd_get_sam_hashes|fs_get_file_mace|fs_set_file_mace|fs_set_file_mace_from_file|fs_blank_file_mace|fs_blank_directory_mace)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20195; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter sniffer_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|sniffer_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01sniffer_(interfaces|capture_start|capture_stop|capture_stats|capture_dump|capture_dump_read)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20194; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter webcam_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|webcam_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01webcam_(list|start|get_frame|stop|audio_record)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20193; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter incognito_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|incognito_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01incognito_(list_tokens|impersonate_token|add_user|add_group_user|add_localgroup_user|snarf_hashes)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20192; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_net_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_net_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_net_(config_get_interfaces|config_get_routes|config_add_route|config_remove_route|udp_client|tcp_server|tcp_client|socket_tcp_shutdown)/"; metadata:policy max-detect-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20191; rev:7;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_registry_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_registry_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_registry_(load_key|unload_key|open_key|open_remote_key|create_key|delete_key|close_key|enum_key|set_value|query_value|delete_value|query_class|enum_value)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20190; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_ui_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_ui_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_ui_(enable_keyboard|enable_mouse|get_idle_time|desktop_enum|desktop_get|desktop_set|desktop_screenshot|unlock_desktop|start_keyscan|stop_keyscan|get_keys)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20189; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_config_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_config_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_config_(getuid|sysinfo|rev2self|steal_token|drop_token|getprivs)/"; metadata:policy max-detect-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20188; rev:7;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_eventlog_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_eventlog_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_eventlog_(open|numrecords|read|oldest|clear|close)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20187; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_process_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_process_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_process_(thread_open|thread_create|thread_get_threads|image_load|image_get_proc_address|image_unload|image_get_images|memory_allocate|memory_free|memory_read|memory_write|memory_query|memory_protect|memory_lock|memory_unlock|attach|execute|kill|getpid|get_processes|close|wait|get_info|thread_suspend|thread_resume|thread_terminate|thread_query_regs|thread_set_regs|thread_close)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20186; rev:3;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_fs_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_fs_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_fs_(separator|search|file_expand_path|md5|sha1|delete_file|stat|ls|chdir|mkdir|getwd|delete_dir)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20185; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SHELLCODE Metasploit php meterpreter stub .php file upload"; flow:established,to_server; content:"|24|GLOBALS|5B 27|msgsock_type|27 5D| = |24|s_type|3B 0A|eval"; fast_pattern:only; metadata:service http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20184; rev:4;)
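# Metasploit-style x86 encoder/decoder stubs ("alert ip", any port, no flow):
# unicode tolower/mixed/uppercase (19286-19288), non-alpha/non-upper (19285),
# the three context-keyed encoders (19282-19284, keyed on time, stat() or
# cpuid) and the single-byte xor countdown decoder (19281).  These match raw
# opcode bytes or the printable alphanumeric decoder text; sid:19283 uses
# byte_jump to skip a variable-length field after the fnstenv prologue.
# sid:18167 / 18168: generic JavaScript heap-spray pairs (%u9090%u9090,
# %u4141%u4141) matched anywhere in an HTTP response, with no file_data or
# keyword context.  NOTE(review): these are noisy on sites that legitimately
# serve %u-escaped text; they are disabled here and only carry a
# max-detect-ips drop policy.
# Fix: sid:19281 msg typo "countodwn" -> "countdown" (rev bumped).
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode tolower encoder"; content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|"; within:9; distance:1; fast_pattern; content:"|03 0C 24 6A 04|"; within:5; distance:1; content:"|5F 29 39 03 0C 24|"; distance:0; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19288; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed encoder"; content:"YAZBABABABABkMAGB9u4JB"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19287; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode uppercase encoder"; content:"1AYAZBABABABAB30APB944JB"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19286; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic non-alpha/non-upper encoder"; content:"|66 B9 FF FF EB 19 5E 8B FE 83 C7|"; fast_pattern; content:"|8B D7 3B F2 7D 0B B0 7B F2 AE FF|"; within:11; distance:1; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19285; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic time-based context keyed encoder"; content:"|31 DB 8D 43 0D CD 80 66 31 C0|"; fast_pattern; content:"|D9 74 24 F4|"; distance:0; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19284; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic stat-based context keyed encoder"; content:"|D9 EE D9 74 24 F4 5B|"; fast_pattern; byte_jump:1,1,relative; content:"|83 C3 09 8D 53|"; within:5; content:"|31 C0 88 02 8D 4C 24 A8|"; within:8; distance:1; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19283; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic cpuid-based context keyed encoder"; content:"|31 F6 31 FF 89 F8 31 C9 0F A2 31 C6 39 F0 75 03 8D 78 01 31|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19282; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic single-byte xor countdown encoder"; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19281; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Possible generic javascript heap spray attempt"; flow:to_client,established; content:"%u4141%u4141"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; classtype:attempted-user; sid:18168; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Possible generic javascript heap spray attempt"; flow:to_client,established; content:"%u9090%u9090"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; classtype:attempted-user; sid:18167; rev:14;)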
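# JavaScript variable-name indicators (17392/17393: "var shellcode =",
# "var heapspray... =") and a set of classic x86 decoder stubs.
# sids 17322, 17335 and 17323 all key on the fnstenv get-EIP prologue
# D9 EE D9 74 24 F4; sid:17323 is the %u-escaped JavaScript form.
# NOTE(review): %ud9ee%u2474 decodes (little-endian 16-bit) to EE D9 74 24,
# i.e. the stub at an odd byte offset of the escaped stream; the even-aligned
# spelling %ueed9%u74d9%uf424 is not covered by 17323 - confirm before
# relying on it alone.
# sid:17324 is the socketcall prologue (eax=0x66, int 0x80) of a Linux
# reverse-connect stub; sid:17337 appears to walk a PE export table
# (e_lfanew at +3C, export directory at +78, name table at +18/+20).
# Fix: sid:17341's final content was written as "03 0c 24 6a 04" without the
# |..| hex delimiters, so Snort looked for that ASCII text rather than the
# five opcode bytes; corrected to |03 0C 24 6A 04| and rev bumped.  Note the
# corrected stub is the same byte sequence sid:20990 matches with tighter
# within: bounds, so one of the two can be retired.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE JavaScript var heapspray"; flow:to_client,established; file_data; content:" heapspray"; nocase; pcre:"/var\s+heapspray[A-Z\d_\s]*=/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:17393; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE JavaScript var shellcode"; flow:to_client,established; file_data; content:" shellcode"; nocase; pcre:"/var\s+shellcode\s*=/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:17392; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17345; rev:8;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic xor dword decoder"; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|83 EE FC E2 F4|"; distance:4; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17344; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode upper case decoder"; content:"Q|00|A|00|T|00|A|00|X|00|A|00|Z|00|A|00|P|00|U|00|3|00|Q|00|A|00|D|00|A|00|Z|00|A|00|B|00|"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17343; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed case decoder"; content:"j|00|X|00|A|00|Q|00|A|00|D|00|A|00|Z|00|A|00|B|00|A|00|R|00|A|00|L|00|A|00|Y|00|A|00|I|00|A|00|"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17342; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha UTF8 tolower avoidance decoder"; content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|"; distance:1; content:"|03 0C 24 6A 04|"; distance:1; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17341; rev:8;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder"; content:"VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8AC"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17340; rev:8;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 generic OS alpha numeric mixed case decoder"; content:"jAXP0A0AkAAQ2AB2BB0BBABXP8ABu"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17339; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 Microsoft Windows 32-bit SEH get EIP technique"; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17338; rev:8;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 Microsoft Win32 export table enumeration variant"; content:"|8B 6C 24 24 8B 45 3C 8B 7C 05 78 01 EF 8B 4F 18 8B 5F 20 01 EB 49 8B 34 8B|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17337; rev:9;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic call geteip byte xor decoder"; content:"|EB 10|"; content:"|31 C9 66 81 E9|"; distance:1; content:"|E2 FA EB 05 E8 EB FF FF FF|"; distance:5; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17336; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip byte xor decoder"; content:"|D9 E1 D9 34 24|"; content:"|E7 31 C9 66 81 E9|"; distance:6; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17335; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder variant"; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17325; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 Linux reverse connect shellcode"; content:"|31 DB 53 43 53 6A 02 6A 66 58 89 E1 CD 80|"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17324; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder unescaped"; content:"unescape"; content:"%ud9ee%u2474%u"; content:"%uf4e2"; distance:18; classtype:shellcode-detect; sid:17323; rev:3;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder"; content:"|D9 EE D9 74 24 F4|"; content:"|81|"; distance:1; content:"|13|"; distance:1; content:"|83|"; distance:1; content:"|FC E2 F4|"; distance:1; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17322; rev:7;)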
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"INDICATOR-SHELLCODE x86 PoC CVE-2003-0605"; flow:established,to_server; content:"|05 00 06 01 00 00 00 00|11111111111111111111111111111111|00 00 00 00 00 00 00 00|"; fast_pattern:only; reference:cve,2003-0605; classtype:attempted-user; sid:15903; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"INDICATOR-SHELLCODE x86 win2k-2k3 decoder base shellcode"; flow:to_server,established; content:"|C7 0B|GGGG|81|7"; content:"u|F4|"; within:2; distance:4; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,19409; reference:cve,2006-3439; classtype:attempted-user; sid:15902; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Possible generic javascript heap spray attempt"; flow:to_client,established; content:"%u0c0c%u0c0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; classtype:attempted-user; sid:15698; rev:15;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:14986; rev:10;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:12802; rev:10;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"RERERERERERERERERERERERERERERERER"; classtype:shellcode-detect; sid:12801; rev:6;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0ND"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:12800; rev:10;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:12799; rev:10;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:12798; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape unicode encoded shellcode"; flow:to_client,established; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|"; fast_pattern:only; pcre:"/(s\x00p\x00r\x00a\x00y\x00|r\x00e\x00t\x00u\x00r\x00n\x00_\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00c\x00o\x00d\x00e\x00|s\x00h\x00e\x00l\x00l\x00c\x00o\x00d\x00e\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|b\x00l\x00o\x00c\x00k\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00|a\x00g\x00e\x00n\x00t\x00|h\x00s\x00p\x00t\x00)/smi"; pcre:"/u\x00n\x00e\x00s\x00c\x00a\x00p\x00e\x00\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:12630; rev:11;)
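# NOTE(review): the pcre in sid:10505 and sid:10504 originally read
# `(\x22\x27]\s*\x2B\s*[\x22\x27])?` -- the first character class had no opening `[`, so the
# optional group could only match the literal bytes `"']` and the split form
# `unescape("%uXXXX" + "%uXXXX")` it is meant to cover never matched (the unbroken
# `unescape("%uXXXX%uXXXX")` form still did). The `[` is restored below; nothing else in either
# rule is changed and both remain disabled (commented out) as shipped. Upstream rev is left
# untouched so the lines still pair with their vendor rule ids.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"payload"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:10505; rev:14;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"return_address"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:10504; rev:12;)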
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"/shh//bi"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"/shh//bi"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:nessus,15015; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:ruleset community; classtype:shellcode-detect; sid:1394; rev:15;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:1390; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; reference:nessus,10607; classtype:shellcode-detect; sid:1327; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:12;)
# NOTE(review): sid:694 is classtype:attempted-user, while sid:693 on the next line (same content,
# $SQL_SERVERS port 1433) and the sid:692/691 pair below it are classtype:shellcode-detect. The
# mismatch looks unintentional; classtype only drives the alert's classification/priority, not
# whether the content matches, so confirm which class is wanted before enabling.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:attempted-user; sid:694; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:shellcode-detect; sid:693; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:692; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:691; rev:9;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:652; rev:15;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:650; rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:649; rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:648; rev:18;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Oracle sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:647; rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:646; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:645; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:644; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:643; rev:13;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:642; rev:12;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:641; rev:12;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:640; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:639; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:638; rev:11;)
# NOTE(review): sid:30229 here and sid:30227 two lines down use `tcp any any -> any any` with
# `flow:established` and no direction, so they match on every port in both directions. Their
# 48-byte content is identical to sid:30471 and sid:30474 further down, which are
# `ip $EXTERNAL_NET any -> $HOME_NET any`; inbound traffic carrying those bytes will raise both
# alerts. When enabling, consider scoping these to the intended direction or de-duplicating
# against the `ip` variants to avoid double alerts on the same stream.
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt"; flow:established; content:"|FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30229; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt"; flow:established; content:"|0B 01 00 00|"; depth:4; content:"|D9 74 24 F4|"; within:4; distance:7; content:"|C9 B1 3D|"; within:3; distance:2; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30228; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit windows/reverse_tcp stager transfer attempt"; flow:established; content:"|FC E8 86 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30227; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit windows/meterpreter stage transfer attempt"; flow:established; content:"METERPRETER_USERNAME_PROXY"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30226; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE possible /bin/sh shellcode transfer attempt"; flow:established; content:"Rh//shh/bin"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30225; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit shellcode linux/x86/shell_reverse_tcp single stage transfer attempt"; flow:established; content:"|31 DB F7 E3 53 43 53 6A 02 89 E1 B0 66 CD 80 93 59 B0 3F CD 80 49 79 F9 68 C0 A8 1E 01 68 02 00 11 5C 89 E1 B0 66 50 51 53 B3 03 89 E1 CD 80 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 B0 0B CD 80|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30224; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit shellcode linux/x86/shell stage transfer attempt"; flow:established; content:"|89 FB 6A 02 59 6A 3F 58 CD 80 49 79 F8 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30223; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit shellcode linux/x86/meterpreter stage transfer attempt"; flow:established; content:"|6A 04 5A 89 E1 89 FB 6A 03 58 CD 80 57 B8 C0 00 00 00 BB 00 00 04 20 8B 4C 24 04 6A 07 5A 6A 32 5E 31 FF 89 FD 4F CD 80 3D 7F|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30222; rev:1;)
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit linux/x86 reverse_tcp stager transfer attempt"; flow:established; content:"|31 DB F7 E3 53 43 53 6A 02 B0 66 89 E1 CD 80 97 5B 68|"; content:"|89 E1 6A 66 58 50 51 57 89 E1 43 CD 80 B2 07 B9 00 10 00 00 89 E3 C1 EB 0C C1 E3 0C B0 7D CD 80 5B 89 E1 99 B6 0C B0 03 CD 80 FF E1|"; within:44; distance:9; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30221; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_x64_meterpreter_reverse_https"; content:"|FC 48 83 E4 F0 E8 C8 00 00 00 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0|"; fast_pattern:only; classtype:shellcode-detect; sid:30480; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_x64_exec"; content:"|FC 48 83 E4 F0 E8 C0 00 00 00 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0|"; fast_pattern:only; classtype:shellcode-detect; sid:30479; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_speak_pwned"; content:"|66 81 E4 FC FF 31 F6 64 8B 76 30 8B 76 0C 8B 76 1C 56 66 BE AA 1A 5F 8B 6F 08 FF 37 8B 5D 3C 8B 5C 1D 78 01 EB 8B 4B 18 67 E3 EB 8B 7B 20 01 EF|"; fast_pattern:only; classtype:shellcode-detect; sid:30478; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_shell_bind_tcp_xpfw"; content:"|E8 56 00 00 00 53 55 56 57 8B 6C 24 18 8B 45 3C 8B 54 05 78 01 EA 8B 4A 18 8B 5A 20 01 EB E3 32 49 8B 34 8B 01 EE 31 FF FC 31 C0 AC 38 E0 74 07|"; fast_pattern:only; classtype:shellcode-detect; sid:30477; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_meterpreter_reverse_ord_tcp"; content:"|FC 31 DB 64 8B 43 30 8B 40 0C 8B 50 1C 8B 12 8B 72 20 AD AD 4E 03 06 3D 32 33 5F 32 75 EF 8B 6A 08 8B 45 3C 8B 4C 05 78 8B 4C 0D 1C 01 E9 8B 41|"; fast_pattern:only; classtype:shellcode-detect; sid:30476; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_meterpreter_find_tag"; content:"|FC 33 FF 64 8B 47 30 8B 40 0C 8B 58 1C 8B 1B 8B 73 20 AD AD 4E 03 06 3D 32 33 5F 32 75 EF 8B 6B 08 8B 45 3C 8B 4C 05 78 8B 4C 0D 1C 8B 5C 29 3C|"; fast_pattern:only; classtype:shellcode-detect; sid:30475; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_meterpreter_bind_tcp"; content:"|FC E8 86 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57|"; fast_pattern:only; classtype:shellcode-detect; sid:30474; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_meterpreter_bind_nonx_tcp"; content:"|FC 6A EB 47 E8 F9 FF FF FF 60 31 DB 8B 7D 3C 8B 7C 3D 78 01 EF 8B 57 20 01 EA 8B 34 9A 01 EE 31 C0 99 AC C1 CA 0D 01 C2 84 C0 75 F6 43 66 39 CA|"; fast_pattern:only; classtype:shellcode-detect; sid:30473; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_messagebox"; content:"|D9 EB 9B D9 74 24 F4 31 D2 B2 77 31 C9 64 8B 71 30 8B 76 0C 8B 76 1C 8B 46 08 8B 7E 20 8B 36 38 4F 18 75 F3 59 01 D1 FF E1 60 8B 6C 24 24 8B 45|"; fast_pattern:only; classtype:shellcode-detect; sid:30472; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_adduser"; content:"|FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57|"; fast_pattern:only; classtype:shellcode-detect; sid:30471; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_x86_shell_reverse_tcp"; content:"|68 FF D8 FF 3C 6A 65 89 E6 F7 56 04 F6 16 68 0A 07 00 2B 66 68 11 5C 66 6A 02 89 E7 6A 02 31 C0 50 50 6A 02 6A 02 B0 E6 FF D6 6A 10 57 50 31 C0|"; fast_pattern:only; classtype:shellcode-detect; sid:30470; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_x86_shell_find_port"; content:"|31 DB F7 E3 53 89 E7 68 FF D8 FF 3C 6A 65 89 E6 F7 56 04 F6 16 57 B3 91 53 53 54 B7 54 53 50 58 40 50 6A 36 58 FF D6 66|"; fast_pattern:only; classtype:shellcode-detect; sid:30469; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_x86_shell_bind_tcp"; content:"|68 FF D8 FF 3C 6A 65 89 E6 F7 56 04 F6 16 31 C0 50 68 FF 02 11 5C 89 E7 6A 02 50 50 6A 02 6A 02 B0 E6 FF D6 6A 10 57 50 31 C0 B0 E8 FF D6 5B 50|"; fast_pattern:only; classtype:shellcode-detect; sid:30468; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_sparc_shell_reverse_tcp"; content:"|9C 2B A0 07 98 10 20 01 96 1A C0 0B 94 1A C0 0B 92 10 20 02 90 10 20 02 82 10 20 E6 91 D0 20 08 D0 23 BF F8 94 10 20 03 92 10 20 09 94 A2 A0 01|"; fast_pattern:only; classtype:shellcode-detect; sid:30467; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_sparc_shell_find_port"; content:"|9C 2B A0 07 90 1A 80 0A D0 23 BF E8 90 02 20 01 90 0A 2F FF 92 10 20 10 D0 3B BF F8 94 23 A0 04 92 23 A0 18 82 10 20 F3 91 D0 20 08 94 10 20 03|"; fast_pattern:only; classtype:shellcode-detect; sid:30466; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_sparc_shell_bind_tcp"; content:"|9C 2B A0 07 98 10 20 01 96 1A C0 0B 94 1A C0 0B 92 10 20 02 90 10 20 02 82 10 20 E6 91 D0 20 08 D0 23 BF F8 21 00 00 84 A0 14 21 5C E0 23 BF F0|"; fast_pattern:only; classtype:shellcode-detect; sid:30465; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload ruby_shell_reverse_tcp_ssl"; content:"|63 6F 64 65 20 3D 20 25 28 63 6D 56 78 64 57 6C 79 5A 53 41 6E 63 32 39 6A 61 32 56 30 4A 7A 74 79 5A 58 46 31 61 58 4A 6C 49 43 64 76 63 47 56|"; fast_pattern:only; classtype:shellcode-detect; sid:30464; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload ruby_shell_reverse_tcp"; content:"|63 6F 64 65 20 3D 20 25 28 63 6D 56 78 64 57 6C 79 5A 53 41 6E 63 32 39 6A 61 32 56 30 4A 7A 74 6A 50 56 52 44 55 46 4E 76 59 32 74 6C 64 43 35|"; fast_pattern:only; classtype:shellcode-detect; sid:30463; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload ruby_shell_bind_tcp"; content:"|63 6F 64 65 20 3D 20 25 28 63 6D 56 78 64 57 6C 79 5A 53 41 6E 63 32 39 6A 61 32 56 30 4A 7A 74 7A 50 56 52 44 55 46 4E 6C 63 6E 5A 6C 63 69 35|"; fast_pattern:only; classtype:shellcode-detect; sid:30462; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload python_shell_reverse_tcp_ssl"; content:"|65 78 65 63 28 27 61 57 31 77 62 33 4A 30 49 48 4E 76 59 32 74 6C 64 43 78 7A 64 57 4A 77 63 6D 39 6A 5A 58 4E 7A 4C 47 39 7A 4C 48 4E 7A 62 41|"; fast_pattern:only; classtype:shellcode-detect; sid:30461; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload python_meterpreter_bind_tcp"; content:"|69 6D 70 6F 72 74 20 62 61 73 65 36 34 3B 20 65 78 65 63 28 62 61 73 65 36 34 2E 62 36 34 64 65 63 6F 64 65 28 27 61 57 31 77 62 33 4A 30 49 48|"; fast_pattern:only; classtype:shellcode-detect; sid:30460; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_shell_findsock"; content:"|65 72 72 6F 72 5F 72 65 70 6F 72 74 69 6E 67 28 30 29 3B 0A 70 72 69 6E 74 28 22 3C 68 74 6D 6C 3E 3C 62 6F 64 79 3E 22 29 3B 0A 66 6C 75 73 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30459; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_reverse_php"; content:"|20 65 6C 73 65 20 69 66 20 28 73 75 62 73 74 72 28 24 63 2C 30 2C 34 29 20 3D 3D 20 27 71 75 69 74 27 20 7C 7C 20 73 75 62 73 74 72 28 24 63 2C|"; fast_pattern:only; classtype:shellcode-detect; sid:30458; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_reverse_perl"; content:"|62 61 73 65 36 34 5F 64 65 63 6F 64 65 28 27 63 47 56 79 62 43 41 74 54 55 6C 50 49 43 31 6C 49 43 63 6B 63 44 31 6D 62 33 4A 72 4F 32 56 34 61|"; fast_pattern:only; classtype:shellcode-detect; sid:30457; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_meterpreter_reverse_tcp"; content:"|69 66 20 28 21 69 73 73 65 74 28 24 47 4C 4F 42 41 4C 53 5B 27 63 68 61 6E 6E 65 6C 73 27 5D 29 29 20 7B 20 24 47 4C 4F 42 41 4C 53 5B 27 63 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30456; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_meterpreter_bind_tcp"; content:"|23 3C 3F 70 68 70 0A 0A 23 20 54 68 65 20 70 61 79 6C 6F 61 64 20 68 61 6E 64 6C 65 72 20 6F 76 65 72 77 72 69 74 65 73 20 74 68 69 73 20 77 69|"; fast_pattern:only; classtype:shellcode-detect; sid:30455; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_exec"; content:"|24 63 20 3D 20 62 61 73 65 36 34 5F 64 65 63 6F 64 65 28 22 4C 32 4A 70 62 69 39 7A 61 41 3D 3D 22 29 3B 20 40 73 65 74 5F 74 69 6D 65 5F 6C 69|"; fast_pattern:only; classtype:shellcode-detect; sid:30454; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_download_exec"; content:"|20 20 20 20 69 66 20 28 21 66 75 6E 63 74 69 6F 6E 5F 65 78 69 73 74 73 28 27 73 79 73 5F 67 65 74 5F 74 65 6D 70 5F 64 69 72 27 29 29 20 7B 0A|"; fast_pattern:only; classtype:shellcode-detect; sid:30453; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_bind_perl"; content:"|73 79 73 74 65 6D 28 62 61 73 65 36 34 5F 64 65 63 6F 64 65 28 27 63 47 56 79 62 43 41 74 54 55 6C 50 49 43 31 6C 49 43 63 6B 63 44 31 6D 62 33|"; fast_pattern:only; classtype:shellcode-detect; sid:30452; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_vforkshell_reverse_tcp"; content:"|31 C0 99 50 40 50 40 50 52 B0 61 CD 80 72 6D 89 C7 52 52 68 0A 07 00 2B 68 00 02 11 5C 89 E3 6A 10 53 57 52 B0 62 CD 80 72 52 31 DB 83 EB 01 43|"; fast_pattern:only; classtype:shellcode-detect; sid:30451; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_vforkshell_bind_tcp"; content:"|31 C0 99 50 40 50 40 50 52 B0 61 CD 80 0F 82 7E 00 00 00 89 C6 52 52 52 68 00 02 11 5C 89 E3 6A 10 53 56 52 B0 68 CD 80 72 67 52 56 52 B0 6A CD|"; fast_pattern:only; classtype:shellcode-detect; sid:30450; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_shell_find_port"; content:"|50 6A 5A 58 CD 80 FF 4F F0 79 F6 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 54 54 53 50 B0 3B CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30449; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_isight_reverse_tcp"; content:"|31 C0 99 50 40 50 40 50 52 B0 61 CD 80 72 6C 89 C7 52 52 68 0A 07 00 2B 68 00 02 11 5C 89 E3 6A 10 53 57 52 B0 62 CD 80 72 51 89 E5 83 EC 08 31|"; fast_pattern:only; classtype:shellcode-detect; sid:30448; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_isight_bind_tcp"; content:"|31 C0 99 50 40 50 40 50 52 B0 61 CD 80 0F 82 7D 00 00 00 89 C6 52 52 52 68 00 02 11 5C 89 E3 6A 10 53 56 52 B0 68 CD 80 72 66 52 56 52 B0 6A CD|"; fast_pattern:only; classtype:shellcode-detect; sid:30447; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_exec"; content:"|31 C0 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 5B 50 50 53 B0 3B 50 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30446; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_shell_reverse_tcp"; content:"|B8 61 00 00 02 6A 02 5F 6A 01 5E 48 31 D2 0F 05 49 89 C4 48 89 C7 B8 62 00 00 02 48 31 F6 56 48 BE 00 02 11 5C 0A 07 00 2B 56 48 89 E6 6A 10 5A|"; fast_pattern:only; classtype:shellcode-detect; sid:30445; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_shell_find_tag"; content:"|48 31 FF 57 48 89 E6 6A 04 5A 48 8D 4A FE 4D 31 C0 4D 31 C9 48 FF CF 48 FF C7 B8 1D 00 00 02 0F 05 81 3C 24 4E 45 4D 4F 75 ED 48 31 C9 B8 1D 00|"; fast_pattern:only; classtype:shellcode-detect; sid:30444; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_say"; content:"|48 31 C0 B8 3B 00 00 02 E8 14 00 00 00 2F 75 73 72 2F 62 69 6E 2F 73 61 79 00 48 65 6C 6C 6F 21 00 48 8B 3C 24 4C 8D 57 0D 48 31 D2 52 41 52 57|"; fast_pattern:only; classtype:shellcode-detect; sid:30443; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_exec"; content:"|48 31 D2 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 5F 52 57 48 89 E6 48 C7 C0 3B 00 00 02 0F 05|"; fast_pattern:only; classtype:shellcode-detect; sid:30442; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_dupandexecve_reverse_tcp"; content:"|B8 61 00 00 02 6A 02 5F 6A 01 5E 48 31 D2 0F 05 49 89 C5 48 89 C7 B8 62 00 00 02 48 31 F6 56 48 BE 00 02 11 5C 0A 07 00 2B 56 48 89 E6 6A 10 5A|"; fast_pattern:only; classtype:shellcode-detect; sid:30441; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_dupandexecve_bind_tcp"; content:"|B8 61 00 00 02 6A 02 5F 6A 01 5E 48 31 D2 0F 05 48 89 C7 B8 68 00 00 02 48 31 F6 56 BE 00 02 11 5C 56 48 89 E6 6A 10 5A 0F 05 B8 6A 00 00 02 48|"; fast_pattern:only; classtype:shellcode-detect; sid:30440; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_ppc_shell_reverse_tcp"; content:"|38 60 00 02 38 80 00 01 38 A0 00 06 38 00 00 61 44 00 00 02 7C 00 02 78 7C 7E 1B 78 48 00 00 0D 00 02 11 5C 0A 07 00 2B 7C 88 02 A6 38 A0 00 10|"; fast_pattern:only; classtype:shellcode-detect; sid:30439; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_ppc_shell_find_tag"; content:"|3B A0 0F FF 3B C0 0F FF 37 9D F0 02 7F DC F0 51 41 80 FF F0 38 1D F0 67 7F C3 F3 78 38 81 EF F8 38 A0 0F FF 38 DD F0 81 44 FF FF 02 7C C6 32 79|"; fast_pattern:only; classtype:shellcode-detect; sid:30438; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_ppc_shell_bind_tcp"; content:"|38 60 00 02 38 80 00 01 38 A0 00 06 38 00 00 61 44 00 00 02 7C 00 02 78 7C 7E 1B 78 48 00 00 0D 00 02 11 5C 00 00 00 00 7C 88 02 A6 38 A0 00 10|"; fast_pattern:only; classtype:shellcode-detect; sid:30437; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_armle_vibrate"; content:"|20 08 A0 E1 04 F0 1F E5 74 F9 9E 31 44 44 EA 03|"; fast_pattern:only; classtype:shellcode-detect; sid:30436; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_armle_shell_reverse_tcp"; content:"|02 00 A0 E3 01 10 A0 E3 06 20 A0 E3 61 C0 A0 E3 80 00 00 EF 00 A0 A0 E1 01 00 00 EB 00 02 11 5C 0A 07 00 2B 0A 00 A0 E1 0E 10 A0 E1 10 20 A0 E3|"; fast_pattern:only; classtype:shellcode-detect; sid:30435; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_armle_shell_bind_tcp"; content:"|02 00 A0 E3 01 10 A0 E3 06 20 A0 E3 61 C0 A0 E3 80 00 00 EF 00 A0 A0 E1 01 00 00 EB 00 02 11 5C 00 00 00 00 0A 00 A0 E1 0E 10 A0 E1 10 20 A0 E3|"; fast_pattern:only; classtype:shellcode-detect; sid:30434; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload nodejs_shell_bind_tcp"; content:"|20 28 66 75 6E 63 74 69 6F 6E 28 29 7B 20 76 61 72 20 72 65 71 75 69 72 65 20 3D 20 67 6C 6F 62 61 6C 2E 72 65 71 75 69 72 65 20 7C 7C 20 67 6C|"; fast_pattern:only; classtype:shellcode-detect; sid:30433; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload netware_shell_reverse_tcp"; content:"|EB 41 57 51 31 FF 8B 54 BD 00 85 D2 74 24 31 F6 8B 5A 08 8A 03 84 C0 74 0D 43 0F B6 0B C1 CE 0D 01 CE FE C8 EB EF 3B 74 24 0C 74 11 8B 12 85 D2|"; fast_pattern:only; classtype:shellcode-detect; sid:30432; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_reverse_tcp2"; content:"|31 DB 53 43 53 6A 02 6A 66 58 89 E1 CD 80 93 59 B0 3F CD 80 49 79 F9 5B 5A 68 0A 07 00 2B 66 68 11 5C 43 66 53 89 E1 B0 66 50 51 53 89 E1 43 CD|"; fast_pattern:only; classtype:shellcode-detect; sid:30431; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_reverse_tcp"; content:"|31 DB F7 E3 53 43 53 6A 02 89 E1 B0 66 CD 80 93 59 B0 3F CD 80 49 79 F9 68 0A 07 00 2B 68 02 00 11 5C 89 E1 B0 66 50 51 53 B3 03 89 E1 CD 80 52|"; fast_pattern:only; classtype:shellcode-detect; sid:30430; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_find_port"; content:"|75 F1 5B 6A 02 59 B0 3F CD 80 49 79 F9 50 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 53 89 E1 99 B0 0B CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30429; rev:1;)
# --- Metasploit stock payloads, Linux native code (x86, x64, ppc, ppc64, mips, arm) ---
# Every rule in this block is commented out, i.e. shipped disabled; each one has
# to be uncommented individually to take effect.
# Shape: "alert ip $EXTERNAL_NET any -> $HOME_NET any" with one content: match and
# fast_pattern:only, no flow: and no port restriction. Each rule therefore inspects
# any IP protocol on any port, including unestablished or one-way traffic, and
# matches only the literal byte string given.
# The bytes are the opening instructions of the payload as generated with default
# options: the sockaddr constants decode to port 0x115C (4444) and, in the
# reverse_tcp rules, to the address 0A 07 00 2B (10.7.0.43). A payload built with
# other options, or passed through an encoder, does not share these bytes and is
# outside this coverage — treat a hit as an indicator, not proof of compromise,
# and a miss as no evidence of absence.
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_bind_tcp_random_port"; content:"|31 DB F7 E3 B0 66 43 52 53 6A 02 89 E1 CD 80 52 50 89 E1 B0 66 B3 04 CD 80 B0 66 43 CD 80 59 93 6A 3F 58 CD 80 49 79 F8 B0 0B 68 2F 2F 73 68 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30428; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_bind_tcp"; content:"|31 DB F7 E3 53 43 53 6A 02 89 E1 B0 66 CD 80 5B 5E 52 68 02 00 11 5C 6A 10 51 50 89 E1 6A 66 58 CD 80 89 41 04 B3 04 B0 66 CD 80 43 B0 66 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30427; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_bind_ipv6_tcp"; content:"|31 DB 53 43 53 6A 0A 89 E1 6A 66 58 CD 80 96 99 52 52 52 52 52 52 66 68 11 5C 66 68 0A 00 89 E1 6A 1C 51 56 89 E1 43 6A 66 58 CD 80 B0 66 B3 04|"; fast_pattern:only; classtype:shellcode-detect; sid:30426; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_reverse_tcp"; content:"|31 DB F7 E3 53 43 53 6A 02 B0 66 89 E1 CD 80 97 5B 68 0A 07 00 2B 68 02 00 11 5C 89 E1 6A 66 58 50 51 57 89 E1 43 CD 80 B2 07 B9 00 10 00 00 89|"; fast_pattern:only; classtype:shellcode-detect; sid:30425; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_reverse_nonx_tcp"; content:"|31 DB 53 43 53 6A 02 6A 66 58 89 E1 CD 80 97 5B 68 0A 07 00 2B 66 68 11 5C 66 53 89 E1 6A 66 58 50 51 57 89 E1 43 CD 80 5B 99 B6 0C B0 03 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30424; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_reverse_ipv6_tcp"; content:"|31 DB 53 43 53 6A 0A 89 E1 6A 66 58 CD 80 96 99 68 00 00 00 00 68 0A 07 00 2B 68 00 00 5E FE 68 00 00 00 00 68 FE 80 00 00 52 66 68 11 5C 66 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30423; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_find_tag"; content:"|31 DB 53 89 E6 6A 40 B7 0A 53 56 53 89 E1 86 FB 66 FF 01 6A 66 58 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30422; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_bind_tcp"; content:"|6A 7D 58 99 B2 07 B9 00 10 00 00 89 E3 66 81 E3 00 F0 CD 80 31 DB F7 E3 53 43 53 6A 02 89 E1 B0 66 CD 80 5B 5E 52 68 02 00 11 5C 6A 10 51 50 89|"; fast_pattern:only; classtype:shellcode-detect; sid:30421; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_bind_nonx_tcp"; content:"|31 DB 53 43 53 6A 02 6A 66 58 99 89 E1 CD 80 96 43 52 66 68 11 5C 66 53 89 E1 6A 66 58 50 51 56 89 E1 CD 80 B0 66 D1 E3 CD 80 52 52 56 43 89 E1|"; fast_pattern:only; classtype:shellcode-detect; sid:30420; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_bind_ipv6_tcp"; content:"|6A 7D 58 99 B2 07 B9 00 10 00 00 89 E3 66 81 E3 00 F0 CD 80 31 DB F7 E3 11 5C 53 6A 0A 89 E1 B0 66 CD 80 43 52 52 52 52 52 52 68 0A 00 BF BF 89|"; fast_pattern:only; classtype:shellcode-detect; sid:30419; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_exec"; content:"|6A 0B 58 99 52 66 68 2D 63 89 E7 68 2F 73 68 00 68 2F 62 69 6E 89 E3 52 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 57 53 89 E1 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30418; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_chmod"; content:"|99 6A 0F 58 52 E8 0C 00 00 00 2F 65 74 63 2F 73 68 61 64 6F 77 00 5B 68 B6 01 00 00 59 CD 80 6A 01 58 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30417; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_adduser"; content:"|31 C9 89 CB 6A 46 58 CD 80 6A 05 58 31 C9 51 68 73 73 77 64 68 2F 2F 70 61 68 2F 65 74 63 89 E3 41 B5 04 CD 80 93 E8 28 00 00 00 6D 65 74 61 73|"; fast_pattern:only; classtype:shellcode-detect; sid:30416; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_shell_reverse_tcp"; content:"|6A 29 58 99 6A 02 5F 6A 01 5E 0F 05 48 97 48 B9 02 00 11 5C 0A 07 00 2B 51 48 89 E6 6A 10 5A 6A 2A 58 0F 05 6A 03 5E 48 FF CE 6A 21 58 0F 05 75|"; fast_pattern:only; classtype:shellcode-detect; sid:30415; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_shell_find_port"; content:"|48 31 FF 48 31 DB B3 14 48 29 DC 48 8D 14 24 48 8D 74 24 04 6A 34 58 0F 05 48 FF C7 66 81 7E 02|"; fast_pattern:only; classtype:shellcode-detect; sid:30414; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_shell_bind_tcp_random_port"; content:"|48 31 F6 48 F7 E6 FF C6 6A 02 5F B0 29 0F 05 52 5E 50 5F B0 32 0F 05 B0 2B 0F 05 57 5E 48 97 FF CE B0 21 0F 05 75 F8 52 48 BF 2F 2F 62 69 6E 2F|"; fast_pattern:only; classtype:shellcode-detect; sid:30413; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_shell_bind_tcp"; content:"|6A 29 58 99 6A 02 5F 6A 01 5E 0F 05 48 97 52 C7 04 24 02 00 11 5C 48 89 E6 6A 10 5A 6A 31 58 0F 05 6A 32 58 0F 05 48 31 F6 6A 2B 58 0F 05 48 97|"; fast_pattern:only; classtype:shellcode-detect; sid:30412; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_exec"; content:"|6A 3B 58 99 48 BB 2F 62 69 6E 2F 73 68 00 53 48 89 E7 68 2D 63 00 00 48 89 E6 52 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 56 57 48 89 E6 0F 05|"; fast_pattern:only; classtype:shellcode-detect; sid:30411; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_ppc_shell_find_port"; content:"|7F FF FA 78 3B A0 01 FF 97 E1 FF FC 7C 3C 0B 78 3B 7D FE 11 97 61 FF FC 7C 3A 0B 78 97 41 FF FC 97 81 FF FC 97 E1 FF FC 3B FF 01 FF 3B FF FE 02|"; fast_pattern:only; classtype:shellcode-detect; sid:30410; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_ppc_shell_bind_tcp"; content:"|7F FF FA 78 3B A0 01 FF 3B 9D FE 02 3B 7D FE 03 97 E1 FF FC 97 81 FF FC 97 61 FF FC 7C 24 0B 78 38 7D FE 02 38 1D FE 67 44 FF FF 02 7C 7A 1B 78|"; fast_pattern:only; classtype:shellcode-detect; sid:30409; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_ppc64_shell_find_port"; content:"|7F FF FA 78 3B A0 01 FF 97 E1 FF FC 7C 3C 0B 78 3B 7D FE 11 97 61 FF FC 7C 3A 0B 78 FB 41 FF F9 FB 81 FF F9 FB E1 FF F9 3B FF 01 FF 3B FF FE 02|"; fast_pattern:only; classtype:shellcode-detect; sid:30408; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_ppc64_shell_bind_tcp"; content:"|7F FF FA 78 3B A0 01 FF 3B 9D FE 02 3B 7D FE 03 FB E1 FF F9 FB 81 FF F9 FB 61 FF F9 7C 24 0B 78 38 7D FE 02 38 1D FE 67 44 FF FF 02 7C 7A 1B 78|"; fast_pattern:only; classtype:shellcode-detect; sid:30407; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsle_shell_reverse_tcp"; content:"|FA FF 0F 24 27 78 E0 01 FD FF E4 21 FD FF E5 21 FF FF 06 28 57 10 02 24 0C 01 01 01 FF FF A2 AF FF FF A4 8F FD FF 0F 34 27 78 E0 01 E2 FF AF AF|"; fast_pattern:only; classtype:shellcode-detect; sid:30406; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsle_shell_bind_tcp"; content:"|E0 FF BD 27 FD FF 0E 24 27 20 C0 01 27 28 C0 01 FF FF 06 28 57 10 02 24 0C 01 01 01 FF FF 50 30 EF FF 0E 24 27 70 C0 01 11 5C 0D 24 04 68 CD 01|"; fast_pattern:only; classtype:shellcode-detect; sid:30405; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsle_reboot"; content:"|21 43 06 3C DC FE C6 34 12 28 05 3C 69 19 A5 34 E1 FE 04 3C AD DE 84 34 F8 0F 02 24 0C 01 01 01|"; fast_pattern:only; classtype:shellcode-detect; sid:30404; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsbe_shell_reverse_tcp"; content:"|24 0F FF FA 01 E0 78 27 21 E4 FF FD 21 E5 FF FD 28 06 FF FF 24 02 10 57 01 01 01 0C AF A2 FF FF 8F A4 FF FF 34 0F FF FD 01 E0 78 27 AF AF FF E0|"; fast_pattern:only; classtype:shellcode-detect; sid:30403; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsbe_shell_bind_tcp"; content:"|27 BD FF E0 24 0E FF FD 01 C0 20 27 01 C0 28 27 28 06 FF FF 24 02 10 57 01 01 01 0C 30 50 FF FF 24 0E FF EF 01 C0 70 27 24 0D FF FD 01 A0 68 27|"; fast_pattern:only; classtype:shellcode-detect; sid:30402; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_armle_shell_reverse_tcp"; content:"|02 00 A0 E3 01 10 A0 E3 05 20 81 E2 8C 70 A0 E3 8D 70 87 E2 00 00 00 EF 00 60 A0 E1 84 10 8F E2 10 20 A0 E3 8D 70 A0 E3 8E 70 87 E2 00 00 00 EF|"; fast_pattern:only; classtype:shellcode-detect; sid:30401; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_armle_shell_bind_tcp"; content:"|02 00 A0 E3 01 10 A0 E3 06 20 A0 E3 01 70 A0 E3 07 74 A0 E1 19 70 87 E2 00 00 00 EF 00 60 A0 E1 A4 10 8F E2 10 20 A0 E3 01 70 A0 E3 07 74 A0 E1|"; fast_pattern:only; classtype:shellcode-detect; sid:30400; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_armle_exec"; content:"|01 30 8F E2 13 FF 2F E1 78 46 0A 30 01 90 01 A9 92 1A 0B 27 01 DF 2F 62 69 6E 2F 73 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30399; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_armle_adduser"; content:"|05 50 45 E0 01 50 8F E2 15 FF 2F E1 78 46 5C 30 FF 21 FF 31 FF 31 FF 31 45 31 DC 22 C8 32 05 27 01 DF 80 46 41 46 08 1C 79 46 18 31 C0 46 28 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30398; rev:1;)
# --- Metasploit stock payloads, Java / Firefox / command-line form ---
# Same disabled "alert ip ... any -> ... any" shape as the native-code block.
# Here the |..| hex is plain ASCII: each content: is a prefix of the JSP,
# Firefox-XPCOM, shell, Perl, Ruby, Python, Lua, awk, inetd or netcat one-liner
# Metasploit emits with default options. For example sid:30386 decodes to
# "cmd.exe /c net user metasploit Metasploit$1 /ADD", and the netcat, zsh, awk,
# Ruby and openssl rules embed the default listener port "4444" (34 34 34 34).
# Because these are readable text matched on any protocol and any port, the same
# strings appearing in e-mail bodies, chat, documentation or pasted logs will
# alert; scope to the services of interest or add suppressions before enabling.
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload java_shell_reverse_tcp"; content:"|24 00 00 18 00 00 00 6D 65 74 61 73 70 6C 6F 69 74 2F 50 61 79 6C 6F 61 64 2E 63 6C 61 73 73 95 59 09 7C 14 E5 15 7F EF DB 63 66 27 43 12 06 16|"; fast_pattern:only; classtype:shellcode-detect; sid:30397; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload java_jsp_shell_bind_tcp"; content:"|67 65 74 52 75 6E 74 69 6D 65 28 29 2E 65 78 65 63 28 20 22 63 6D 64 2E 65 78 65 22 20 29 3B 0A 20 20 20 20 28 20 6E 65 77 20 53 74 72 65 61 6D|"; fast_pattern:only; classtype:shellcode-detect; sid:30396; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload firefox_shell_bind_tcp"; content:"|73 68 2E 69 6E 69 74 57 69 74 68 50 61 74 68 28 22 43 3A 5C 5C 57 69 6E 64 6F 77 73 5C 5C 53 79 73 74 65 6D 33 32 5C 5C 77 73 63 72 69 70 74 2E|"; fast_pattern:only; classtype:shellcode-detect; sid:30395; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload firefox_exec"; content:"|73 68 2E 69 6E 69 74 57 69 74 68 50 61 74 68 28 22 43 3A 5C 5C 57 69 6E 64 6F 77 73 5C 5C 53 79 73 74 65 6D 33 32 5C 5C 63 6D 64 2E 65 78 65 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30394; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_ruby"; content:"|5C 22 34 34 34 34 5C 22 29 3B 77 68 69 6C 65 28 63 6D 64 3D 63 2E 67 65 74 73 29 3B 49 4F 2E 70 6F 70 65 6E 28 63 6D 64 2C 5C 22 72 5C 22 29 7B|"; fast_pattern:only; classtype:shellcode-detect; sid:30393; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_powershell"; content:"|70 6F 77 65 72 73 68 65 6C 6C 20 2D 77 20 68 69 64 64 65 6E 20 2D 6E 6F 70 20 2D 63 20 66 75 6E 63 74 69 6F 6E 20 52 53 43 7B 69 66 20 28 24 63|"; fast_pattern:only; classtype:shellcode-detect; sid:30392; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_perl"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 22 24 70 3D 66 6F 72 6B 3B 65 78 69 74 2C 69 66 28 24 70 29 3B 24 63 3D 6E 65 77 20 49 4F 3A 3A 53 6F 63|"; fast_pattern:only; classtype:shellcode-detect; sid:30391; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_download_exec_vbs"; content:"|2E 65 78 65 22 2C 32 3A 43 72 65 61 74 65 4F 62 6A 65 63 74 28 22 57 53 63 72 69 70 74 2E 53 68 65 6C 6C 22 29 2E 52 75 6E 20 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30390; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_bind_ruby"; content:"|72 75 62 79 20 2D 72 73 6F 63 6B 65 74 20 2D 65 20 22 73 3D 54 43 50 53 65 72 76 65 72 2E 6E 65 77 28 5C 22 34 34 34 34 5C 22 29 3B 77 68 69 6C|"; fast_pattern:only; classtype:shellcode-detect; sid:30389; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_bind_perl_ipv6"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 22 77 68 69 6C 65 28 24 63 3D 6E 65 77 20 49 4F 3A 3A 53 6F 63 6B 65 74 3A 3A 49 4E 45 54 36 28 4C 6F 63|"; fast_pattern:only; classtype:shellcode-detect; sid:30388; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_bind_perl"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 22 77 68 69 6C 65 28 24 63 3D 6E 65 77 20 49 4F 3A 3A 53 6F 63 6B 65 74 3A 3A 49 4E 45 54 28 4C 6F 63 61|"; fast_pattern:only; classtype:shellcode-detect; sid:30387; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_adduser"; content:"|63 6D 64 2E 65 78 65 20 2F 63 20 6E 65 74 20 75 73 65 72 20 6D 65 74 61 73 70 6C 6F 69 74 20 4D 65 74 61 73 70 6C 6F 69 74 24 31 20 2F 41 44 44|"; fast_pattern:only; classtype:shellcode-detect; sid:30386; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_zsh"; content:"|20 34 34 34 34 3B 77 68 69 6C 65 20 72 65 61 64 20 2D 72 20 63 6D 64 20 3C 26 24 52 45 50 4C 59 3B 64 6F 20 65 76 61 6C 20 24 7B 63 6D 64 7D 20|"; fast_pattern:only; classtype:shellcode-detect; sid:30385; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_ruby_ssl"; content:"|72 75 62 79 20 2D 72 73 6F 63 6B 65 74 20 2D 72 6F 70 65 6E 73 73 6C 20 2D 65 20 27 65 78 69 74 20 69 66 20 66 6F 72 6B 3B 63 3D 4F 70 65 6E 53|"; fast_pattern:only; classtype:shellcode-detect; sid:30384; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_ruby"; content:"|72 75 62 79 20 2D 72 73 6F 63 6B 65 74 20 2D 65 20 27 65 78 69 74 20 69 66 20 66 6F 72 6B 3B 63 3D 54 43 50 53 6F 63 6B 65 74 2E 6E 65 77 28 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30383; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_python"; content:"|70 79 74 68 6F 6E 20 2D 63 20 22 65 78 65 63 28 27 61 57 31 77 62 33 4A 30 49 48 4E 76 59 32 74|"; fast_pattern:only; classtype:shellcode-detect; sid:30382; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_php_ssl"; content:"|6F 29 3B 24 6F 3D 69 6D 70 6C 6F 64 65 28 22 5C 6E 22 2C 24 6F 29 3B 24 6F 2E 3D 22 5C 6E 22 3B 66 70 75 74 73 28 24 73 2C 24 6F 29 3B 7D 27 26|"; fast_pattern:only; classtype:shellcode-detect; sid:30381; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl_ssl"; content:"|70 65 72 6C 20 2D 65 20 27 75 73 65 20 49 4F 3A 3A 53 6F 63 6B 65 74 3A 3A 53 53 4C 3B 24 70 3D 66 6F 72 6B 3B 65 78 69 74 2C 69 66 28 24 70 29|"; fast_pattern:only; classtype:shellcode-detect; sid:30380; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 27 24 70 3D 66 6F 72 6B 3B 65 78 69 74 2C 69 66 28 24 70 29 3B 66 6F 72 65 61 63 68 20 6D 79 20 24 6B 65|"; fast_pattern:only; classtype:shellcode-detect; sid:30379; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_openssl"; content:"|3A 34 34 34 34 7C 77 68 69 6C 65 20 3A 20 3B 20 64 6F 20 73 68 20 26 26 20 62 72 65 61 6B 3B 20 64 6F 6E 65 20 32 3E 26 31 7C 6F 70 65 6E 73 73|"; fast_pattern:only; classtype:shellcode-detect; sid:30378; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_lua"; content:"|6C 75 61 20 2D 65 20 22 6C 6F 63 61 6C 20 73 3D 72 65 71 75 69 72 65 28 27 73 6F 63 6B 65 74 27 29 3B 6C 6F 63 61 6C 20 74 3D 61 73 73 65 72 74|"; fast_pattern:only; classtype:shellcode-detect; sid:30377; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_awk"; content:"|2F 34 34 34 34 22 3B 66 6F 72 28 3B 73 7C 26 67 65 74 6C 69 6E 65 20 63 3B 63 6C 6F 73 65 28 63 29 29 77 68 69 6C 65 28 63 7C 67 65 74 6C 69 6E|"; fast_pattern:only; classtype:shellcode-detect; sid:30376; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse"; content:"|20 34 34 34 34 7C 77 68 69 6C 65 20 3A 20 3B 20 64 6F 20 73 68 20 26 26 20 62 72 65 61 6B 3B 20 64 6F 6E 65 20 32 3E 26 31 7C 74 65 6C 6E 65 74|"; fast_pattern:only; classtype:shellcode-detect; sid:30375; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_zsh"; content:"|7A 6D 6F 64 6C 6F 61 64 20 7A 73 68 2F 6E 65 74 2F 74 63 70 3B 7A 74 63 70 20 2D 6C 20 34 34 34 34 3B 7A 74 63 70 20 2D 61 20 24 52 45 50 4C 59|"; fast_pattern:only; classtype:shellcode-detect; sid:30374; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_ruby"; content:"|72 75 62 79 20 2D 72 73 6F 63 6B 65 74 20 2D 65 20 27 65 78 69 74 20 69 66 20 66 6F 72 6B 3B 73 3D 54 43 50 53 65 72 76 65 72 2E 6E 65 77 28 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30373; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_perl_ipv6"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 27 24 70 3D 66 6F 72 6B 28 29 3B 65 78 69 74 2C 69 66 24 70 3B 24 63 3D 6E 65 77 20 49 4F 3A 3A 53 6F 63|"; fast_pattern:only; classtype:shellcode-detect; sid:30372; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_perl"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 27 24 70 3D 66 6F 72 6B 28 29 3B 65 78 69 74 2C 69 66 24 70 3B 66 6F 72 65 61 63 68 20 6D 79 20 24 6B 65|"; fast_pattern:only; classtype:shellcode-detect; sid:30371; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_nodejs"; content:"|6E 6F 64 65 20 2D 65 20 27 65 76 61 6C 28 22 5C 78 32 30 5C 78 32 38 5C 78 36 36 5C 78 37 35 5C 78 36 65 5C 78 36 33 5C 78 37 34 5C 78 36 39 5C|"; fast_pattern:only; classtype:shellcode-detect; sid:30370; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_netcat_gaping_ipv6"; content:"|6E 63 20 2D 36 20 2D 6C 70 20 34 34 34 34 20 2D 65 20 2F 62 69 6E 2F 73 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30369; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_netcat_gaping"; content:"|6E 63 20 2D 6C 20 2D 70 20 34 34 34 34 20 2D 65 20 2F 62 69 6E 2F 73 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30368; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_netcat"; content:"|20 28 6E 63 20 2D 6C 20 2D 70 20 34 34 34 34 20 7C 7C 6E 63 20 2D 6C 20 34 34 34 34 29 30 3C 2F 74 6D 70 2F|"; fast_pattern:only; classtype:shellcode-detect; sid:30367; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_lua"; content:"|6C 75 61 20 2D 65 20 22 6C 6F 63 61 6C 20 73 3D 72 65 71 75 69 72 65 28 27 73 6F 63 6B 65 74 27 29 3B 6C 6F 63 61 6C 20 73 3D 61 73 73 65 72 74|"; fast_pattern:only; classtype:shellcode-detect; sid:30366; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_inetd"; content:"|20 73 74 72 65 61 6D 20 74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20 2F 62 69 6E 2F 73 68 20 73 68 3E 2F 74 6D 70|"; fast_pattern:only; classtype:shellcode-detect; sid:30365; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_awk"; content:"|61 77 6B 20 27 42 45 47 49 4E 7B 73 3D 22 2F 69 6E 65 74 2F 74 63 70 2F 34 34 34 34 2F 30 2F 30 22 3B 66 6F 72 28 3B 73 7C 26 67 65 74 6C 69 6E|"; fast_pattern:only; classtype:shellcode-detect; sid:30364; rev:1;)
# --- Metasploit stock payloads: BSDi/BSD x86, BSD sparc, Android, AIX ppc ---
# Same disabled, any-protocol, any-port, literal-bytes shape as the Linux block.
# sid:30354 (android_shell_reverse_tcp) is the odd one out: its content ends in
# "50 4B 03 04 14 00 00 00 08 00", a ZIP local-file-header signature, so it
# appears to key on bytes of a specific archive (APK) build rather than on
# machine code. NOTE(review): that makes it the most fragile rule in this
# section — confirm it still matches current payload output before enabling.
# sid:30351 and sid:30350 (aix_ppc find_port / bind_tcp) are identical for their
# first 44 bytes and differ only in the final four; if either pattern is ever
# shortened the two rules collapse into one, so keep them in step.
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsdi_x86_shell_find_port"; content:"|50 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 54 53|"; fast_pattern:only; classtype:shellcode-detect; sid:30363; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_reverse_tcp"; content:"|68 0A 07 00 2B 68 FF 02 11 5C 89 E7 31 C0 50 6A 01 6A 02 6A 10 B0 61 CD 80 57 50 50 6A 62 58 CD 80 50 6A 5A 58 CD 80 FF 4F E8 79 F6 68 2F 2F 73|"; fast_pattern:only; classtype:shellcode-detect; sid:30362; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_reverse_ipv6_tcp"; content:"|31 C0 50 40 50 6A 1C 6A 61 58 50 CD 80 EB 0E 59 6A 1C 51 50 97 6A 62 58 50 CD 80 EB 21 E8 ED FF FF FF 1C 1C 11 5C 00 00 00 00 FE 80 00 00 00 00|"; fast_pattern:only; classtype:shellcode-detect; sid:30361; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_find_port"; content:"|EE 50 6A 5A 58 CD 80 FF 4F F0 79 F6 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 54 53 50 B0 3B CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30360; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_bind_tcp"; content:"|31 C0 50 68 FF 02 11 5C 89 E7 50 6A 01 6A 02 6A 10 B0 61 CD 80 57 50 50 6A 68 58 CD 80 89 47 EC B0 6A CD 80 B0 1E CD 80 50 50 6A 5A 58 CD 80 FF|"; fast_pattern:only; classtype:shellcode-detect; sid:30359; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_bind_ipv6_tcp"; content:"|31 C0 50 40 50 6A 1C 6A 61 58 50 CD 80 89 C3 31 D2 52 52 52 52 52 52 68 1C 1C 11 5C 89 E1 6A 1C 51 50 6A 68 58 50 CD 80 B0 6A CD 80 52 53 B6 10|"; fast_pattern:only; classtype:shellcode-detect; sid:30358; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_exec"; content:"|6A 3B 58 99 52 68 2D 63 00 00 89 E7 52 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 52 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 57 53 89 E1 52 51 53 50 CD|"; fast_pattern:only; classtype:shellcode-detect; sid:30357; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_sparc_shell_reverse_tcp"; content:"|9C 2B A0 07 94 1A C0 0B 92 10 20 01 90 10 20 02 82 10 20 61 91 D0 20 08 D0 23 BF F8 92 10 20 03 92 A2 60 01 82 10 20 5A 91 D0 20 08 12 BF FF FD|"; fast_pattern:only; classtype:shellcode-detect; sid:30356; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_sparc_shell_bind_tcp"; content:"|9C 2B A0 07 94 1A C0 0B 92 10 20 01 90 10 20 02 82 10 20 61 91 D0 20 08 D0 23 BF F8 21 3F C0 80 E0 23 BF F0 C0 23 BF F4 92 23 A0 10 94 10 20 10|"; fast_pattern:only; classtype:shellcode-detect; sid:30355; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload android_shell_reverse_tcp"; content:"|BB F5 F2 DF 82 54 99 5E 7C A7 92 76 3F 1B F0 EF 72 B4 B4 5B 07 FF 7E 8C 7F 19 1D 92 DF 97 F1 2F 93 98 FC 0D EA BF 50 4B 03 04 14 00 00 00 08 00|"; fast_pattern:only; classtype:shellcode-detect; sid:30354; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload aix_ppc_shell_reverse_tcp"; content:"|7C A5 2A 79 40 82 FF FD 7F C8 02 A6 3B DE 01 FF 3B DE FE 25 7F C9 03 A6 4E 80 04 20 FF 02 11 5C 0A 07 00 2B 4C C6 33 42 44 FF FF 02 3B DE FF F8|"; fast_pattern:only; classtype:shellcode-detect; sid:30353; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload aix_ppc_shell_interact"; content:"|7C A5 2A 79 40 82 FF FD 7F E8 02 A6 3B FF 01 20 38 7F FF 08 38 9F FF 10 90 7F FF 10 90 BF FF 14 88 5F FF 0F 98 BF FF 0F 4C C6 33 42 44 FF FF 02|"; fast_pattern:only; classtype:shellcode-detect; sid:30352; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload aix_ppc_shell_find_port"; content:"|7F FF FA 79 40 82 FF FD 7F C8 02 A6 3B DE 01 FF 3B DE FE 1D 7F C9 03 A6 4E 80 04 20 4C C6 33 42 44 FF FF 02 3B DE FF F8 3B A0 07 FF 97 E1 FF FC|"; fast_pattern:only; classtype:shellcode-detect; sid:30351; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload aix_ppc_shell_bind_tcp"; content:"|7F FF FA 79 40 82 FF FD 7F C8 02 A6 3B DE 01 FF 3B DE FE 1D 7F C9 03 A6 4E 80 04 20 4C C6 33 42 44 FF FF 02 3B DE FF F8 3B A0 07 FF 7C A5 2A 78|"; fast_pattern:only; classtype:shellcode-detect; sid:30350; rev:1;)
# --- Heap-spray indicators (all three disabled) ---
# Unlike the payload rules above these are TCP-only, require an established
# session (flow:) and inspect the reassembled file body (file_data) rather than
# raw packet payload.
# sid:33339: the content is the literal ASCII text "0d0d0d0d" — no |..| hex and
# no nocase — so it matches only that exact lowercase spelling inside file data
# served to a client. It is classed attempted-user, while the two percent-encoded
# rules use shellcode-detect. NOTE(review): the classtype inconsistency looks
# deliberate (it flags the spray, not the shellcode); confirm before enabling.
# sid:34019 / sid:34018: "%68%65%61%70%73%70%72%61%79" is the word "heapspray"
# percent-encoded. 34019 covers inbound SMTP to $SMTP_SERVERS:25 (to_server),
# 34018 the client-bound file-data services. Neither matches the plain word.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE heapspray characters detected - ASCII"; flow:to_client,established; file_data; content:"0d0d0d0d"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,sf-freedom.blogspot.com/2006/07/heap-spraying-internet-exploiter.html; classtype:attempted-user; sid:33339; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE percent encoded heapspray detected"; flow:to_server,established; file_data; content:"%68%65%61%70%73%70%72%61%79"; fast_pattern:only; metadata:service smtp; classtype:shellcode-detect; sid:34019; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE percent encoded heapspray detected"; flow:to_client,established; file_data; content:"%68%65%61%70%73%70%72%61%79"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:34018; rev:1;)