#
# Emerging Threats Botnet Command and Control drop rules.
#
# These are generated from the EXCELLENT work done by the Shadowserver team!
#
# http://www.shadowserver.org
#
#
# SIDs are 2410000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2009, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Purpose: 25 rules (sid 2404000-2404024) that raise an alert when a host in $HOME_NET
# sends a packet of any IP protocol, on any port, to one of the listed addresses.
# Every rule has the same options; only the address list, the group number in msg,
# and the sid differ.
#
# Reading notes for whoever deploys or triages these:
#
# * Action is `alert`. As written nothing here blocks traffic, despite "DROP" in the
#   message text. Blocking would need an inline deployment with a blocking action, or
#   the address list pushed to a firewall -- confirm how this ruleset is consumed.
# * Direction is `->` only: packets from $HOME_NET to a listed address match; packets
#   travelling the other way do not.
# * `threshold: type limit, track by_src, seconds 3600, count 1` logs at most one alert
#   per source address per rule per hour. A single alert therefore says nothing about
#   how many connections were made or how many addresses in that group were contacted;
#   use flow or firewall logs to scope an affected host.
# * NOTE(review): newer Snort 2.x releases deprecate the in-rule `threshold` option in
#   favour of a standalone event_filter -- confirm against the engine version in use.
# * The address lists are a point-in-time snapshot (rev:1585; the file header carries a
#   2003-2009 copyright). Addresses get reassigned, so treat a hit as a lead to verify
#   and refresh the list from the upstream feed rather than trusting this copy.
# * NOTE(review): the file header says SIDs are 2410000+, but the rules below use
#   2404000-2404024. Check local sid-msg maps, suppressions and thresholds against the
#   sids actually present here.
# * Each rule sits on one physical line, since a Snort rule may not span lines without
#   a trailing backslash. The msg strings end with a space inside the quotes; that is
#   left unchanged because downstream tooling may match on the exact text.
#

# Group 1 -- sid 2404000
alert ip $HOME_NET any -> [115.146.18.137,116.125.35.40,116.127.121.18,117.106.254.1,118.127.21.62,119.110.82.239,12.31.165.81,12.31.165.82,121.78.52.198,123.164.66.62,123.176.7.35,123.242.183.2,124.217.239.7,125.160.17.71,125.160.17.72,125.206.228.158,128.121.20.113,128.194.112.48,128.237.157.136,128.39.2.28,129.125.101.62,130.237.188.200,130.240.22.201,137.82.84.68,140.135.14.97,140.138.148.205,140.211.166.64,141.213.238.252,145.89.150.59,145.97.193.206,147.32.127.200,147.46.222.80,148.245.157.217,149.9.1.16,151.189.0.165,152.74.52.87,158.36.131.20,158.38.8.251,163.22.73.7,164.77.114.237,173.45.226.241,174.129.231.136,174.132.181.27,174.132.181.28,174.133.157.214,174.133.18.27,174.133.57.54,174.133.94.181,174.137.57.29,174.138.58.102,174.143.240.27,187.17.224.22,188.40.240.42,190.144.79.210,190.208.121.13,190.210.15.141,190.5.6.196,192.116.231.44,192.188.242.12,193.108.43.213] any (msg:"ET DROP Known Bot C&C Server Traffic (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404000; rev:1585;)

# Group 2 -- sid 2404001
alert ip $HOME_NET any -> [193.109.122.77,193.138.229.10,193.138.229.11,193.138.229.18,193.163.220.3,193.19.210.1,193.200.193.4,193.219.61.23,193.27.229.245,193.37.152.18,193.68.150.140,193.71.199.6,194.109.129.220,194.109.129.222,194.109.20.90,194.109.206.106,194.109.206.107,194.109.64.131,194.117.194.78,194.117.246.5,194.124.229.59,194.126.217.2,194.135.22.24,194.146.132.68,194.149.73.154,194.149.73.161,194.149.73.55,194.149.73.80,194.159.164.195,194.159.164.211,194.169.192.229,194.187.213.123,194.19.26.193,194.204.14.151,194.204.19.34,194.25.24.122,194.68.45.50,194.8.194.65,194.9.28.201,195.111.64.195,195.13.58.57,195.140.202.142,195.144.12.5,195.169.138.124,195.18.164.194,195.186.6.186,195.188.16.5,195.189.140.80,195.2.117.33,195.22.174.130,195.222.5.209,195.225.204.134,195.225.204.22,195.228.45.37,195.23.131.68,195.244.8.135,195.244.8.145,195.244.8.146,195.244.8.155,195.244.8.156] any (msg:"ET DROP Known Bot C&C Server Traffic (group 2) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404001; rev:1585;)

# Group 3 -- sid 2404002
alert ip $HOME_NET any -> [195.244.8.165,195.244.8.166,195.244.8.167,195.244.8.168,195.244.8.176,195.244.8.178,195.28.165.201,195.28.165.48,195.40.6.67,195.43.138.206,195.5.111.250,195.50.191.12,195.50.191.14,195.54.159.109,195.68.206.250,195.68.221.221,195.70.51.164,195.8.251.35,195.85.200.10,195.85.200.11,195.85.200.12,195.85.200.13,195.85.200.14,195.85.200.15,195.85.200.16,196.2.17.10,196.34.88.5,196.46.143.88,198.163.216.60,198.247.173.216,198.252.144.2,198.252.195.2,198.3.160.3,200.175.44.161,200.199.223.5,200.27.248.67,200.28.222.214,200.29.0.66,200.35.145.10,200.45.0.67,200.57.64.85,200.83.0.116,200.88.241.226,200.95.144.26,201.159.131.102,201.166.52.202,201.218.128.67,202.0.155.69,202.134.0.13,202.134.0.199,202.138.162.114,202.156.1.18,202.158.3.23,202.169.224.12,202.182.57.54,202.91.34.9,202.91.37.40,203.113.137.164,203.116.95.51,203.128.94.21] any (msg:"ET DROP Known Bot C&C Server Traffic (group 3) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404002; rev:1585;)

# Group 4 -- sid 2404003
alert ip $HOME_NET any -> [203.146.127.52,203.146.215.22,203.146.251.62,203.150.2.225,203.154.27.138,203.158.16.157,203.171.78.52,203.199.253.217,203.211.134.46,203.27.221.42,203.70.60.179,203.94.175.139,203.97.23.182,204.122.31.13,204.15.225.42,204.16.200.180,204.8.223.157,204.8.223.188,204.8.34.130,204.92.73.10,205.134.185.250,205.188.234.121,205.210.145.3,206.126.142.60,206.41.117.195,206.41.117.22,206.41.117.9,206.53.60.129,206.53.60.50,207.114.175.51,207.150.167.55,207.162.194.151,207.179.120.238,207.182.240.68,207.182.240.74,207.192.71.197,207.192.72.43,207.192.72.99,207.192.73.110,207.210.208.16,207.44.152.199,207.44.172.76,207.44.216.9,207.45.69.69,208.100.20.83,208.100.20.90,208.101.58.27,208.11.181.33,208.110.65.135,208.110.69.227,208.110.87.101,208.111.34.13,208.111.35.75,208.118.122.50,208.127.252.72,208.146.35.105,208.146.35.106,208.167.237.120,208.185.80.131,208.185.80.180] any (msg:"ET DROP Known Bot C&C Server Traffic (group 4) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404003; rev:1585;)

# Group 5 -- sid 2404004
alert ip $HOME_NET any -> [208.185.80.72,208.185.80.74,208.185.80.85,208.185.80.87,208.185.81.205,208.185.81.237,208.185.81.243,208.185.82.128,208.185.92.26,208.185.92.31,208.186.16.34,208.27.69.193,208.51.40.10,208.51.40.2,208.53.132.202,208.53.141.187,208.53.146.4,208.53.148.111,208.53.148.250,208.53.148.8,208.53.163.194,208.53.172.67,208.72.157.63,208.86.225.84,208.86.227.45,208.87.96.226,208.89.220.170,208.98.11.131,208.98.11.132,208.98.11.133,208.98.11.134,208.98.11.135,208.98.11.136,208.98.11.137,208.98.11.138,208.98.11.139,208.98.11.140,208.98.11.141,208.98.14.11,208.98.14.19,208.98.22.225,208.98.22.253,208.98.23.140,208.98.23.184,208.98.28.208,208.98.28.209,208.98.28.242,208.98.29.170,208.98.3.16,208.98.31.223,208.98.33.59,208.98.34.139,208.98.34.149,208.98.34.157,208.98.42.113,208.98.42.87,208.98.46.145,208.98.47.28,208.98.47.50,208.98.47.7] any (msg:"ET DROP Known Bot C&C Server Traffic (group 5) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404004; rev:1585;)

# Group 6 -- sid 2404005
alert ip $HOME_NET any -> [208.98.49.44,208.98.54.207,208.98.54.212,208.98.54.213,208.98.57.104,208.98.60.53,208.98.61.29,208.98.61.40,208.98.62.222,208.98.62.228,208.98.9.208,208.99.193.130,208.99.193.134,208.99.199.218,209.11.244.124,209.11.244.82,209.133.11.161,209.133.11.179,209.133.11.185,209.133.11.189,209.133.11.209,209.133.8.83,209.133.8.84,209.133.8.97,209.133.9.43,209.133.9.50,209.133.9.56,209.133.9.66,209.133.9.76,209.133.9.77,209.144.21.66,209.195.87.214,209.20.65.73,209.234.102.231,209.239.112.16,209.239.112.164,209.249.249.126,209.250.225.51,209.31.183.74,209.33.98.58,210.1.199.247,210.112.170.142,210.135.96.98,210.162.89.245,210.166.209.121,210.166.223.51,210.169.184.149,210.175.52.80,210.18.59.30,210.220.188.245,210.221.154.111,210.95.9.243,211.162.77.26,211.179.172.219,211.20.210.173,211.215.19.254,211.233.36.76,211.233.5.206,211.55.138.3,211.68.23.186] any (msg:"ET DROP Known Bot C&C Server Traffic (group 6) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404005; rev:1585;)

# Group 7 -- sid 2404006
alert ip $HOME_NET any -> [211.81.241.17,212.101.123.10,212.101.123.11,212.101.123.12,212.101.123.4,212.101.123.5,212.101.123.6,212.101.123.7,212.101.123.8,212.101.123.9,212.114.18.231,212.114.96.89,212.116.225.118,212.117.163.190,212.117.167.13,212.117.168.128,212.12.121.77,212.175.122.250,212.175.122.251,212.175.141.119,212.175.141.66,212.178.133.174,212.180.41.149,212.182.63.110,212.206.19.183,212.227.105.24,212.24.104.227,212.27.60.46,212.40.5.191,212.59.199.130,212.59.199.131,212.71.19.100,212.71.19.106,212.73.209.227,212.79.239.14,212.79.239.42,212.79.239.46,212.79.239.47,212.79.239.52,212.79.239.54,212.79.239.60,212.79.239.81,212.79.239.99,212.91.161.18,212.95.38.66,212.95.45.25,212.95.46.147,212.95.59.145,212.98.160.166,213.131.156.50,213.131.156.51,213.145.209.132,213.146.63.33,213.149.240.81,213.158.233.60,213.161.196.11,213.17.153.11,213.179.57.50,213.193.228.163,213.202.224.142] any (msg:"ET DROP Known Bot C&C Server Traffic (group 7) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404006; rev:1585;)

# Group 8 -- sid 2404007
alert ip $HOME_NET any -> [213.202.245.12,213.202.247.102,213.202.247.105,213.206.95.11,213.215.31.19,213.219.249.66,213.228.128.112,213.229.128.99,213.232.93.3,213.239.131.28,213.239.210.140,213.247.49.2,213.247.51.21,213.251.173.180,213.48.150.3,213.48.150.5,213.53.107.38,213.60.223.219,213.82.152.172,216.110.190.30,216.128.229.170,216.144.229.107,216.151.169.91,216.152.66.62,216.152.66.65,216.155.143.196,216.167.221.54,216.18.20.147,216.19.178.155,216.19.178.163,216.193.223.223,216.218.163.69,216.245.206.39,216.25.44.119,216.25.44.122,216.25.44.16,216.25.44.2,216.36.247.102,216.38.54.227,216.55.154.12,216.65.38.11,216.8.177.23,216.82.127.45,216.82.127.46,216.82.127.91,216.87.78.181,217.11.227.38,217.145.83.231,217.17.33.10,217.195.117.140,217.26.49.12,217.29.87.254,217.56.249.26,217.67.230.218,217.69.160.134,217.69.165.160,217.75.128.65,217.79.190.131,217.8.243.11,218.10.16.78] any (msg:"ET DROP Known Bot C&C Server Traffic (group 8) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404007; rev:1585;)

# Group 9 -- sid 2404008
alert ip $HOME_NET any -> [218.152.48.227,218.214.33.30,218.44.249.117,218.61.22.10,218.93.205.19,218.93.205.23,218.93.205.24,219.127.89.221,219.166.12.212,219.90.118.136,219.94.145.47,220.130.193.209,220.132.189.48,220.194.57.11,220.87.44.169,221.130.185.22,221.143.48.246,221.214.240.13,221.230.140.209,221.5.74.39,221.5.74.40,222.122.43.42,222.214.216.29,24.102.58.125,24.166.48.221,24.178.173.208,24.240.168.165,24.70.211.23,38.113.2.12,38.99.109.26,58.143.214.246,58.23.111.92,58.251.59.9,59.106.12.140,60.190.63.18,60.199.200.163,60.242.177.155,60.28.11.24,61.120.62.28,61.121.247.163,61.136.69.197,61.195.154.6,61.201.51.238,61.29.60.169,61.64.167.250,61.7.241.69,61.90.201.167,62.128.152.250,62.141.48.112,62.141.49.112,62.181.209.201,62.211.73.230,62.211.73.232,62.215.231.188,62.221.199.131,62.24.64.27,62.45.52.82,62.75.143.63,62.75.243.185,62.90.138.114] any (msg:"ET DROP Known Bot C&C Server Traffic (group 9) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404008; rev:1585;)

# Group 10 -- sid 2404009
alert ip $HOME_NET any -> [63.167.66.151,63.168.242.226,63.168.242.229,63.223.110.193,63.243.153.236,63.243.153.239,63.243.153.243,63.243.153.247,63.245.208.159,63.245.212.23,63.246.154.67,64.113.1.99,64.118.84.105,64.12.165.56,64.124.159.66,64.124.180.114,64.124.180.128,64.125.185.222,64.127.41.211,64.127.41.238,64.127.41.30,64.13.134.60,64.15.77.71,64.150.180.13,64.150.181.198,64.150.183.52,64.150.183.54,64.16.210.102,64.161.255.100,64.18.129.228,64.18.130.101,64.18.131.126,64.18.132.178,64.18.139.82,64.235.252.145,64.237.34.150,64.246.16.149,64.32.10.91,64.32.12.118,64.32.13.136,64.32.13.140,64.32.13.142,64.32.13.143,64.32.13.152,64.32.13.153,64.32.14.171,64.32.14.183,64.32.18.45,64.32.19.10,64.32.2.200,64.32.2.210,64.32.2.214,64.32.2.219,64.32.2.221,64.32.2.228,64.32.20.127,64.32.21.85,64.32.24.190,64.34.161.121,64.34.178.41] any (msg:"ET DROP Known Bot C&C Server Traffic (group 10) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404009; rev:1585;)

# Group 11 -- sid 2404010
alert ip $HOME_NET any -> [64.34.183.88,64.34.183.94,64.34.202.227,64.62.141.92,64.62.190.245,64.62.190.36,64.62.190.73,64.79.217.99,64.85.160.108,64.85.160.252,64.85.160.30,64.85.161.140,64.85.162.207,64.85.163.126,64.85.163.51,64.85.164.73,64.85.165.21,64.85.165.252,64.85.170.44,64.86.133.136,64.86.133.165,64.89.27.36,65.110.41.130,65.110.62.181,65.110.62.93,65.111.168.18,65.19.178.15,65.23.153.98,65.23.155.47,65.23.156.37,65.23.157.127,65.23.159.63,65.41.154.19,65.60.32.58,66.111.35.104,66.111.36.61,66.154.99.150,66.160.135.21,66.160.197.76,66.184.117.12,66.186.60.34,66.196.40.219,66.198.80.67,66.205.65.100,66.207.164.29,66.207.212.113,66.220.1.185,66.220.1.44,66.220.1.59,66.220.9.230,66.225.200.20,66.225.200.30,66.225.200.52,66.225.223.109,66.225.223.112,66.225.223.115,66.225.223.16,66.225.223.38,66.225.223.52,66.225.223.63] any (msg:"ET DROP Known Bot C&C Server Traffic (group 11) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404010; rev:1585;)

# Group 12 -- sid 2404011
alert ip $HOME_NET any -> [66.225.223.70,66.225.223.91,66.225.225.225,66.225.225.66,66.225.231.50,66.234.250.3,66.246.149.4,66.249.128.230,66.249.4.38,66.249.9.224,66.252.1.110,66.252.1.203,66.252.1.210,66.252.10.203,66.252.10.205,66.252.10.213,66.252.10.217,66.252.10.222,66.252.10.230,66.252.10.234,66.252.10.249,66.252.11.15,66.252.11.23,66.252.11.244,66.252.11.248,66.252.11.41,66.252.11.68,66.252.11.69,66.252.11.73,66.252.11.76,66.252.11.9,66.252.12.48,66.252.12.51,66.252.12.53,66.252.12.54,66.252.12.55,66.252.13.131,66.252.13.132,66.252.13.134,66.252.13.178,66.252.13.188,66.252.13.202,66.252.13.212,66.252.13.214,66.252.13.221,66.252.13.224,66.252.13.226,66.252.13.231,66.252.13.238,66.252.13.239,66.252.13.243,66.252.13.250,66.252.13.253,66.252.13.254,66.252.16.151,66.252.19.10,66.252.19.34,66.252.19.40,66.252.19.41,66.252.19.43] any (msg:"ET DROP Known Bot C&C Server Traffic (group 12) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404011; rev:1585;)

# Group 13 -- sid 2404012
alert ip $HOME_NET any -> [66.252.19.57,66.252.19.74,66.252.19.80,66.252.19.86,66.252.21.77,66.252.21.78,66.252.24.167,66.252.24.178,66.252.24.3,66.252.24.47,66.252.24.53,66.252.24.8,66.252.25.126,66.252.27.195,66.252.28.119,66.252.28.120,66.252.28.128,66.252.28.182,66.252.28.201,66.252.28.205,66.252.29.229,66.252.29.33,66.252.30.109,66.252.30.110,66.252.30.122,66.252.30.123,66.252.30.168,66.252.30.200,66.252.30.205,66.252.30.242,66.252.31.208,66.252.31.210,66.252.31.212,66.252.5.101,66.252.5.102,66.252.5.36,66.252.5.43,66.252.5.52,66.252.5.57,66.252.6.57,66.252.7.132,66.252.7.137,66.252.7.148,66.252.7.149,66.252.7.150,66.252.8.10,66.252.8.11,66.252.8.12,66.252.8.13,66.252.8.14,66.252.8.15,66.252.8.16,66.252.8.17,66.252.8.19,66.252.8.2,66.252.8.20,66.252.8.21,66.252.8.22,66.252.8.23,66.252.8.24] any (msg:"ET DROP Known Bot C&C Server Traffic (group 13) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404012; rev:1585;)

# Group 14 -- sid 2404013
alert ip $HOME_NET any -> [66.252.8.25,66.252.8.26,66.252.8.29,66.252.8.3,66.252.8.30,66.252.8.4,66.252.8.5,66.252.8.6,66.252.8.8,66.252.9.10,66.252.9.131,66.252.9.133,66.252.9.140,66.252.9.141,66.252.9.59,66.252.9.61,66.252.9.69,66.45.234.200,66.46.183.34,66.71.252.90,66.79.167.139,66.79.170.102,66.90.105.115,66.90.108.46,66.90.80.2,66.90.82.222,66.90.82.25,66.90.82.8,66.90.84.138,66.90.84.146,66.90.84.147,67.101.75.211,67.115.175.163,67.121.15.194,67.159.17.231,67.159.2.119,67.159.37.246,67.159.55.60,67.161.253.188,67.18.176.176,67.18.208.96,67.19.227.196,67.198.195.194,67.202.106.29,67.202.107.13,67.202.107.94,67.202.67.130,67.202.80.195,67.202.81.97,67.203.69.177,67.21.87.136,67.21.87.138,67.210.234.18,67.212.185.171,67.212.185.172,67.212.185.173,67.212.185.174,67.220.65.248,67.220.66.147,67.220.66.72] any (msg:"ET DROP Known Bot C&C Server Traffic (group 14) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404013; rev:1585;)

# Group 15 -- sid 2404014
alert ip $HOME_NET any -> [67.220.66.83,67.220.66.86,67.220.67.118,67.220.71.84,67.220.71.90,67.220.73.102,67.220.73.107,67.220.74.70,67.220.78.43,67.223.228.31,67.228.162.69,67.228.162.71,67.23.7.58,67.43.164.86,67.43.226.2,67.43.226.242,67.43.226.243,67.43.226.244,67.43.226.245,67.43.226.246,67.43.226.7,67.43.227.10,67.43.230.226,67.43.232.178,67.43.232.34,67.43.232.35,67.43.232.36,67.43.232.37,67.43.232.38,67.43.233.66,67.43.236.66,67.43.236.67,67.43.236.68,67.43.236.69,67.43.236.98,67.43.236.99,67.43.238.213,67.43.238.222,67.43.238.225,67.43.238.253,67.43.238.43,67.79.111.165,67.86.164.128,68.189.58.43,68.75.207.189,68.99.69.14,69.147.228.155,69.147.233.10,69.147.233.143,69.147.233.144,69.147.233.170,69.147.236.18,69.16.172.2,69.162.121.16,69.162.80.43,69.175.13.226,69.175.13.42,69.197.151.219,69.20.226.82,69.20.231.81] any (msg:"ET DROP Known Bot C&C Server Traffic (group 15) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404014; rev:1585;)

# Group 16 -- sid 2404015
alert ip $HOME_NET any -> [69.30.232.148,69.36.111.69,69.39.45.12,69.42.210.47,69.42.210.56,69.42.212.20,69.42.214.59,69.42.215.10,69.42.215.12,69.42.215.14,69.42.215.16,69.42.215.161,69.42.215.20,69.42.215.22,69.42.215.24,69.42.215.4,69.42.215.6,69.42.215.8,69.42.216.219,69.42.217.171,69.42.217.188,69.42.218.3,69.42.219.194,69.42.219.44,69.42.219.53,69.42.219.94,69.42.221.253,69.42.222.17,69.56.173.120,69.56.229.18,69.60.110.195,69.60.123.192,69.61.21.115,69.61.67.149,69.64.35.234,69.64.38.217,69.64.39.194,69.64.39.201,69.64.39.202,69.64.43.197,69.64.49.244,69.64.50.245,69.64.50.61,69.64.53.247,69.64.58.106,69.65.51.27,69.7.104.155,69.90.157.210,69.93.229.206,69.93.9.12,70.34.192.50,70.85.129.195,70.85.129.223,70.85.156.114,70.85.220.98,70.86.153.78,70.86.9.234,70.99.166.219,71.120.69.120,71.6.152.187] any (msg:"ET DROP Known Bot C&C Server Traffic (group 16) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404015; rev:1585;)

# Group 17 -- sid 2404016
alert ip $HOME_NET any -> [71.6.199.68,72.10.172.210,72.10.172.211,72.10.172.212,72.10.172.213,72.10.172.214,72.10.174.153,72.11.129.187,72.11.142.40,72.14.177.106,72.14.182.171,72.20.1.162,72.20.13.57,72.20.13.85,72.20.14.10,72.20.14.197,72.20.14.205,72.20.14.212,72.20.14.220,72.20.14.221,72.20.14.254,72.20.15.131,72.20.15.157,72.20.15.167,72.20.15.189,72.20.15.196,72.20.15.197,72.20.15.208,72.20.15.215,72.20.15.219,72.20.15.229,72.20.15.234,72.20.15.246,72.20.15.252,72.20.17.132,72.20.17.133,72.20.17.136,72.20.17.139,72.20.17.147,72.20.17.149,72.20.17.152,72.20.17.167,72.20.17.168,72.20.17.178,72.20.17.238,72.20.18.161,72.20.18.199,72.20.18.204,72.20.18.218,72.20.2.130,72.20.2.174,72.20.21.117,72.20.21.178,72.20.21.3,72.20.21.35,72.20.21.36,72.20.21.59,72.20.21.96,72.20.23.102,72.20.23.107] any (msg:"ET DROP Known Bot C&C Server Traffic (group 17) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404016; rev:1585;)

# Group 18 -- sid 2404017
alert ip $HOME_NET any -> [72.20.23.113,72.20.23.74,72.20.23.77,72.20.23.92,72.20.24.1,72.20.24.12,72.20.24.14,72.20.24.15,72.20.24.18,72.20.24.21,72.20.24.28,72.20.24.31,72.20.24.32,72.20.24.40,72.20.24.42,72.20.24.44,72.20.24.56,72.20.24.57,72.20.24.9,72.20.25.140,72.20.25.181,72.20.25.194,72.20.25.249,72.20.26.183,72.20.27.113,72.20.27.120,72.20.28.204,72.20.28.211,72.20.28.217,72.20.28.218,72.20.28.226,72.20.28.234,72.20.28.237,72.20.28.238,72.20.28.241,72.20.28.245,72.20.32.19,72.20.35.120,72.20.35.135,72.20.35.183,72.20.35.191,72.20.35.70,72.20.36.57,72.20.37.151,72.20.37.185,72.20.37.189,72.20.38.9,72.20.39.112,72.20.39.118,72.20.40.249,72.20.40.35,72.20.40.36,72.20.40.52,72.20.41.174,72.20.42.116,72.20.42.98,72.20.45.81,72.20.45.82,72.20.45.83,72.20.45.84] any (msg:"ET DROP Known Bot C&C Server Traffic (group 18) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404017; rev:1585;)

# Group 19 -- sid 2404018
alert ip $HOME_NET any -> [72.20.45.85,72.20.45.86,72.20.46.115,72.20.46.133,72.20.46.85,72.20.46.9,72.20.46.98,72.20.48.111,72.20.48.56,72.20.48.95,72.20.50.70,72.20.50.74,72.20.51.121,72.20.51.90,72.20.52.75,72.20.54.120,72.20.54.121,72.20.54.124,72.20.54.67,72.20.54.69,72.20.54.74,72.20.54.90,72.20.54.97,72.20.56.126,72.20.56.24,72.20.56.59,72.20.57.120,72.20.58.13,72.233.106.120,72.233.43.40,72.250.175.12,72.32.146.136,72.36.180.130,72.44.39.110,72.52.115.80,72.64.146.9,72.8.134.254,72.8.156.23,72.8.167.147,72.8.167.149,72.8.167.150,72.8.167.151,72.8.167.153,72.8.167.53,72.8.167.79,72.90.219.110,72.90.73.67,74.196.197.207,74.208.101.128,74.208.66.154,74.213.166.37,74.217.45.85,74.217.45.86,74.3.40.137,74.41.18.106,74.57.208.4,74.63.78.55,74.82.1.95,74.86.38.110,75.102.26.70] any (msg:"ET DROP Known Bot C&C Server Traffic (group 19) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404018; rev:1585;)

# Group 20 -- sid 2404019
alert ip $HOME_NET any -> [75.125.212.250,75.140.129.21,75.150.126.241,75.22.172.193,76.184.242.90,76.191.126.200,76.191.99.14,76.73.31.50,76.74.250.94,76.76.11.208,76.76.6.168,77.104.223.209,77.104.235.49,77.243.235.61,77.59.219.91,77.66.33.10,77.78.112.1,77.91.226.45,77.92.94.9,78.129.140.235,78.129.228.10,78.129.228.23,78.129.228.30,78.129.228.32,78.129.228.39,78.129.228.51,78.129.228.54,78.129.228.7,78.140.23.25,78.154.19.124,78.157.104.207,78.159.108.41,78.159.117.100,78.159.125.24,78.24.188.201,78.32.173.145,78.40.138.14,78.46.50.203,78.86.125.127,79.125.11.206,79.125.12.23,79.132.211.24,79.143.254.153,8.7.233.233,8.7.233.36,8.7.233.44,80.101.63.84,80.126.201.245,80.13.162.101,80.13.218.125,80.154.33.35,80.154.61.188,80.179.146.140,80.184.19.245,80.190.246.162,80.241.173.191,80.246.82.188,80.64.138.34,80.64.140.13,80.68.89.201] any (msg:"ET DROP Known Bot C&C Server Traffic (group 20) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404019; rev:1585;)

# Group 21 -- sid 2404020
alert ip $HOME_NET any -> [80.88.108.18,81.149.127.127,81.167.229.172,81.169.134.201,81.169.136.37,81.169.168.122,81.169.188.116,81.171.46.226,81.173.19.74,81.195.92.94,81.26.211.130,81.29.65.57,81.31.33.35,81.95.6.62,82.114.87.44,82.114.87.46,82.136.2.130,82.138.241.146,82.138.241.208,82.146.51.115,82.146.51.130,82.146.51.178,82.146.51.180,82.146.52.106,82.146.52.135,82.146.52.223,82.146.53.247,82.146.53.30,82.146.54.69,82.146.59.188,82.165.139.95,82.165.154.249,82.165.228.122,82.182.115.167,82.196.213.250,82.207.117.160,82.94.222.186,82.96.75.46,83.136.68.32,83.136.81.183,83.137.41.33,83.138.189.110,83.140.162.126,83.140.172.210,83.140.172.211,83.140.172.212,83.141.130.16,83.142.48.72,83.142.85.10,83.149.112.40,83.149.112.7,83.151.149.100,83.167.180.110,83.170.81.10,83.170.81.4,83.170.81.9,83.176.253.77,83.226.248.189,83.226.249.197,83.227.140.135] any (msg:"ET DROP Known Bot C&C Server Traffic (group 21) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404020; rev:1585;)

# Group 22 -- sid 2404021
alert ip $HOME_NET any -> [83.243.45.143,83.243.46.2,83.68.16.6,83.81.251.171,84.104.66.74,84.11.26.30,84.16.231.52,84.16.234.164,84.16.234.191,84.16.235.194,84.16.245.178,84.16.246.223,84.16.246.247,84.16.246.249,84.20.147.58,84.200.208.182,84.200.225.80,84.200.242.4,84.208.29.17,85.10.141.181,85.113.233.228,85.113.233.229,85.114.129.197,85.131.154.38,85.131.154.56,85.131.154.57,85.131.239.117,85.14.216.215,85.14.216.8,85.153.15.130,85.158.6.104,85.17.139.182,85.17.141.121,85.17.141.52,85.17.141.55,85.17.141.58,85.17.141.59,85.17.141.84,85.17.148.13,85.17.19.170,85.17.207.164,85.17.52.66,85.17.89.10,85.17.91.101,85.196.81.211,85.214.117.33,85.214.121.68,85.214.27.94,85.214.28.154,85.214.36.108,85.214.44.218,85.214.75.67,85.214.97.16,85.234.142.25,85.236.110.226,85.24.148.108,85.24.148.125,85.248.115.251,85.25.10.63,85.25.224.38] any (msg:"ET DROP Known Bot C&C Server Traffic (group 22) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404021; rev:1585;)

# Group 23 -- sid 2404022
alert ip $HOME_NET any -> [85.25.252.111,85.25.3.62,85.30.130.83,85.88.6.197,85.93.9.51,86.104.193.6,86.104.223.179,86.65.39.15,87.106.138.9,87.106.185.145,87.106.243.152,87.106.61.8,87.118.108.117,87.118.123.141,87.118.126.87,87.118.87.98,87.124.86.31,87.126.64.184,87.212.196.80,87.227.96.214,87.235.136.227,87.236.194.126,87.236.194.69,87.98.146.21,87.98.148.102,87.98.178.99,87.98.184.231,87.98.186.203,87.98.243.247,87.98.252.113,87.98.254.30,88.191.21.181,88.191.33.7,88.191.62.238,88.255.120.114,88.80.202.105,88.80.5.41,89.106.244.9,89.108.84.211,89.110.149.23,89.149.200.242,89.149.203.122,89.149.203.123,89.149.203.124,89.149.203.190,89.149.203.191,89.149.203.85,89.149.203.86,89.149.205.230,89.149.210.91,89.149.210.95,89.149.210.96,89.149.250.227,89.185.236.71,89.203.155.3,89.208.34.166,89.221.18.86,89.238.135.223,89.238.64.181,89.238.67.45] any (msg:"ET DROP Known Bot C&C Server Traffic (group 23) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404022; rev:1585;)

# Group 24 -- sid 2404023
alert ip $HOME_NET any -> [89.238.71.31,89.238.71.40,89.248.161.51,89.29.204.132,89.31.96.129,89.46.100.80,89.46.101.75,90.157.175.133,91.121.112.152,91.121.115.74,91.121.120.144,91.121.122.110,91.121.143.15,91.121.147.64,91.121.154.54,91.121.158.84,91.121.159.172,91.121.17.225,91.121.177.78,91.121.180.102,91.121.204.206,91.121.208.180,91.121.233.195,91.121.233.198,91.121.58.120,91.121.59.5,91.121.6.101,91.121.89.104,91.144.136.218,91.149.157.69,91.192.36.142,91.199.167.22,91.206.51.83,91.207.4.98,91.208.40.24,92.237.69.206,92.241.180.65,92.241.190.101,92.241.190.53,92.243.90.211,92.61.33.10,92.62.43.55,93.104.209.40,93.115.7.17,93.173.58.3,93.174.0.37,93.174.0.67,93.174.0.68,93.174.0.70,93.174.0.78,93.186.127.121,93.186.164.245,93.191.152.23,94.125.252.114,94.194.62.30,94.23.211.9,94.23.63.155,94.23.88.149,94.23.93.11,94.249.154.12] any (msg:"ET DROP Known Bot C&C Server Traffic (group 24) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404023; rev:1585;)

# Group 25 -- sid 2404024
alert ip $HOME_NET any -> [94.75.205.140,94.75.216.194,94.75.216.31,94.76.227.17,94.76.244.162,95.154.216.64,96.11.96.125,96.240.52.98,96.28.44.48,96.36.141.132,96.56.198.170,96.56.248.244,97.107.130.165,97.107.132.56,98.143.158.23,98.143.158.24,99.243.231.102] any (msg:"ET DROP Known Bot C&C Server Traffic (group 25) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404024; rev:1585;)