#
# Emerging Threats Botnet Command and Control drop rules. 
#
# These are generated from the EXCELLENT work done by the Shadowserver team and
# the CZ Honeynet project.
#
#  http://www.shadowserver.org
#  http://www.honeynet.cz
#
#
# SID's are 2410000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
#  Copyright (c) 2003-2010, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
alert tcp $HOME_NET any -> [109.74.196.127,109.74.205.10,109.74.205.6,110.44.26.158,112.216.12.244,115.165.178.40,119.110.82.239,12.31.165.81,12.31.165.82,122.183.243.46,122.183.243.48,122.200.71.158,122.49.134.136,124.158.128.129,124.217.247.180,124.217.249.241,124.40.3.92,125.160.17.71,125.160.17.72,128.121.20.113,128.194.112.48,128.237.157.136,128.39.2.28,129.125.101.62,130.237.188.200,130.237.188.216,130.239.18.157,130.240.22.201,139.175.160.252,140.211.166.64,141.213.238.252,145.89.150.59,145.97.193.206,147.32.127.200,148.244.136.106,149.9.1.16,150.101.96.75,151.189.0.165,158.36.131.20,158.38.8.251,163.178.205.7,163.19.14.2,173.212.192.167,173.212.192.55,173.224.209.15,174.120.182.86,174.129.199.66,174.129.231.136,174.129.41.143,174.132.242.67,174.133.173.90,174.133.57.54,174.133.63.91,174.137.55.10,174.138.58.102,174.139.16.131,174.139.16.132,174.139.16.134,174.143.153.165,174.143.170.208] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 1) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404000; rev:1814;)
alert udp $HOME_NET any -> [109.74.196.127,109.74.205.10,109.74.205.6,110.44.26.158,112.216.12.244,115.165.178.40,119.110.82.239,12.31.165.81,12.31.165.82,122.183.243.46,122.183.243.48,122.200.71.158,122.49.134.136,124.158.128.129,124.217.247.180,124.217.249.241,124.40.3.92,125.160.17.71,125.160.17.72,128.121.20.113,128.194.112.48,128.237.157.136,128.39.2.28,129.125.101.62,130.237.188.200,130.237.188.216,130.239.18.157,130.240.22.201,139.175.160.252,140.211.166.64,141.213.238.252,145.89.150.59,145.97.193.206,147.32.127.200,148.244.136.106,149.9.1.16,150.101.96.75,151.189.0.165,158.36.131.20,158.38.8.251,163.178.205.7,163.19.14.2,173.212.192.167,173.212.192.55,173.224.209.15,174.120.182.86,174.129.199.66,174.129.231.136,174.129.41.143,174.132.242.67,174.133.173.90,174.133.57.54,174.133.63.91,174.137.55.10,174.138.58.102,174.139.16.131,174.139.16.132,174.139.16.134,174.143.153.165,174.143.170.208] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404001; rev:1814;)
alert tcp $HOME_NET any -> [174.143.208.107,174.143.215.13,174.34.135.37,174.34.155.107,174.34.173.51,174.34.174.204,174.34.187.36,174.34.187.37,174.34.187.46,188.165.164.16,188.165.33.83,188.165.47.211,188.40.203.15,188.72.200.26,188.72.203.210,188.72.203.211,188.72.203.212,188.72.203.217,188.72.203.218,188.72.203.219,188.72.203.231,188.72.211.171,188.72.212.42,188.72.219.253,190.120.228.216,190.120.238.90,190.183.220.190,190.3.183.12,192.188.242.12,192.219.30.200,193.108.43.213,193.109.122.77,193.136.119.33,193.136.216.101,193.138.215.226,193.138.229.18,193.163.220.3,193.188.71.66,193.19.210.1,193.200.193.4,193.218.154.34,193.27.229.245,193.33.179.4,193.33.186.129,193.68.150.140,193.71.199.6,193.84.182.19,193.85.232.219,194.109.129.220,194.109.129.222,194.109.20.90,194.109.206.106,194.109.206.107,194.109.64.131,194.117.246.5,194.124.229.58,194.124.229.59,194.126.217.2,194.135.22.24,194.14.236.50] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 2) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404002; rev:1814;)
alert udp $HOME_NET any -> [174.143.208.107,174.143.215.13,174.34.135.37,174.34.155.107,174.34.173.51,174.34.174.204,174.34.187.36,174.34.187.37,174.34.187.46,188.165.164.16,188.165.33.83,188.165.47.211,188.40.203.15,188.72.200.26,188.72.203.210,188.72.203.211,188.72.203.212,188.72.203.217,188.72.203.218,188.72.203.219,188.72.203.231,188.72.211.171,188.72.212.42,188.72.219.253,190.120.228.216,190.120.238.90,190.183.220.190,190.3.183.12,192.188.242.12,192.219.30.200,193.108.43.213,193.109.122.77,193.136.119.33,193.136.216.101,193.138.215.226,193.138.229.18,193.163.220.3,193.188.71.66,193.19.210.1,193.200.193.4,193.218.154.34,193.27.229.245,193.33.179.4,193.33.186.129,193.68.150.140,193.71.199.6,193.84.182.19,193.85.232.219,194.109.129.220,194.109.129.222,194.109.20.90,194.109.206.106,194.109.206.107,194.109.64.131,194.117.246.5,194.124.229.58,194.124.229.59,194.126.217.2,194.135.22.24,194.14.236.50] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 2) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404003; rev:1814;)
alert tcp $HOME_NET any -> [194.146.132.68,194.149.73.154,194.149.73.161,194.149.73.55,194.149.73.80,194.151.83.115,194.204.14.151,194.247.192.44,194.68.45.50,194.8.194.65,194.9.28.201,195.13.58.57,195.137.213.67,195.140.202.142,195.144.12.5,195.149.74.67,195.151.175.132,195.169.138.124,195.178.184.75,195.188.16.5,195.19.225.237,195.2.117.33,195.20.204.114,195.208.153.94,195.225.204.21,195.225.204.22,195.225.204.227,195.23.131.68,195.244.8.129,195.244.8.130,195.244.8.131,195.244.8.132,195.244.8.133,195.244.8.134,195.244.8.135,195.244.8.136,195.244.8.137,195.244.8.138,195.244.8.139,195.244.8.140,195.244.8.141,195.244.8.142,195.244.8.143,195.244.8.144,195.244.8.145,195.244.8.146,195.244.8.147,195.244.8.148,195.244.8.149,195.244.8.150,195.244.8.151,195.244.8.152,195.244.8.153,195.244.8.154,195.244.8.155,195.244.8.156,195.244.8.158,195.244.8.160,195.244.8.161,195.244.8.162] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 3) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404004; rev:1814;)
alert udp $HOME_NET any -> [194.146.132.68,194.149.73.154,194.149.73.161,194.149.73.55,194.149.73.80,194.151.83.115,194.204.14.151,194.247.192.44,194.68.45.50,194.8.194.65,194.9.28.201,195.13.58.57,195.137.213.67,195.140.202.142,195.144.12.5,195.149.74.67,195.151.175.132,195.169.138.124,195.178.184.75,195.188.16.5,195.19.225.237,195.2.117.33,195.20.204.114,195.208.153.94,195.225.204.21,195.225.204.22,195.225.204.227,195.23.131.68,195.244.8.129,195.244.8.130,195.244.8.131,195.244.8.132,195.244.8.133,195.244.8.134,195.244.8.135,195.244.8.136,195.244.8.137,195.244.8.138,195.244.8.139,195.244.8.140,195.244.8.141,195.244.8.142,195.244.8.143,195.244.8.144,195.244.8.145,195.244.8.146,195.244.8.147,195.244.8.148,195.244.8.149,195.244.8.150,195.244.8.151,195.244.8.152,195.244.8.153,195.244.8.154,195.244.8.155,195.244.8.156,195.244.8.158,195.244.8.160,195.244.8.161,195.244.8.162] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 3) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404005; rev:1814;)
alert tcp $HOME_NET any -> [195.244.8.163,195.244.8.164,195.244.8.165,195.244.8.166,195.244.8.167,195.244.8.168,195.244.8.170,195.244.8.171,195.244.8.172,195.244.8.173,195.244.8.174,195.244.8.175,195.244.8.176,195.244.8.177,195.244.8.178,195.244.8.179,195.244.8.180,195.244.8.181,195.244.8.182,195.244.8.183,195.244.8.184,195.244.8.185,195.244.8.186,195.244.8.187,195.244.8.188,195.244.8.189,195.244.8.190,195.244.8.191,195.244.9.20,195.28.165.201,195.43.138.206,195.5.110.32,195.50.191.12,195.50.191.14,195.54.159.109,195.54.16.65,195.68.206.250,195.70.51.164,195.8.251.35,195.85.200.10,195.85.200.11,195.85.200.12,195.85.200.13,195.85.200.14,195.85.200.15,195.85.200.16,195.93.153.31,195.93.153.39,195.93.153.46,196.2.17.10,196.21.193.11,196.34.88.5,196.46.143.88,198.163.216.60,198.252.144.2,198.252.195.2,198.3.160.3,199.71.212.153,199.71.212.77,199.71.213.16] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 4) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404006; rev:1814;)
alert udp $HOME_NET any -> [195.244.8.163,195.244.8.164,195.244.8.165,195.244.8.166,195.244.8.167,195.244.8.168,195.244.8.170,195.244.8.171,195.244.8.172,195.244.8.173,195.244.8.174,195.244.8.175,195.244.8.176,195.244.8.177,195.244.8.178,195.244.8.179,195.244.8.180,195.244.8.181,195.244.8.182,195.244.8.183,195.244.8.184,195.244.8.185,195.244.8.186,195.244.8.187,195.244.8.188,195.244.8.189,195.244.8.190,195.244.8.191,195.244.9.20,195.28.165.201,195.43.138.206,195.5.110.32,195.50.191.12,195.50.191.14,195.54.159.109,195.54.16.65,195.68.206.250,195.70.51.164,195.8.251.35,195.85.200.10,195.85.200.11,195.85.200.12,195.85.200.13,195.85.200.14,195.85.200.15,195.85.200.16,195.93.153.31,195.93.153.39,195.93.153.46,196.2.17.10,196.21.193.11,196.34.88.5,196.46.143.88,198.163.216.60,198.252.144.2,198.252.195.2,198.3.160.3,199.71.212.153,199.71.212.77,199.71.213.16] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 4) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404007; rev:1814;)
alert tcp $HOME_NET any -> [200.108.199.16,200.174.131.226,200.175.44.161,200.198.144.35,200.209.9.155,200.23.149.144,200.29.0.66,200.30.73.220,200.35.147.227,200.35.150.156,200.38.236.3,200.42.96.36,200.45.0.67,200.62.17.197,200.73.6.154,200.83.0.116,201.116.64.5,201.218.128.67,201.238.195.158,202.156.1.18,202.158.3.23,202.169.224.12,202.216.136.130,202.222.18.88,202.229.187.118,202.65.113.227,202.67.15.173,202.91.34.9,202.91.37.40,203.113.137.164,203.116.63.82,203.116.63.89,203.142.1.80,203.146.127.52,203.148.85.2,203.150.2.225,203.171.240.78,203.211.134.46,203.228.244.187,203.23.209.180,203.26.195.2,203.26.195.6,203.27.221.42,203.70.60.179,203.86.84.215,203.94.175.139,203.94.228.49,203.97.23.182,204.12.217.186,204.152.222.95,204.16.200.180,204.188.201.150,204.45.13.154,204.8.223.157,204.8.223.188,204.8.34.130,205.134.185.250,205.188.234.121,205.209.143.21,205.210.145.2] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 5) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404008; rev:1814;)
alert udp $HOME_NET any -> [200.108.199.16,200.174.131.226,200.175.44.161,200.198.144.35,200.209.9.155,200.23.149.144,200.29.0.66,200.30.73.220,200.35.147.227,200.35.150.156,200.38.236.3,200.42.96.36,200.45.0.67,200.62.17.197,200.73.6.154,200.83.0.116,201.116.64.5,201.218.128.67,201.238.195.158,202.156.1.18,202.158.3.23,202.169.224.12,202.216.136.130,202.222.18.88,202.229.187.118,202.65.113.227,202.67.15.173,202.91.34.9,202.91.37.40,203.113.137.164,203.116.63.82,203.116.63.89,203.142.1.80,203.146.127.52,203.148.85.2,203.150.2.225,203.171.240.78,203.211.134.46,203.228.244.187,203.23.209.180,203.26.195.2,203.26.195.6,203.27.221.42,203.70.60.179,203.86.84.215,203.94.175.139,203.94.228.49,203.97.23.182,204.12.217.186,204.152.222.95,204.16.200.180,204.188.201.150,204.45.13.154,204.8.223.157,204.8.223.188,204.8.34.130,205.134.185.250,205.188.234.121,205.209.143.21,205.210.145.2] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 5) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404009; rev:1814;)
alert tcp $HOME_NET any -> [205.210.145.3,205.234.232.212,206.125.175.82,206.126.142.60,206.212.249.20,206.217.196.163,206.217.201.56,206.217.203.217,206.40.205.124,206.41.116.100,206.41.117.15,206.41.117.22,206.41.117.23,206.41.117.68,206.41.117.9,206.53.60.129,206.53.60.49,206.53.60.50,206.53.60.53,206.53.60.70,206.59.139.195,207.114.175.51,207.126.115.205,207.126.115.219,207.145.6.5,207.150.167.55,207.182.240.68,207.192.72.43,207.192.72.99,207.210.208.16,207.218.230.154,207.44.138.203,207.44.152.199,207.44.180.227,207.44.212.40,207.45.69.69,208.100.11.120,208.100.20.83,208.100.20.90,208.100.23.100,208.106.56.190,208.110.65.135,208.111.34.13,208.111.35.75,208.115.36.180,208.146.35.105,208.146.35.106,208.167.236.6,208.167.237.120,208.185.80.247,208.185.80.72,208.185.80.73,208.185.80.74,208.185.80.85,208.185.80.87,208.185.81.205,208.185.81.207,208.185.81.233,208.185.92.26,208.185.92.31] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 6) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404010; rev:1814;)
alert udp $HOME_NET any -> [205.210.145.3,205.234.232.212,206.125.175.82,206.126.142.60,206.212.249.20,206.217.196.163,206.217.201.56,206.217.203.217,206.40.205.124,206.41.116.100,206.41.117.15,206.41.117.22,206.41.117.23,206.41.117.68,206.41.117.9,206.53.60.129,206.53.60.49,206.53.60.50,206.53.60.53,206.53.60.70,206.59.139.195,207.114.175.51,207.126.115.205,207.126.115.219,207.145.6.5,207.150.167.55,207.182.240.68,207.192.72.43,207.192.72.99,207.210.208.16,207.218.230.154,207.44.138.203,207.44.152.199,207.44.180.227,207.44.212.40,207.45.69.69,208.100.11.120,208.100.20.83,208.100.20.90,208.100.23.100,208.106.56.190,208.110.65.135,208.111.34.13,208.111.35.75,208.115.36.180,208.146.35.105,208.146.35.106,208.167.236.6,208.167.237.120,208.185.80.247,208.185.80.72,208.185.80.73,208.185.80.74,208.185.80.85,208.185.80.87,208.185.81.205,208.185.81.207,208.185.81.233,208.185.92.26,208.185.92.31] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 6) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404011; rev:1814;)
alert tcp $HOME_NET any -> [208.27.69.193,208.49.56.226,208.51.40.10,208.51.40.12,208.51.40.13,208.51.40.14,208.51.40.2,208.53.148.111,208.53.148.8,208.53.163.194,208.53.169.245,208.53.169.246,208.53.172.67,208.53.175.92,208.53.181.86,208.53.183.106,208.67.249.244,208.68.18.181,208.68.94.113,208.68.94.12,208.68.94.62,208.72.157.63,208.77.191.41,208.78.96.118,208.78.96.166,208.78.98.214,208.83.221.58,208.98.1.24,208.98.11.131,208.98.11.132,208.98.11.133,208.98.11.135,208.98.11.136,208.98.11.137,208.98.11.138,208.98.11.139,208.98.11.140,208.98.11.141,208.98.11.144,208.98.11.148,208.98.11.150,208.98.11.152,208.98.22.108,208.98.22.243,208.98.22.253,208.98.22.97,208.98.26.133,208.98.26.134,208.98.26.140,208.98.28.203,208.98.28.208,208.98.28.209,208.98.3.12,208.98.3.15,208.98.30.250,208.98.31.223,208.98.34.138,208.98.34.153,208.98.36.235,208.98.36.239] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 7) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404012; rev:1814;)
alert udp $HOME_NET any -> [208.27.69.193,208.49.56.226,208.51.40.10,208.51.40.12,208.51.40.13,208.51.40.14,208.51.40.2,208.53.148.111,208.53.148.8,208.53.163.194,208.53.169.245,208.53.169.246,208.53.172.67,208.53.175.92,208.53.181.86,208.53.183.106,208.67.249.244,208.68.18.181,208.68.94.113,208.68.94.12,208.68.94.62,208.72.157.63,208.77.191.41,208.78.96.118,208.78.96.166,208.78.98.214,208.83.221.58,208.98.1.24,208.98.11.131,208.98.11.132,208.98.11.133,208.98.11.135,208.98.11.136,208.98.11.137,208.98.11.138,208.98.11.139,208.98.11.140,208.98.11.141,208.98.11.144,208.98.11.148,208.98.11.150,208.98.11.152,208.98.22.108,208.98.22.243,208.98.22.253,208.98.22.97,208.98.26.133,208.98.26.134,208.98.26.140,208.98.28.203,208.98.28.208,208.98.28.209,208.98.3.12,208.98.3.15,208.98.30.250,208.98.31.223,208.98.34.138,208.98.34.153,208.98.36.235,208.98.36.239] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 7) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404013; rev:1814;)
alert tcp $HOME_NET any -> [208.98.37.199,208.98.37.200,208.98.49.44,208.98.51.10,208.98.51.121,208.98.51.123,208.98.51.20,208.98.54.207,208.98.54.210,208.98.58.134,208.98.61.29,208.98.61.38,208.98.61.40,208.98.61.78,208.98.62.222,208.98.62.245,208.98.9.100,208.98.9.203,208.98.9.208,208.98.9.210,208.99.193.130,208.99.193.134,208.99.199.218,208.99.88.251,208.99.89.231,209.11.244.124,209.11.244.82,209.133.11.157,209.133.11.179,209.133.11.184,209.133.11.197,209.133.11.209,209.133.11.212,209.133.8.83,209.133.8.84,209.133.8.97,209.133.9.43,209.133.9.56,209.133.9.66,209.133.9.76,209.144.21.66,209.160.20.95,209.17.171.77,209.17.191.222,209.20.75.209,209.20.76.155,209.234.102.231,209.249.249.126,209.251.184.237,209.33.98.58,209.40.201.56,209.66.100.34,209.9.228.99,210.135.96.98,210.162.89.245,210.166.220.222,210.166.223.51,210.18.59.30,210.196.166.233,210.212.214.48] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 8) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404014; rev:1814;)
alert udp $HOME_NET any -> [208.98.37.199,208.98.37.200,208.98.49.44,208.98.51.10,208.98.51.121,208.98.51.123,208.98.51.20,208.98.54.207,208.98.54.210,208.98.58.134,208.98.61.29,208.98.61.38,208.98.61.40,208.98.61.78,208.98.62.222,208.98.62.245,208.98.9.100,208.98.9.203,208.98.9.208,208.98.9.210,208.99.193.130,208.99.193.134,208.99.199.218,208.99.88.251,208.99.89.231,209.11.244.124,209.11.244.82,209.133.11.157,209.133.11.179,209.133.11.184,209.133.11.197,209.133.11.209,209.133.11.212,209.133.8.83,209.133.8.84,209.133.8.97,209.133.9.43,209.133.9.56,209.133.9.66,209.133.9.76,209.144.21.66,209.160.20.95,209.17.171.77,209.17.191.222,209.20.75.209,209.20.76.155,209.234.102.231,209.249.249.126,209.251.184.237,209.33.98.58,209.40.201.56,209.66.100.34,209.9.228.99,210.135.96.98,210.162.89.245,210.166.220.222,210.166.223.51,210.18.59.30,210.196.166.233,210.212.214.48] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 8) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404015; rev:1814;)
alert tcp $HOME_NET any -> [211.215.19.248,212.101.125.10,212.101.125.11,212.101.125.12,212.101.125.4,212.101.125.5,212.101.125.6,212.101.125.7,212.101.125.8,212.101.125.9,212.110.128.80,212.117.163.190,212.117.164.63,212.117.179.188,212.13.194.124,212.150.184.227,212.150.184.228,212.174.140.58,212.175.122.118,212.175.158.58,212.181.140.107,212.182.63.110,212.227.105.24,212.24.104.227,212.27.60.46,212.29.7.194,212.34.134.31,212.34.146.231,212.40.5.191,212.43.199.36,212.48.121.72,212.54.2.171,212.59.199.130,212.59.199.131,212.62.248.142,212.71.19.100,212.71.19.106,212.73.209.227,212.79.239.14,212.79.239.54,212.79.239.60,212.89.6.7,212.9.74.97,212.91.161.18,212.95.38.67,212.95.46.147,212.98.160.166,213.131.156.50,213.131.156.51,213.145.209.132,213.149.231.9,213.161.196.11,213.17.153.11,213.171.57.168,213.173.80.8,213.186.45.45,213.202.224.142,213.202.245.12,213.202.247.102,213.202.247.105] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 9) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404016; rev:1814;)
alert udp $HOME_NET any -> [211.215.19.248,212.101.125.10,212.101.125.11,212.101.125.12,212.101.125.4,212.101.125.5,212.101.125.6,212.101.125.7,212.101.125.8,212.101.125.9,212.110.128.80,212.117.163.190,212.117.164.63,212.117.179.188,212.13.194.124,212.150.184.227,212.150.184.228,212.174.140.58,212.175.122.118,212.175.158.58,212.181.140.107,212.182.63.110,212.227.105.24,212.24.104.227,212.27.60.46,212.29.7.194,212.34.134.31,212.34.146.231,212.40.5.191,212.43.199.36,212.48.121.72,212.54.2.171,212.59.199.130,212.59.199.131,212.62.248.142,212.71.19.100,212.71.19.106,212.73.209.227,212.79.239.14,212.79.239.54,212.79.239.60,212.89.6.7,212.9.74.97,212.91.161.18,212.95.38.67,212.95.46.147,212.98.160.166,213.131.156.50,213.131.156.51,213.145.209.132,213.149.231.9,213.161.196.11,213.17.153.11,213.171.57.168,213.173.80.8,213.186.45.45,213.202.224.142,213.202.245.12,213.202.247.102,213.202.247.105] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 9) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404017; rev:1814;)
alert tcp $HOME_NET any -> [213.206.95.11,213.208.244.195,213.215.31.19,213.228.128.112,213.229.82.141,213.229.82.143,213.232.93.3,213.239.131.28,213.248.60.142,213.251.173.180,213.251.185.27,213.48.150.3,213.48.150.5,213.53.107.38,213.73.255.147,216.151.169.176,216.152.78.163,216.152.78.164,216.152.78.165,216.152.78.166,216.152.78.167,216.16.120.99,216.167.221.54,216.18.20.147,216.18.227.250,216.18.228.174,216.18.228.34,216.18.228.38,216.19.178.155,216.193.223.223,216.206.108.79,216.218.163.69,216.218.235.243,216.246.35.173,216.246.35.174,216.25.44.118,216.25.44.119,216.25.44.121,216.25.44.122,216.25.44.16,216.25.44.2,216.25.44.3,216.25.44.9,216.71.225.62,216.75.53.150,216.8.177.23,216.82.127.45,216.82.127.46,216.82.127.91,216.87.78.181,217.11.227.38,217.11.53.165,217.125.126.31,217.146.74.25,217.146.84.157,217.17.33.10,217.172.33.20,217.174.199.222,217.18.70.70,217.195.122.131] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 10) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404018; rev:1814;)
alert udp $HOME_NET any -> [213.206.95.11,213.208.244.195,213.215.31.19,213.228.128.112,213.229.82.141,213.229.82.143,213.232.93.3,213.239.131.28,213.248.60.142,213.251.173.180,213.251.185.27,213.48.150.3,213.48.150.5,213.53.107.38,213.73.255.147,216.151.169.176,216.152.78.163,216.152.78.164,216.152.78.165,216.152.78.166,216.152.78.167,216.16.120.99,216.167.221.54,216.18.20.147,216.18.227.250,216.18.228.174,216.18.228.34,216.18.228.38,216.19.178.155,216.193.223.223,216.206.108.79,216.218.163.69,216.218.235.243,216.246.35.173,216.246.35.174,216.25.44.118,216.25.44.119,216.25.44.121,216.25.44.122,216.25.44.16,216.25.44.2,216.25.44.3,216.25.44.9,216.71.225.62,216.75.53.150,216.8.177.23,216.82.127.45,216.82.127.46,216.82.127.91,216.87.78.181,217.11.227.38,217.11.53.165,217.125.126.31,217.146.74.25,217.146.84.157,217.17.33.10,217.172.33.20,217.174.199.222,217.18.70.70,217.195.122.131] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 10) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404019; rev:1814;)
alert tcp $HOME_NET any -> [217.195.203.78,217.219.230.85,217.23.14.177,217.23.3.91,217.23.4.160,217.29.87.254,217.41.54.219,217.65.2.158,217.67.230.218,217.69.165.160,217.70.190.18,217.75.128.2,217.75.128.65,218.201.201.6,218.36.192.8,218.44.249.117,218.61.22.10,218.93.201.51,219.166.12.212,219.240.37.186,219.90.118.136,220.125.208.12,220.194.57.11,220.198.235.212,221.6.6.232,24.166.48.221,24.172.204.242,24.240.168.165,38.229.70.20,38.99.109.26,58.23.111.92,58.68.93.166,59.106.12.140,59.162.218.169,60.199.200.163,61.121.247.163,61.7.241.69,62.109.15.169,62.133.211.174,62.141.48.112,62.141.49.112,62.181.209.201,62.181.89.111,62.181.89.18,62.193.242.95,62.193.248.158,62.211.73.230,62.211.73.232,62.24.64.27,62.75.143.63,62.75.202.25,62.75.243.185,63.168.242.229,63.245.208.159,63.245.212.23,64.113.1.99,64.12.165.56,64.120.14.52,64.120.25.171,64.120.55.184] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 11) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404020; rev:1814;)
alert udp $HOME_NET any -> [217.195.203.78,217.219.230.85,217.23.14.177,217.23.3.91,217.23.4.160,217.29.87.254,217.41.54.219,217.65.2.158,217.67.230.218,217.69.165.160,217.70.190.18,217.75.128.2,217.75.128.65,218.201.201.6,218.36.192.8,218.44.249.117,218.61.22.10,218.93.201.51,219.166.12.212,219.240.37.186,219.90.118.136,220.125.208.12,220.194.57.11,220.198.235.212,221.6.6.232,24.166.48.221,24.172.204.242,24.240.168.165,38.229.70.20,38.99.109.26,58.23.111.92,58.68.93.166,59.106.12.140,59.162.218.169,60.199.200.163,61.121.247.163,61.7.241.69,62.109.15.169,62.133.211.174,62.141.48.112,62.141.49.112,62.181.209.201,62.181.89.111,62.181.89.18,62.193.242.95,62.193.248.158,62.211.73.230,62.211.73.232,62.24.64.27,62.75.143.63,62.75.202.25,62.75.243.185,63.168.242.229,63.245.208.159,63.245.212.23,64.113.1.99,64.12.165.56,64.120.14.52,64.120.25.171,64.120.55.184] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 11) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404021; rev:1814;)
alert tcp $HOME_NET any -> [64.122.31.116,64.124.180.114,64.125.185.222,64.127.102.249,64.141.8.30,64.15.77.71,64.150.180.13,64.150.181.198,64.150.183.52,64.150.183.53,64.150.183.54,64.16.210.102,64.18.129.232,64.18.129.247,64.18.134.201,64.18.139.82,64.18.139.84,64.186.152.116,64.199.29.35,64.210.146.2,64.235.252.145,64.236.64.132,64.246.20.126,64.32.1.33,64.32.10.120,64.32.10.70,64.32.10.79,64.32.10.80,64.32.10.97,64.32.11.149,64.32.11.180,64.32.11.181,64.32.12.118,64.32.12.184,64.32.12.203,64.32.13.130,64.32.13.131,64.32.13.135,64.32.13.136,64.32.13.137,64.32.13.143,64.32.13.144,64.32.13.163,64.32.13.170,64.32.13.171,64.32.14.171,64.32.14.185,64.32.18.45,64.32.19.10,64.32.19.46,64.32.19.55,64.32.19.58,64.32.19.89,64.32.2.200,64.32.2.213,64.32.20.127,64.32.20.166,64.32.27.135,64.32.27.146,64.34.161.121] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 12) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404022; rev:1814;)
alert udp $HOME_NET any -> [64.122.31.116,64.124.180.114,64.125.185.222,64.127.102.249,64.141.8.30,64.15.77.71,64.150.180.13,64.150.181.198,64.150.183.52,64.150.183.53,64.150.183.54,64.16.210.102,64.18.129.232,64.18.129.247,64.18.134.201,64.18.139.82,64.18.139.84,64.186.152.116,64.199.29.35,64.210.146.2,64.235.252.145,64.236.64.132,64.246.20.126,64.32.1.33,64.32.10.120,64.32.10.70,64.32.10.79,64.32.10.80,64.32.10.97,64.32.11.149,64.32.11.180,64.32.11.181,64.32.12.118,64.32.12.184,64.32.12.203,64.32.13.130,64.32.13.131,64.32.13.135,64.32.13.136,64.32.13.137,64.32.13.143,64.32.13.144,64.32.13.163,64.32.13.170,64.32.13.171,64.32.14.171,64.32.14.185,64.32.18.45,64.32.19.10,64.32.19.46,64.32.19.55,64.32.19.58,64.32.19.89,64.32.2.200,64.32.2.213,64.32.20.127,64.32.20.166,64.32.27.135,64.32.27.146,64.34.161.121] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 12) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404023; rev:1814;)
alert tcp $HOME_NET any -> [64.34.174.189,64.62.134.30,64.62.190.245,64.62.190.36,64.62.190.73,64.79.194.120,64.79.196.195,64.85.160.108,64.85.160.30,64.85.162.200,64.85.162.206,64.85.163.113,64.85.163.126,64.85.163.127,64.85.164.73,64.85.165.21,64.85.172.197,65.110.41.130,65.110.62.93,65.111.172.48,65.19.178.15,65.23.153.98,65.23.155.179,65.23.155.47,65.23.156.37,65.23.157.127,65.38.34.254,66.101.48.254,66.11.238.23,66.111.35.104,66.111.36.61,66.135.50.217,66.154.121.11,66.154.121.200,66.154.99.150,66.16.33.220,66.160.135.21,66.165.177.88,66.184.117.12,66.197.186.85,66.197.194.185,66.197.220.230,66.198.80.67,66.205.65.100,66.207.128.132,66.207.164.29,66.207.212.113,66.220.1.185,66.220.1.44,66.220.1.59,66.225.200.19,66.225.200.20,66.225.200.30,66.225.200.46,66.225.200.52,66.225.200.62,66.225.200.66,66.225.200.69,66.225.223.105,66.225.223.109] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 13) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404024; rev:1814;)
alert udp $HOME_NET any -> [64.34.174.189,64.62.134.30,64.62.190.245,64.62.190.36,64.62.190.73,64.79.194.120,64.79.196.195,64.85.160.108,64.85.160.30,64.85.162.200,64.85.162.206,64.85.163.113,64.85.163.126,64.85.163.127,64.85.164.73,64.85.165.21,64.85.172.197,65.110.41.130,65.110.62.93,65.111.172.48,65.19.178.15,65.23.153.98,65.23.155.179,65.23.155.47,65.23.156.37,65.23.157.127,65.38.34.254,66.101.48.254,66.11.238.23,66.111.35.104,66.111.36.61,66.135.50.217,66.154.121.11,66.154.121.200,66.154.99.150,66.16.33.220,66.160.135.21,66.165.177.88,66.184.117.12,66.197.186.85,66.197.194.185,66.197.220.230,66.198.80.67,66.205.65.100,66.207.128.132,66.207.164.29,66.207.212.113,66.220.1.185,66.220.1.44,66.220.1.59,66.225.200.19,66.225.200.20,66.225.200.30,66.225.200.46,66.225.200.52,66.225.200.62,66.225.200.66,66.225.200.69,66.225.223.105,66.225.223.109] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 13) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404025; rev:1814;)
alert tcp $HOME_NET any -> [66.225.223.112,66.225.223.115,66.225.223.13,66.225.223.16,66.225.223.26,66.225.223.38,66.225.223.52,66.225.223.66,66.225.223.70,66.225.223.91,66.225.225.225,66.225.225.66,66.226.72.50,66.246.149.4,66.246.76.24,66.249.128.230,66.252.1.154,66.252.1.203,66.252.1.210,66.252.1.29,66.252.10.203,66.252.10.205,66.252.10.206,66.252.10.213,66.252.10.217,66.252.10.219,66.252.10.234,66.252.10.235,66.252.10.249,66.252.11.130,66.252.11.131,66.252.11.132,66.252.11.133,66.252.11.134,66.252.11.15,66.252.11.230,66.252.11.244,66.252.11.41,66.252.11.73,66.252.11.76,66.252.11.9,66.252.13.131,66.252.13.132,66.252.13.134,66.252.13.152,66.252.13.153,66.252.13.154,66.252.13.155,66.252.13.156,66.252.13.157,66.252.13.166,66.252.13.178,66.252.13.188,66.252.13.26,66.252.13.27,66.252.13.31,66.252.13.8,66.252.16.151,66.252.16.206,66.252.16.233] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 14) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404026; rev:1814;)
alert udp $HOME_NET any -> [66.225.223.112,66.225.223.115,66.225.223.13,66.225.223.16,66.225.223.26,66.225.223.38,66.225.223.52,66.225.223.66,66.225.223.70,66.225.223.91,66.225.225.225,66.225.225.66,66.226.72.50,66.246.149.4,66.246.76.24,66.249.128.230,66.252.1.154,66.252.1.203,66.252.1.210,66.252.1.29,66.252.10.203,66.252.10.205,66.252.10.206,66.252.10.213,66.252.10.217,66.252.10.219,66.252.10.234,66.252.10.235,66.252.10.249,66.252.11.130,66.252.11.131,66.252.11.132,66.252.11.133,66.252.11.134,66.252.11.15,66.252.11.230,66.252.11.244,66.252.11.41,66.252.11.73,66.252.11.76,66.252.11.9,66.252.13.131,66.252.13.132,66.252.13.134,66.252.13.152,66.252.13.153,66.252.13.154,66.252.13.155,66.252.13.156,66.252.13.157,66.252.13.166,66.252.13.178,66.252.13.188,66.252.13.26,66.252.13.27,66.252.13.31,66.252.13.8,66.252.16.151,66.252.16.206,66.252.16.233] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 14) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404027; rev:1814;)
alert tcp $HOME_NET any -> [66.252.16.252,66.252.19.10,66.252.19.34,66.252.19.41,66.252.21.77,66.252.21.78,66.252.24.167,66.252.24.53,66.252.28.108,66.252.28.115,66.252.28.117,66.252.28.119,66.252.28.120,66.252.28.128,66.252.28.135,66.252.28.140,66.252.28.141,66.252.28.157,66.252.28.169,66.252.28.177,66.252.28.182,66.252.28.185,66.252.28.188,66.252.28.191,66.252.28.200,66.252.28.201,66.252.28.205,66.252.28.215,66.252.28.237,66.252.28.239,66.252.28.253,66.252.29.238,66.252.29.33,66.252.30.110,66.252.30.122,66.252.30.123,66.252.30.168,66.252.30.205,66.252.30.242,66.252.31.210,66.252.31.212,66.252.6.109,66.252.6.92,66.252.7.137,66.252.7.148,66.252.7.149,66.252.7.71,66.252.8.11,66.252.8.12,66.252.8.13,66.252.8.15,66.252.8.17,66.252.8.19,66.252.8.2,66.252.8.21,66.252.8.22,66.252.8.23,66.252.8.24,66.252.8.28,66.252.8.29] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 15) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404028; rev:1814;)
alert udp $HOME_NET any -> [66.252.16.252,66.252.19.10,66.252.19.34,66.252.19.41,66.252.21.77,66.252.21.78,66.252.24.167,66.252.24.53,66.252.28.108,66.252.28.115,66.252.28.117,66.252.28.119,66.252.28.120,66.252.28.128,66.252.28.135,66.252.28.140,66.252.28.141,66.252.28.157,66.252.28.169,66.252.28.177,66.252.28.182,66.252.28.185,66.252.28.188,66.252.28.191,66.252.28.200,66.252.28.201,66.252.28.205,66.252.28.215,66.252.28.237,66.252.28.239,66.252.28.253,66.252.29.238,66.252.29.33,66.252.30.110,66.252.30.122,66.252.30.123,66.252.30.168,66.252.30.205,66.252.30.242,66.252.31.210,66.252.31.212,66.252.6.109,66.252.6.92,66.252.7.137,66.252.7.148,66.252.7.149,66.252.7.71,66.252.8.11,66.252.8.12,66.252.8.13,66.252.8.15,66.252.8.17,66.252.8.19,66.252.8.2,66.252.8.21,66.252.8.22,66.252.8.23,66.252.8.24,66.252.8.28,66.252.8.29] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 15) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404029; rev:1814;)
alert tcp $HOME_NET any -> [66.252.8.3,66.252.8.4,66.252.8.5,66.252.8.6,66.252.8.7,66.252.8.8,66.252.8.9,66.252.9.10,66.252.9.140,66.252.9.141,66.252.9.59,66.252.9.61,66.40.25.237,66.45.234.200,66.46.183.34,66.7.210.158,66.7.210.159,66.7.210.160,66.79.163.42,66.90.110.139,66.90.113.196,66.90.113.198,66.90.64.171,66.90.72.154,66.90.82.222,66.90.82.8,66.90.84.147,66.90.90.195,66.98.224.132,67.101.75.211,67.115.175.163,67.159.0.101,67.159.17.231,67.159.18.51,67.159.18.53,67.159.2.221,67.159.27.26,67.159.27.30,67.159.56.58,67.18.176.176,67.18.176.230,67.18.187.34,67.18.208.96,67.18.209.66,67.198.195.194,67.202.107.13,67.202.91.197,67.205.85.231,67.21.72.50,67.21.76.176,67.21.76.177,67.21.76.179,67.21.88.243,67.21.88.246,67.21.93.55,67.210.234.18,67.214.139.64,67.215.235.58,67.220.65.37,67.220.65.39] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 16) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404030; rev:1814;)
alert udp $HOME_NET any -> [66.252.8.3,66.252.8.4,66.252.8.5,66.252.8.6,66.252.8.7,66.252.8.8,66.252.8.9,66.252.9.10,66.252.9.140,66.252.9.141,66.252.9.59,66.252.9.61,66.40.25.237,66.45.234.200,66.46.183.34,66.7.210.158,66.7.210.159,66.7.210.160,66.79.163.42,66.90.110.139,66.90.113.196,66.90.113.198,66.90.64.171,66.90.72.154,66.90.82.222,66.90.82.8,66.90.84.147,66.90.90.195,66.98.224.132,67.101.75.211,67.115.175.163,67.159.0.101,67.159.17.231,67.159.18.51,67.159.18.53,67.159.2.221,67.159.27.26,67.159.27.30,67.159.56.58,67.18.176.176,67.18.176.230,67.18.187.34,67.18.208.96,67.18.209.66,67.198.195.194,67.202.107.13,67.202.91.197,67.205.85.231,67.21.72.50,67.21.76.176,67.21.76.177,67.21.76.179,67.21.88.243,67.21.88.246,67.21.93.55,67.210.234.18,67.214.139.64,67.215.235.58,67.220.65.37,67.220.65.39] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 16) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404031; rev:1814;)
alert tcp $HOME_NET any -> [67.220.65.51,67.220.66.72,67.220.67.118,67.220.67.70,67.220.71.84,67.220.71.90,67.220.72.104,67.220.72.136,67.220.72.144,67.220.73.105,67.220.73.107,67.220.74.124,67.220.74.155,67.220.75.136,67.220.75.157,67.220.78.43,67.220.82.22,67.223.237.99,67.223.254.182,67.223.97.74,67.228.120.186,67.228.73.151,67.23.6.180,67.23.7.58,67.43.226.2,67.43.226.20,67.43.226.242,67.43.226.243,67.43.226.244,67.43.226.245,67.43.226.246,67.43.226.25,67.43.226.42,67.43.226.7,67.43.232.178,67.43.232.34,67.43.233.66,67.43.236.66,67.43.236.67,67.43.236.68,67.43.236.69,67.43.236.98,67.43.236.99,67.43.238.222,67.79.111.165,68.168.209.242,68.232.162.247,68.232.170.240,68.75.207.189,68.81.102.163,68.99.69.10,69.10.61.226,69.12.8.25,69.147.228.155,69.147.233.144,69.147.233.170,69.147.233.188,69.16.172.2,69.162.101.37,69.162.115.137] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 17) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404032; rev:1814;)
alert udp $HOME_NET any -> [67.220.65.51,67.220.66.72,67.220.67.118,67.220.67.70,67.220.71.84,67.220.71.90,67.220.72.104,67.220.72.136,67.220.72.144,67.220.73.105,67.220.73.107,67.220.74.124,67.220.74.155,67.220.75.136,67.220.75.157,67.220.78.43,67.220.82.22,67.223.237.99,67.223.254.182,67.223.97.74,67.228.120.186,67.228.73.151,67.23.6.180,67.23.7.58,67.43.226.2,67.43.226.20,67.43.226.242,67.43.226.243,67.43.226.244,67.43.226.245,67.43.226.246,67.43.226.25,67.43.226.42,67.43.226.7,67.43.232.178,67.43.232.34,67.43.233.66,67.43.236.66,67.43.236.67,67.43.236.68,67.43.236.69,67.43.236.98,67.43.236.99,67.43.238.222,67.79.111.165,68.168.209.242,68.232.162.247,68.232.170.240,68.75.207.189,68.81.102.163,68.99.69.10,69.10.61.226,69.12.8.25,69.147.228.155,69.147.233.144,69.147.233.170,69.147.233.188,69.16.172.2,69.162.101.37,69.162.115.137] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 17) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404033; rev:1814;)
alert tcp $HOME_NET any -> [69.162.80.43,69.162.80.60,69.163.35.192,69.164.211.53,69.17.2.219,69.20.231.81,69.20.234.2,69.217.36.153,69.245.107.191,69.251.104.164,69.30.200.92,69.30.232.148,69.31.228.75,69.36.111.69,69.4.235.11,69.42.210.47,69.42.210.56,69.42.214.59,69.42.215.10,69.42.215.100,69.42.215.12,69.42.215.14,69.42.215.16,69.42.215.161,69.42.215.178,69.42.215.179,69.42.215.180,69.42.215.20,69.42.215.22,69.42.215.24,69.42.215.4,69.42.215.6,69.42.215.8,69.42.216.215,69.42.217.171,69.42.217.188,69.42.218.161,69.42.218.29,69.42.218.70,69.42.218.72,69.42.219.194,69.42.219.68,69.42.220.140,69.42.220.148,69.42.221.253,69.42.221.7,69.42.222.17,69.42.74.177,69.56.173.120,69.60.119.115,69.61.126.199,69.61.21.115,69.64.38.216,69.64.39.194,69.64.39.201,69.64.39.202,69.64.43.197,69.64.49.244,69.64.50.245,69.64.50.61] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 18) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404034; rev:1814;)
alert udp $HOME_NET any -> [69.162.80.43,69.162.80.60,69.163.35.192,69.164.211.53,69.17.2.219,69.20.231.81,69.20.234.2,69.217.36.153,69.245.107.191,69.251.104.164,69.30.200.92,69.30.232.148,69.31.228.75,69.36.111.69,69.4.235.11,69.42.210.47,69.42.210.56,69.42.214.59,69.42.215.10,69.42.215.100,69.42.215.12,69.42.215.14,69.42.215.16,69.42.215.161,69.42.215.178,69.42.215.179,69.42.215.180,69.42.215.20,69.42.215.22,69.42.215.24,69.42.215.4,69.42.215.6,69.42.215.8,69.42.216.215,69.42.217.171,69.42.217.188,69.42.218.161,69.42.218.29,69.42.218.70,69.42.218.72,69.42.219.194,69.42.219.68,69.42.220.140,69.42.220.148,69.42.221.253,69.42.221.7,69.42.222.17,69.42.74.177,69.56.173.120,69.60.119.115,69.61.126.199,69.61.21.115,69.64.38.216,69.64.39.194,69.64.39.201,69.64.39.202,69.64.43.197,69.64.49.244,69.64.50.245,69.64.50.61] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 18) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404035; rev:1814;)
alert tcp $HOME_NET any -> [69.64.58.106,69.64.61.249,69.64.63.229,69.7.104.155,69.90.157.198,69.90.157.210,69.93.229.206,69.93.9.12,70.185.174.226,70.61.101.163,70.84.15.212,70.84.53.182,70.85.129.195,70.85.129.223,70.85.220.98,70.85.237.252,70.87.15.26,71.113.168.178,71.140.59.157,71.160.39.114,71.229.88.228,71.249.197.148,71.6.218.42,72.10.169.26,72.10.172.210,72.10.172.211,72.10.172.212,72.10.172.213,72.10.172.214,72.11.142.40,72.14.176.123,72.14.177.106,72.14.179.148,72.14.185.157,72.14.188.215,72.20.1.106,72.20.13.58,72.20.13.60,72.20.14.197,72.20.14.205,72.20.14.212,72.20.14.220,72.20.14.221,72.20.14.249,72.20.14.254,72.20.14.27,72.20.15.196,72.20.15.208,72.20.15.215,72.20.15.229,72.20.15.234,72.20.15.246,72.20.15.247,72.20.15.252,72.20.17.133,72.20.17.139,72.20.17.147,72.20.17.149,72.20.17.152,72.20.17.167] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 19) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404036; rev:1814;)
alert udp $HOME_NET any -> [69.64.58.106,69.64.61.249,69.64.63.229,69.7.104.155,69.90.157.198,69.90.157.210,69.93.229.206,69.93.9.12,70.185.174.226,70.61.101.163,70.84.15.212,70.84.53.182,70.85.129.195,70.85.129.223,70.85.220.98,70.85.237.252,70.87.15.26,71.113.168.178,71.140.59.157,71.160.39.114,71.229.88.228,71.249.197.148,71.6.218.42,72.10.169.26,72.10.172.210,72.10.172.211,72.10.172.212,72.10.172.213,72.10.172.214,72.11.142.40,72.14.176.123,72.14.177.106,72.14.179.148,72.14.185.157,72.14.188.215,72.20.1.106,72.20.13.58,72.20.13.60,72.20.14.197,72.20.14.205,72.20.14.212,72.20.14.220,72.20.14.221,72.20.14.249,72.20.14.254,72.20.14.27,72.20.15.196,72.20.15.208,72.20.15.215,72.20.15.229,72.20.15.234,72.20.15.246,72.20.15.247,72.20.15.252,72.20.17.133,72.20.17.139,72.20.17.147,72.20.17.149,72.20.17.152,72.20.17.167] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 19) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404037; rev:1814;)
alert tcp $HOME_NET any -> [72.20.17.168,72.20.17.178,72.20.2.130,72.20.2.186,72.20.21.104,72.20.21.124,72.20.21.13,72.20.21.3,72.20.21.33,72.20.21.35,72.20.21.36,72.20.21.37,72.20.21.45,72.20.23.102,72.20.23.104,72.20.23.107,72.20.23.74,72.20.23.77,72.20.23.90,72.20.23.92,72.20.24.146,72.20.24.151,72.20.24.161,72.20.24.162,72.20.24.163,72.20.24.164,72.20.24.169,72.20.24.170,72.20.24.171,72.20.24.172,72.20.24.173,72.20.25.140,72.20.25.153,72.20.25.181,72.20.26.183,72.20.26.184,72.20.27.113,72.20.27.120,72.20.27.69,72.20.3.62,72.20.32.5,72.20.33.91,72.20.35.120,72.20.35.135,72.20.35.180,72.20.35.183,72.20.35.70,72.20.36.55,72.20.36.57,72.20.36.9,72.20.37.151,72.20.37.189,72.20.37.234,72.20.37.32,72.20.38.126,72.20.38.70,72.20.38.9,72.20.40.249,72.20.40.35,72.20.40.52] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 20) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404038; rev:1814;)
alert udp $HOME_NET any -> [72.20.17.168,72.20.17.178,72.20.2.130,72.20.2.186,72.20.21.104,72.20.21.124,72.20.21.13,72.20.21.3,72.20.21.33,72.20.21.35,72.20.21.36,72.20.21.37,72.20.21.45,72.20.23.102,72.20.23.104,72.20.23.107,72.20.23.74,72.20.23.77,72.20.23.90,72.20.23.92,72.20.24.146,72.20.24.151,72.20.24.161,72.20.24.162,72.20.24.163,72.20.24.164,72.20.24.169,72.20.24.170,72.20.24.171,72.20.24.172,72.20.24.173,72.20.25.140,72.20.25.153,72.20.25.181,72.20.26.183,72.20.26.184,72.20.27.113,72.20.27.120,72.20.27.69,72.20.3.62,72.20.32.5,72.20.33.91,72.20.35.120,72.20.35.135,72.20.35.180,72.20.35.183,72.20.35.70,72.20.36.55,72.20.36.57,72.20.36.9,72.20.37.151,72.20.37.189,72.20.37.234,72.20.37.32,72.20.38.126,72.20.38.70,72.20.38.9,72.20.40.249,72.20.40.35,72.20.40.52] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 20) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404039; rev:1814;)
alert tcp $HOME_NET any -> [72.20.41.222,72.20.42.116,72.20.42.81,72.20.42.89,72.20.45.81,72.20.45.82,72.20.45.83,72.20.45.84,72.20.45.85,72.20.45.86,72.20.46.104,72.20.46.111,72.20.46.115,72.20.46.85,72.20.46.9,72.20.48.111,72.20.48.40,72.20.48.50,72.20.48.60,72.20.48.95,72.20.50.70,72.20.51.115,72.20.51.13,72.20.52.169,72.20.52.170,72.20.52.171,72.20.52.172,72.20.52.173,72.20.52.174,72.20.52.49,72.20.52.52,72.20.54.120,72.20.54.121,72.20.54.123,72.20.54.124,72.20.54.67,72.20.54.69,72.20.54.74,72.20.54.90,72.20.54.97,72.20.56.24,72.20.56.48,72.20.56.59,72.20.57.119,72.20.57.120,72.20.58.100,72.20.58.123,72.233.8.18,72.250.175.12,72.32.146.136,72.47.218.197,72.51.18.254,72.64.146.15,72.8.130.236,72.8.134.254,72.8.135.124,72.8.135.125,72.8.156.55,72.8.167.100,72.8.167.11] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 21) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404040; rev:1814;)
alert udp $HOME_NET any -> [72.20.41.222,72.20.42.116,72.20.42.81,72.20.42.89,72.20.45.81,72.20.45.82,72.20.45.83,72.20.45.84,72.20.45.85,72.20.45.86,72.20.46.104,72.20.46.111,72.20.46.115,72.20.46.85,72.20.46.9,72.20.48.111,72.20.48.40,72.20.48.50,72.20.48.60,72.20.48.95,72.20.50.70,72.20.51.115,72.20.51.13,72.20.52.169,72.20.52.170,72.20.52.171,72.20.52.172,72.20.52.173,72.20.52.174,72.20.52.49,72.20.52.52,72.20.54.120,72.20.54.121,72.20.54.123,72.20.54.124,72.20.54.67,72.20.54.69,72.20.54.74,72.20.54.90,72.20.54.97,72.20.56.24,72.20.56.48,72.20.56.59,72.20.57.119,72.20.57.120,72.20.58.100,72.20.58.123,72.233.8.18,72.250.175.12,72.32.146.136,72.47.218.197,72.51.18.254,72.64.146.15,72.8.130.236,72.8.134.254,72.8.135.124,72.8.135.125,72.8.156.55,72.8.167.100,72.8.167.11] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 21) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404041; rev:1814;)
alert tcp $HOME_NET any -> [72.8.167.147,72.8.167.148,72.8.167.150,72.8.167.151,72.8.167.153,72.8.167.160,72.8.167.161,72.8.167.20,72.8.167.244,72.8.167.30,72.8.167.73,72.8.167.99,72.9.150.144,72.9.150.155,72.9.150.161,72.90.73.67,74.117.172.230,74.117.173.200,74.117.174.101,74.117.174.110,74.117.174.119,74.117.174.3,74.117.174.49,74.117.174.5,74.117.174.54,74.117.174.69,74.117.174.77,74.117.174.79,74.117.174.85,74.117.174.90,74.117.174.95,74.117.56.223,74.117.57.90,74.117.59.75,74.117.60.125,74.117.60.205,74.117.61.104,74.117.62.133,74.117.63.67,74.199.29.172,74.207.243.163,74.207.245.186,74.207.246.126,74.208.101.128,74.208.103.34,74.208.149.196,74.208.166.160,74.208.174.239,74.213.179.140,74.41.18.106,74.63.11.207,74.63.208.146,74.63.222.51,74.63.78.37,74.63.87.194,74.81.168.169,75.102.26.70,75.118.123.95,75.125.94.67,75.125.94.68] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 22) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404042; rev:1814;)
alert udp $HOME_NET any -> [72.8.167.147,72.8.167.148,72.8.167.150,72.8.167.151,72.8.167.153,72.8.167.160,72.8.167.161,72.8.167.20,72.8.167.244,72.8.167.30,72.8.167.73,72.8.167.99,72.9.150.144,72.9.150.155,72.9.150.161,72.90.73.67,74.117.172.230,74.117.173.200,74.117.174.101,74.117.174.110,74.117.174.119,74.117.174.3,74.117.174.49,74.117.174.5,74.117.174.54,74.117.174.69,74.117.174.77,74.117.174.79,74.117.174.85,74.117.174.90,74.117.174.95,74.117.56.223,74.117.57.90,74.117.59.75,74.117.60.125,74.117.60.205,74.117.61.104,74.117.62.133,74.117.63.67,74.199.29.172,74.207.243.163,74.207.245.186,74.207.246.126,74.208.101.128,74.208.103.34,74.208.149.196,74.208.166.160,74.208.174.239,74.213.179.140,74.41.18.106,74.63.11.207,74.63.208.146,74.63.222.51,74.63.78.37,74.63.87.194,74.81.168.169,75.102.26.70,75.118.123.95,75.125.94.67,75.125.94.68] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 22) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404043; rev:1814;)
alert tcp $HOME_NET any -> [75.125.94.69,75.150.126.241,75.150.46.25,75.73.242.77,76.10.144.86,76.185.136.131,76.73.17.206,76.73.3.140,76.73.53.101,76.73.53.110,76.73.53.213,76.73.56.15,76.73.56.20,76.74.241.241,76.74.250.94,76.76.11.208,77.244.242.98,77.244.247.197,77.43.29.107,77.59.219.91,77.66.33.10,77.68.42.111,77.74.50.13,77.75.110.17,77.77.64.67,77.78.112.1,77.91.226.45,77.92.85.162,78.111.98.18,78.129.228.10,78.129.228.23,78.129.228.24,78.129.228.30,78.129.228.32,78.129.228.39,78.129.228.4,78.129.228.40,78.129.228.44,78.129.228.51,78.129.228.52,78.129.228.53,78.129.228.54,78.129.228.58,78.129.228.6,78.129.228.65,78.129.228.7,78.157.104.207,78.159.100.188,78.159.100.189,78.159.108.41,78.24.188.201,78.32.173.145,78.39.40.98,78.40.125.4,79.125.11.206,79.125.12.23,79.125.53.160,79.132.211.24,79.134.0.34,79.143.254.153] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 23) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404044; rev:1814;)
alert udp $HOME_NET any -> [75.125.94.69,75.150.126.241,75.150.46.25,75.73.242.77,76.10.144.86,76.185.136.131,76.73.17.206,76.73.3.140,76.73.53.101,76.73.53.110,76.73.53.213,76.73.56.15,76.73.56.20,76.74.241.241,76.74.250.94,76.76.11.208,77.244.242.98,77.244.247.197,77.43.29.107,77.59.219.91,77.66.33.10,77.68.42.111,77.74.50.13,77.75.110.17,77.77.64.67,77.78.112.1,77.91.226.45,77.92.85.162,78.111.98.18,78.129.228.10,78.129.228.23,78.129.228.24,78.129.228.30,78.129.228.32,78.129.228.39,78.129.228.4,78.129.228.40,78.129.228.44,78.129.228.51,78.129.228.52,78.129.228.53,78.129.228.54,78.129.228.58,78.129.228.6,78.129.228.65,78.129.228.7,78.157.104.207,78.159.100.188,78.159.100.189,78.159.108.41,78.24.188.201,78.32.173.145,78.39.40.98,78.40.125.4,79.125.11.206,79.125.12.23,79.125.53.160,79.132.211.24,79.134.0.34,79.143.254.153] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 23) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404045; rev:1814;)
alert tcp $HOME_NET any -> [79.40.157.226,79.99.0.110,8.7.233.233,8.7.233.36,8.7.233.42,8.7.233.43,8.7.233.44,8.7.233.45,80.126.201.245,80.13.162.101,80.144.227.197,80.154.33.35,80.154.61.188,80.179.146.140,80.184.117.172,80.190.246.162,80.242.33.83,80.244.90.117,80.244.90.85,80.57.155.69,80.64.138.34,80.64.140.13,80.68.89.201,80.88.108.18,81.16.232.76,81.167.229.172,81.169.134.201,81.169.136.37,81.169.168.122,81.169.170.117,81.169.188.116,81.233.197.111,81.26.211.130,81.29.65.57,81.31.32.12,81.31.33.35,81.9.51.98,81.94.201.34,81.94.201.70,81.94.206.18,82.136.2.130,82.138.241.140,82.138.241.146,82.138.241.150,82.146.49.134,82.146.49.139,82.146.49.148,82.146.49.217,82.146.51.130,82.146.51.132,82.146.51.202,82.146.52.158,82.146.52.167,82.146.52.182,82.146.52.208,82.146.52.75,82.146.52.89,82.146.53.110,82.146.53.168,82.146.59.188] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 24) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404046; rev:1814;)
alert udp $HOME_NET any -> [79.40.157.226,79.99.0.110,8.7.233.233,8.7.233.36,8.7.233.42,8.7.233.43,8.7.233.44,8.7.233.45,80.126.201.245,80.13.162.101,80.144.227.197,80.154.33.35,80.154.61.188,80.179.146.140,80.184.117.172,80.190.246.162,80.242.33.83,80.244.90.117,80.244.90.85,80.57.155.69,80.64.138.34,80.64.140.13,80.68.89.201,80.88.108.18,81.16.232.76,81.167.229.172,81.169.134.201,81.169.136.37,81.169.168.122,81.169.170.117,81.169.188.116,81.233.197.111,81.26.211.130,81.29.65.57,81.31.32.12,81.31.33.35,81.9.51.98,81.94.201.34,81.94.201.70,81.94.206.18,82.136.2.130,82.138.241.140,82.138.241.146,82.138.241.150,82.146.49.134,82.146.49.139,82.146.49.148,82.146.49.217,82.146.51.130,82.146.51.132,82.146.51.202,82.146.52.158,82.146.52.167,82.146.52.182,82.146.52.208,82.146.52.75,82.146.52.89,82.146.53.110,82.146.53.168,82.146.59.188] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 24) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404047; rev:1814;)
alert tcp $HOME_NET any -> [82.160.17.221,82.165.139.95,82.165.154.249,82.182.115.167,82.197.159.213,82.199.97.194,82.23.226.214,82.75.58.91,82.94.222.186,82.96.75.46,83.133.119.206,83.136.68.32,83.137.112.20,83.137.41.33,83.140.162.126,83.140.172.210,83.140.172.211,83.140.172.212,83.142.230.12,83.142.48.72,83.142.85.10,83.149.112.40,83.149.112.7,83.149.112.71,83.149.234.76,83.167.180.110,83.170.81.10,83.170.81.4,83.170.84.101,83.170.84.11,83.170.84.118,83.170.84.12,83.170.84.13,83.170.84.9,83.2.139.1,83.222.124.222,83.243.46.2,83.246.94.87,83.68.16.6,83.69.48.218,83.69.96.16,84.11.26.30,84.124.147.148,84.16.231.52,84.16.246.226,84.16.246.247,84.16.246.249,84.200.208.182,84.200.225.80,84.200.242.4,84.208.29.17,84.234.138.106,84.235.98.106,84.243.214.56,84.53.216.86,85.113.233.228,85.114.140.126,85.12.6.152,85.14.200.37,85.159.233.66] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 25) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404048; rev:1814;)
alert udp $HOME_NET any -> [82.160.17.221,82.165.139.95,82.165.154.249,82.182.115.167,82.197.159.213,82.199.97.194,82.23.226.214,82.75.58.91,82.94.222.186,82.96.75.46,83.133.119.206,83.136.68.32,83.137.112.20,83.137.41.33,83.140.162.126,83.140.172.210,83.140.172.211,83.140.172.212,83.142.230.12,83.142.48.72,83.142.85.10,83.149.112.40,83.149.112.7,83.149.112.71,83.149.234.76,83.167.180.110,83.170.81.10,83.170.81.4,83.170.84.101,83.170.84.11,83.170.84.118,83.170.84.12,83.170.84.13,83.170.84.9,83.2.139.1,83.222.124.222,83.243.46.2,83.246.94.87,83.68.16.6,83.69.48.218,83.69.96.16,84.11.26.30,84.124.147.148,84.16.231.52,84.16.246.226,84.16.246.247,84.16.246.249,84.200.208.182,84.200.225.80,84.200.242.4,84.208.29.17,84.234.138.106,84.235.98.106,84.243.214.56,84.53.216.86,85.113.233.228,85.114.140.126,85.12.6.152,85.14.200.37,85.159.233.66] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 25) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404049; rev:1814;)
alert tcp $HOME_NET any -> [85.17.138.155,85.17.139.182,85.17.139.34,85.17.148.13,85.17.207.164,85.196.81.19,85.196.81.211,85.196.81.9,85.214.117.33,85.214.140.176,85.214.25.101,85.214.27.94,85.214.36.108,85.214.45.113,85.214.75.67,85.214.97.16,85.236.110.226,85.236.110.228,85.24.148.106,85.24.148.108,85.24.148.125,85.248.115.251,85.25.10.63,85.25.129.200,85.25.17.177,85.25.224.38,85.25.3.62,85.31.187.144,85.88.6.197,85.92.87.233,85.94.77.39,86.104.220.60,86.104.221.2,86.104.223.179,86.106.16.27,86.110.67.72,86.57.151.5,86.65.39.15,87.106.138.9,87.106.61.8,87.117.217.81,87.118.102.89,87.118.103.89,87.118.120.11,87.118.126.87,87.118.87.98,87.118.89.49,87.124.86.31,87.227.96.214,87.252.253.254,87.98.141.234,87.98.163.86,87.98.164.139,87.98.173.190,87.98.244.220,87.98.249.186,87.98.249.30,87.98.250.230,87.98.250.95,88.151.101.105] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 26) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404050; rev:1814;)
alert udp $HOME_NET any -> [85.17.138.155,85.17.139.182,85.17.139.34,85.17.148.13,85.17.207.164,85.196.81.19,85.196.81.211,85.196.81.9,85.214.117.33,85.214.140.176,85.214.25.101,85.214.27.94,85.214.36.108,85.214.45.113,85.214.75.67,85.214.97.16,85.236.110.226,85.236.110.228,85.24.148.106,85.24.148.108,85.24.148.125,85.248.115.251,85.25.10.63,85.25.129.200,85.25.17.177,85.25.224.38,85.25.3.62,85.31.187.144,85.88.6.197,85.92.87.233,85.94.77.39,86.104.220.60,86.104.221.2,86.104.223.179,86.106.16.27,86.110.67.72,86.57.151.5,86.65.39.15,87.106.138.9,87.106.61.8,87.117.217.81,87.118.102.89,87.118.103.89,87.118.120.11,87.118.126.87,87.118.87.98,87.118.89.49,87.124.86.31,87.227.96.214,87.252.253.254,87.98.141.234,87.98.163.86,87.98.164.139,87.98.173.190,87.98.244.220,87.98.249.186,87.98.249.30,87.98.250.230,87.98.250.95,88.151.101.105] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 26) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404051; rev:1814;)
alert tcp $HOME_NET any -> [88.191.60.22,88.191.66.7,88.80.5.41,88.86.123.89,89.149.195.247,89.149.198.180,89.149.198.183,89.149.201.156,89.149.202.177,89.149.210.91,89.149.250.227,89.163.179.130,89.17.201.203,89.185.236.71,89.202.247.162,89.238.135.184,89.238.135.218,89.238.135.221,89.238.135.223,89.238.159.70,89.238.64.181,89.238.71.31,89.238.71.40,89.46.101.75,91.121.0.76,91.121.0.93,91.121.103.122,91.121.107.112,91.121.112.219,91.121.115.74,91.121.122.110,91.121.143.15,91.121.150.119,91.121.158.18,91.121.158.80,91.121.158.84,91.121.17.210,91.121.17.225,91.121.208.180,91.121.245.206,91.121.251.195,91.121.27.112,91.121.58.120,91.121.59.5,91.121.75.82,91.121.89.104,91.121.96.182,91.121.96.69,91.144.136.218,91.149.157.69,91.191.163.21,91.192.36.142,91.194.85.186,91.195.250.56,91.201.53.147,91.205.185.104,91.208.144.141,91.208.40.24,91.211.117.76,92.114.4.2] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 27) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404052; rev:1814;)
alert udp $HOME_NET any -> [88.191.60.22,88.191.66.7,88.80.5.41,88.86.123.89,89.149.195.247,89.149.198.180,89.149.198.183,89.149.201.156,89.149.202.177,89.149.210.91,89.149.250.227,89.163.179.130,89.17.201.203,89.185.236.71,89.202.247.162,89.238.135.184,89.238.135.218,89.238.135.221,89.238.135.223,89.238.159.70,89.238.64.181,89.238.71.31,89.238.71.40,89.46.101.75,91.121.0.76,91.121.0.93,91.121.103.122,91.121.107.112,91.121.112.219,91.121.115.74,91.121.122.110,91.121.143.15,91.121.150.119,91.121.158.18,91.121.158.80,91.121.158.84,91.121.17.210,91.121.17.225,91.121.208.180,91.121.245.206,91.121.251.195,91.121.27.112,91.121.58.120,91.121.59.5,91.121.75.82,91.121.89.104,91.121.96.182,91.121.96.69,91.144.136.218,91.149.157.69,91.191.163.21,91.192.36.142,91.194.85.186,91.195.250.56,91.201.53.147,91.205.185.104,91.208.144.141,91.208.40.24,91.211.117.76,92.114.4.2] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 27) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404053; rev:1814;)
alert tcp $HOME_NET any -> [92.240.234.164,92.241.164.114,92.241.180.65,92.243.15.120,92.243.16.163,92.243.21.241,92.243.23.71,92.33.0.168,92.62.43.55,93.103.96.74,93.104.214.3,93.114.48.200,93.114.49.190,93.174.88.65,93.185.77.230,93.186.171.161,93.186.192.147,93.190.138.42,93.190.138.52,93.190.140.129,94.102.211.174,94.102.51.238,94.102.55.150,94.125.182.255,94.125.252.113,94.125.252.114,94.125.252.224,94.125.252.241,94.127.17.19,94.171.144.4,94.228.41.56,94.229.73.198,94.23.100.66,94.23.111.18,94.23.120.229,94.23.148.187,94.23.154.132,94.23.154.167,94.23.22.62,94.23.225.225,94.23.239.95,94.23.39.102,94.23.41.83,94.23.60.6,94.23.8.74,94.23.84.108,94.247.241.6,94.32.66.150,94.46.127.1,94.47.254.1,94.62.8.37,94.75.205.140,94.75.206.129,94.75.216.194,95.130.11.78,95.154.216.63,95.154.216.64,95.168.167.63,95.168.170.178,95.168.171.116] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 28) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404054; rev:1814;)
alert udp $HOME_NET any -> [92.240.234.164,92.241.164.114,92.241.180.65,92.243.15.120,92.243.16.163,92.243.21.241,92.243.23.71,92.33.0.168,92.62.43.55,93.103.96.74,93.104.214.3,93.114.48.200,93.114.49.190,93.174.88.65,93.185.77.230,93.186.171.161,93.186.192.147,93.190.138.42,93.190.138.52,93.190.140.129,94.102.211.174,94.102.51.238,94.102.55.150,94.125.182.255,94.125.252.113,94.125.252.114,94.125.252.224,94.125.252.241,94.127.17.19,94.171.144.4,94.228.41.56,94.229.73.198,94.23.100.66,94.23.111.18,94.23.120.229,94.23.148.187,94.23.154.132,94.23.154.167,94.23.22.62,94.23.225.225,94.23.239.95,94.23.39.102,94.23.41.83,94.23.60.6,94.23.8.74,94.23.84.108,94.247.241.6,94.32.66.150,94.46.127.1,94.47.254.1,94.62.8.37,94.75.205.140,94.75.206.129,94.75.216.194,95.130.11.78,95.154.216.63,95.154.216.64,95.168.167.63,95.168.170.178,95.168.171.116] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 28) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404055; rev:1814;)
alert tcp $HOME_NET any -> [95.168.187.128,95.168.187.206,95.168.187.46,95.168.187.52,95.211.10.232,95.211.24.165,95.211.26.11,95.211.32.4,95.211.84.107,95.211.84.108,95.86.129.10,96.56.198.170,96.9.182.21,97.102.164.200,97.107.130.165,97.107.132.56,97.107.137.102,97.107.141.216,98.142.214.143,98.142.242.183,98.142.254.236,98.142.254.239,98.143.158.23,98.189.231.149,98.23.191.122,99.36.74.241] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 29) "; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404056; rev:1814;)
alert udp $HOME_NET any -> [95.168.187.128,95.168.187.206,95.168.187.46,95.168.187.52,95.211.10.232,95.211.24.165,95.211.26.11,95.211.32.4,95.211.84.107,95.211.84.108,95.86.129.10,96.56.198.170,96.9.182.21,97.102.164.200,97.107.130.165,97.107.132.56,97.107.137.102,97.107.141.216,98.142.214.143,98.142.242.183,98.142.254.236,98.142.254.239,98.143.158.23,98.189.231.149,98.23.191.122,99.36.74.241] any (msg:"ET DROP Known Bot C&C Server Traffic UDP (group 29) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404057; rev:1814;)