#
# $Id: bleeding-drop.rules $
# Emerging Threats Botnet Command and Control drop rules.
#
#These are generated from the EXCELLENT work done by the Shadowserver team!
#
# http://www.shadowserver.org
#
#
# SID's are 2410000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2008, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
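#
#
# Reviewer notes for operators of this rule set:
#  - Layout: every rule below sits on one physical line. A rule wrapped across
#    lines without a trailing backslash, or one that follows a '#' on the same
#    line, is not loaded by the rule parser, so the first rule and every wrapped
#    rule would otherwise be silently missing from detection coverage.
#  - Action: these are `alert` rules. Despite "ET DROP" in msg they only log;
#    blocking needs an inline sensor and a changed action, or a separate
#    firewall/ACL fed from the same address list.
#  - Direction: only traffic from $HOME_NET to a listed address is matched (any
#    IP protocol, any port). Connections initiated by a listed address towards
#    $HOME_NET are not covered by these rules.
#  - Threshold: `type limit, track by_src, seconds 3600, count 1` gives at most
#    one alert per internal source per rule per hour. Further contacts in that
#    hour, including to other addresses of the same group, raise no new alert;
#    use flow or connection logs to scope an infected host.
#  - Alerts name the group, not the matched address; take the destination from
#    the packet header in the alert.
#  - SIDs in this section are 2404000-2404018, while the file header states
#    2410000+; confirm the numbering against the local sid-msg.map.
#  - The address list is a point-in-time snapshot (rev 1165, header copyright
#    2003-2008). Refresh it from the feed before relying on it, since
#    reassigned or shared addresses produce false positives.
#  - NOTE(review): later Snort 2.x releases deprecate the in-rule `threshold`
#    option in favour of event_filter; check the sensor's version.
#
alert ip $HOME_NET any -> [12.120.5.241,12.31.165.82,121.119.172.49,124.217.230.246,124.246.24.204,124.38.150.118,125.243.42.200,128.121.20.113,128.241.236.105,128.39.2.28,130.239.18.172,130.240.22.201,134.96.247.17,140.186.181.106,140.211.166.3,140.211.166.64,141.213.238.252,142.167.171.221,142.179.159.58,145.89.150.59,146.83.111.35,147.127.160.120,149.9.1.16,150.254.6.206,151.189.0.165,154.35.200.44,155.230.18.48,158.38.8.251,161.53.178.240,168.187.115.136,190.24.250.202,190.24.83.222,190.4.20.155,190.40.15.226,190.43.101.200,190.54.27.163,190.76.81.207,192.116.231.44,193.109.122.67,193.109.122.77,193.138.229.11,193.138.229.18,193.163.220.3,193.200.193.4,193.202.83.129,193.23.141.242,193.23.143.103,193.23.143.14,193.28.153.27,193.37.152.230,193.68.150.140,193.68.50.110,193.71.199.6,193.86.233.135,194.1.163.1,194.109.129.220,194.109.129.222,194.109.20.90,194.109.206.107,194.109.64.131] any (msg:"ET DROP Known Bot C&C Server Traffic (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404000; rev:1165;)
alert ip $HOME_NET any -> [194.110.67.193,194.12.253.152,194.124.229.58,194.124.229.59,194.126.174.202,194.126.32.111,194.145.152.20,194.146.224.152,194.149.73.154,194.149.73.161,194.149.73.55,194.149.73.80,194.159.164.195,194.159.164.211,194.169.192.101,194.169.192.55,194.169.192.57,194.19.26.178,194.204.14.151,194.204.19.34,194.24.188.141,194.54.90.10,194.68.45.50,195.111.64.195,195.12.59.195,195.12.59.196,195.137.213.67,195.14.47.164,195.144.12.5,195.149.115.132,195.149.115.135,195.149.21.43,195.149.74.40,195.149.74.67,195.169.138.124,195.2.117.33,195.20.207.107,195.22.23.171,195.222.5.209,195.225.204.134,195.225.50.251,195.23.135.14,195.28.165.201,195.28.165.48,195.47.220.2,195.50.191.12,195.50.191.14,195.54.159.109,195.54.211.181,195.58.33.236,195.68.206.250,195.78.50.54,195.85.200.10,195.85.200.11,195.85.200.12,195.85.200.13,195.85.200.14,195.85.200.15,195.85.200.16,196.202.248.21] any (msg:"ET DROP Known Bot C&C Server Traffic (group 2) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404001; rev:1165;)
alert ip $HOME_NET any -> [196.22.192.31,196.22.193.166,196.34.88.5,198.3.160.3,199.236.64.9,200.105.208.186,200.110.81.46,200.111.58.106,200.125.210.163,200.185.51.78,200.187.176.44,200.207.159.225,200.27.248.67,200.28.222.214,200.29.0.66,200.31.43.33,200.47.82.13,200.68.3.106,200.76.29.43,200.83.0.116,200.88.241.226,200.95.144.26,201.218.128.67,201.244.238.46,201.64.90.230,202.102.202.75,202.103.190.179,202.134.0.13,202.134.0.199,202.143.173.163,202.164.182.18,202.174.155.235,202.177.26.195,202.181.31.243,202.21.178.45,202.218.124.133,202.71.100.248,202.71.100.249,202.71.111.249,202.71.111.250,202.71.111.251,202.71.111.252,202.80.113.24,202.91.34.9,203.107.217.51,203.116.63.82,203.116.63.89,203.120.94.7,203.120.94.9,203.171.78.52,203.186.79.248,203.211.139.204,203.26.195.2,203.27.221.42,203.81.56.66,203.97.23.182,204.11.244.21,204.122.31.13,204.16.200.180,204.8.218.108] any (msg:"ET DROP Known Bot C&C Server Traffic (group 3) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404002; rev:1165;)
alert ip $HOME_NET any -> [204.8.218.152,204.8.218.188,204.8.220.130,204.8.34.130,204.92.73.10,205.210.145.3,206.225.91.81,206.41.117.92,206.53.49.172,206.53.51.113,206.53.56.42,206.53.56.46,206.53.56.54,206.53.63.19,206.63.81.82,206.63.81.87,206.63.81.89,206.71.150.50,207.150.167.55,207.158.1.150,207.234.145.20,207.45.69.69,208.100.23.31,208.101.15.210,208.101.58.27,208.110.65.135,208.110.69.227,208.116.41.20,208.146.35.105,208.146.35.106,208.167.237.120,208.185.81.185,208.185.81.205,208.185.81.229,208.185.81.252,208.186.16.34,208.27.69.204,208.51.40.2,208.53.148.111,208.53.150.44,208.53.151.171,208.53.151.173,208.53.151.253,208.53.163.194,208.53.175.92,208.53.180.254,208.53.183.113,208.53.43.132,208.68.106.138,208.71.174.220,208.72.157.63,208.75.208.201,208.82.113.80,208.85.178.74,208.98.14.14,208.98.19.100,208.98.19.11,208.98.19.12,208.98.19.2,208.98.19.7] any (msg:"ET DROP Known Bot C&C Server Traffic (group 4) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404003; rev:1165;)
alert ip $HOME_NET any -> [208.98.21.200,208.98.22.117,208.98.3.16,208.98.30.69,208.98.32.130,208.98.32.177,208.98.34.138,208.98.4.70,208.98.42.103,208.98.42.113,208.98.42.73,208.98.42.78,208.98.42.87,208.98.42.99,208.98.47.25,208.98.47.44,208.98.47.47,208.98.47.50,208.98.51.51,208.98.54.207,208.98.8.66,208.99.193.130,208.99.193.134,208.99.194.68,209.11.242.36,209.11.244.124,209.11.244.18,209.11.244.82,209.133.11.161,209.133.11.165,209.133.11.185,209.133.11.197,209.133.11.209,209.133.11.212,209.133.8.83,209.133.9.109,209.133.9.43,209.133.9.50,209.133.9.56,209.133.9.61,209.177.146.34,209.200.7.211,209.249.249.126,209.250.225.144,209.250.225.207,209.250.225.55,209.250.225.62,209.250.239.6,209.33.98.58,209.61.182.250,209.67.60.191,209.8.255.52,209.9.226.187,210.135.96.98,210.150.125.131,210.196.194.166,210.221.154.111,210.226.64.74,211.139.120.72,211.233.36.76] any (msg:"ET DROP Known Bot C&C Server Traffic (group 5) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404004; rev:1165;)
alert ip $HOME_NET any -> [211.234.112.135,211.236.177.219,212.101.123.10,212.101.123.11,212.101.123.12,212.101.123.4,212.101.123.5,212.101.123.6,212.101.123.7,212.101.123.8,212.101.123.9,212.105.98.2,212.146.145.91,212.178.133.174,212.40.5.191,212.69.128.38,212.71.19.100,212.71.19.106,212.73.209.227,212.73.209.230,212.73.209.232,212.91.161.18,213.113.61.173,213.131.156.50,213.131.156.51,213.146.63.33,213.148.252.156,213.17.153.11,213.180.86.28,213.180.86.97,213.201.226.5,213.202.224.134,213.202.224.142,213.202.245.12,213.202.245.127,213.202.247.105,213.203.199.241,213.215.31.19,213.219.225.1,213.236.208.178,213.239.131.28,213.244.180.180,213.247.51.21,213.247.61.130,213.248.53.3,213.248.60.142,213.251.160.26,213.48.150.3,213.48.150.5,213.53.107.38,216.12.208.217,216.147.161.118,216.150.78.210,216.151.159.42,216.152.66.62,216.152.66.65,216.152.67.30,216.152.67.49,216.153.126.211,216.153.126.212] any (msg:"ET DROP Known Bot C&C Server Traffic (group 6) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404005; rev:1165;)
alert ip $HOME_NET any -> [216.153.126.213,216.179.62.162,216.193.223.223,216.218.163.69,216.25.44.16,216.253.186.108,216.254.62.132,216.40.238.229,216.8.177.28,216.82.127.91,216.86.156.233,216.86.156.24,216.86.159.232,217.11.227.38,217.11.52.135,217.147.230.5,217.160.131.200,217.168.95.245,217.17.33.10,217.172.56.122,217.172.56.190,217.172.56.21,217.172.56.246,217.173.42.21,217.195.197.15,217.195.197.16,217.196.95.77,217.20.112.128,217.218.118.50,217.26.49.12,217.29.87.254,217.30.178.1,217.67.229.109,217.67.230.218,217.69.168.68,217.70.189.250,217.75.128.65,217.8.243.11,218.208.50.164,218.44.249.117,219.223.252.53,220.110.150.90,220.119.42.3,220.128.233.154,221.222.223.244,221.6.6.232,222.100.140.5,222.119.86.100,222.122.132.211,222.122.43.42,222.122.43.50,222.122.43.52,24.138.155.65,24.176.33.83,24.181.253.194,24.213.95.126,24.214.5.44,38.100.91.113,38.106.96.203,38.114.116.5] any (msg:"ET DROP Known Bot C&C Server Traffic (group 7) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404006; rev:1165;)
alert ip $HOME_NET any -> [38.97.225.135,58.137.102.36,58.177.184.250,58.65.236.17,59.120.107.66,59.120.92.70,59.125.13.220,59.148.144.42,59.2.28.212,59.94.248.141,59.95.162.190,60.241.104.177,61.104.88.61,61.19.247.225,61.221.64.124,61.29.60.169,61.50.221.109,61.63.9.163,62.1.206.165,62.1.206.170,62.141.48.112,62.141.48.164,62.141.49.112,62.141.49.164,62.141.56.158,62.141.56.98,62.141.57.98,62.141.58.56,62.141.60.13,62.2.26.137,62.24.64.27,62.42.230.93,62.45.52.82,62.75.143.63,62.75.162.36,62.75.243.185,62.75.246.205,62.93.205.138,63.167.66.5,63.168.242.229,63.173.172.98,63.243.153.235,63.243.153.237,63.243.153.238,63.243.153.239,63.245.208.159,64.12.165.56,64.124.16.118,64.124.16.119,64.124.16.122,64.127.41.29,64.13.230.162,64.16.210.102,64.161.254.20,64.161.255.2,64.179.90.59,64.18.128.86,64.18.131.116,64.18.138.115,64.18.139.82] any (msg:"ET DROP Known Bot C&C Server Traffic (group 8) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404007; rev:1165;)
alert ip $HOME_NET any -> [64.18.140.158,64.18.145.206,64.18.145.215,64.18.151.101,64.18.151.106,64.18.151.107,64.18.151.71,64.18.151.73,64.18.151.86,64.18.151.94,64.191.136.108,64.237.34.150,64.251.15.82,64.32.14.10,64.32.14.20,64.32.14.48,64.32.16.249,64.32.28.21,64.32.28.26,64.32.28.6,64.32.29.110,64.32.31.239,64.32.31.65,64.32.31.90,64.34.166.236,64.34.183.88,64.34.193.234,64.34.203.207,64.62.190.245,64.62.190.36,64.62.194.62,64.72.117.181,64.74.125.21,64.85.160.108,64.85.160.30,64.85.162.207,64.85.165.252,64.86.133.165,64.86.25.248,64.89.27.36,65.110.62.93,65.111.168.18,65.23.153.98,65.23.154.122,65.23.154.67,65.23.156.37,65.23.157.4,65.36.178.197,65.40.27.109,66.111.35.104,66.111.36.61,66.111.37.204,66.150.219.5,66.160.135.21,66.165.177.88,66.186.59.50,66.186.63.189,66.187.148.247,66.195.252.5,66.198.80.67] any (msg:"ET DROP Known Bot C&C Server Traffic (group 9) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404008; rev:1165;)
alert ip $HOME_NET any -> [66.207.164.29,66.212.28.20,66.219.101.93,66.220.1.52,66.220.1.66,66.225.200.20,66.225.200.30,66.225.200.62,66.225.200.93,66.225.223.109,66.225.223.112,66.225.223.115,66.225.223.52,66.225.223.70,66.225.225.225,66.225.225.66,66.235.214.116,66.240.234.77,66.246.149.4,66.252.1.106,66.252.1.109,66.252.1.112,66.252.1.203,66.252.1.210,66.252.1.222,66.252.10.109,66.252.10.207,66.252.10.213,66.252.10.217,66.252.10.234,66.252.10.94,66.252.11.15,66.252.11.69,66.252.11.76,66.252.11.9,66.252.12.36,66.252.12.39,66.252.12.48,66.252.12.51,66.252.12.52,66.252.12.53,66.252.12.54,66.252.12.55,66.252.13.165,66.252.13.195,66.252.13.201,66.252.13.209,66.252.13.215,66.252.13.227,66.252.13.228,66.252.13.237,66.252.13.242,66.252.13.250,66.252.13.67,66.252.19.104,66.252.19.11,66.252.19.114,66.252.19.123,66.252.19.19,66.252.19.45] any (msg:"ET DROP Known Bot C&C Server Traffic (group 10) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404009; rev:1165;)
alert ip $HOME_NET any -> [66.252.19.74,66.252.19.86,66.252.2.137,66.252.2.138,66.252.2.142,66.252.2.154,66.252.2.167,66.252.2.172,66.252.2.185,66.252.21.99,66.252.23.181,66.252.24.107,66.252.24.167,66.252.24.178,66.252.24.36,66.252.24.45,66.252.24.47,66.252.24.6,66.252.25.250,66.252.27.201,66.252.28.102,66.252.28.108,66.252.28.115,66.252.28.141,66.252.28.177,66.252.28.191,66.252.28.237,66.252.29.33,66.252.30.122,66.252.30.123,66.252.30.168,66.252.31.210,66.252.31.212,66.252.31.254,66.252.7.148,66.252.7.70,66.252.8.131,66.45.234.200,66.54.153.162,66.7.192.11,66.79.185.103,66.90.99.148,66.96.240.201,67.106.205.73,67.159.0.243,67.159.0.251,67.159.0.254,67.159.17.231,67.159.24.190,67.159.26.180,67.172.136.31,67.18.176.176,67.18.176.40,67.18.208.91,67.18.208.96,67.19.130.66,67.19.147.202,67.19.184.20,67.19.238.44,67.19.246.130] any (msg:"ET DROP Known Bot C&C Server Traffic (group 11) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404010; rev:1165;)
alert ip $HOME_NET any -> [67.19.93.226,67.198.203.98,67.210.225.202,67.220.66.105,67.220.66.70,67.225.131.201,67.228.103.248,67.228.42.241,67.228.99.245,67.43.226.242,67.43.226.243,67.43.226.244,67.43.226.245,67.43.226.246,67.43.229.29,67.43.229.46,67.43.232.34,67.43.232.35,67.43.232.36,67.43.232.37,67.43.232.38,67.43.233.64,67.43.235.214,67.43.236.106,67.43.236.66,67.43.236.67,67.43.236.68,67.43.236.69,67.43.237.230,67.80.40.117,68.146.230.165,68.186.222.72,68.236.196.211,68.43.158.36,68.44.4.190,68.75.207.189,68.84.56.61,69.107.7.194,69.14.32.48,69.142.26.223,69.143.67.2,69.145.2.88,69.16.172.2,69.16.172.40,69.18.206.194,69.20.226.82,69.20.231.81,69.213.57.174,69.28.194.5,69.30.209.16,69.30.232.148,69.31.70.104,69.36.111.69,69.39.224.10,69.39.224.11,69.39.224.12,69.39.224.13,69.39.226.10,69.39.226.140,69.39.226.141] any (msg:"ET DROP Known Bot C&C Server Traffic (group 12) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404011; rev:1165;)
alert ip $HOME_NET any -> [69.39.226.38,69.39.226.69,69.39.226.86,69.39.226.90,69.39.228.33,69.39.228.37,69.39.228.39,69.39.228.43,69.39.228.45,69.39.228.49,69.39.228.58,69.39.228.59,69.42.209.227,69.42.209.228,69.42.209.229,69.42.209.230,69.42.209.231,69.42.209.232,69.42.209.233,69.42.213.39,69.42.213.82,69.42.214.111,69.42.215.116,69.42.215.23,69.42.215.35,69.42.215.45,69.42.215.46,69.42.215.50,69.42.215.66,69.42.215.7,69.42.215.81,69.42.215.90,69.42.215.96,69.42.216.125,69.42.216.126,69.42.216.90,69.42.219.194,69.42.219.44,69.42.219.49,69.42.221.115,69.42.69.186,69.42.74.177,69.50.185.184,69.50.185.186,69.50.185.238,69.50.208.3,69.50.209.31,69.60.110.195,69.61.67.10,69.63.215.163,69.64.35.127,69.64.35.239,69.64.39.194,69.64.39.201,69.64.39.202,69.64.40.83,69.64.47.44,69.64.48.105,69.64.48.65,69.64.51.176] any (msg:"ET DROP Known Bot C&C Server Traffic (group 13) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404012; rev:1165;)
alert ip $HOME_NET any -> [69.64.51.225,69.64.59.238,69.93.229.206,70.101.149.111,70.168.231.17,70.84.4.42,70.85.129.195,70.85.129.223,70.85.174.226,70.85.174.227,70.85.220.98,70.85.31.213,70.87.44.114,71.114.216.227,71.216.87.193,71.6.216.18,71.6.216.26,71.6.216.33,71.6.216.75,71.84.212.71,71.87.221.229,71.98.250.72,72.10.163.194,72.10.163.252,72.10.172.210,72.10.172.211,72.10.172.212,72.10.172.213,72.10.172.214,72.10.172.218,72.11.142.40,72.131.59.27,72.174.8.243,72.20.1.162,72.20.10.52,72.20.14.161,72.20.14.162,72.20.14.208,72.20.15.189,72.20.15.196,72.20.15.208,72.20.15.222,72.20.15.224,72.20.15.229,72.20.15.237,72.20.15.35,72.20.17.136,72.20.17.147,72.20.17.156,72.20.17.167,72.20.17.178,72.20.17.186,72.20.17.21,72.20.18.26,72.20.18.30,72.20.21.122,72.20.21.33,72.20.21.43,72.20.21.45,72.20.21.55] any (msg:"ET DROP Known Bot C&C Server Traffic (group 14) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404013; rev:1165;)
alert ip $HOME_NET any -> [72.20.21.57,72.20.21.59,72.20.21.61,72.20.23.74,72.20.24.145,72.20.24.28,72.20.24.4,72.20.24.42,72.20.24.9,72.20.27.119,72.20.28.133,72.20.28.227,72.20.28.245,72.20.29.251,72.20.33.50,72.20.34.165,72.20.35.120,72.20.35.70,72.20.39.107,72.20.39.241,72.20.40.36,72.20.40.52,72.20.41.119,72.20.42.245,72.20.45.81,72.20.46.108,72.20.46.133,72.20.46.85,72.20.46.9,72.20.48.100,72.20.48.95,72.20.5.242,72.20.52.67,72.20.52.75,72.20.57.120,72.20.6.198,72.214.7.195,72.240.126.32,72.32.146.136,72.36.252.163,72.52.204.229,72.8.131.236,72.8.134.178,72.8.156.15,72.8.156.16,72.8.156.90,72.9.151.194,72.9.154.113,74.0.229.221,74.200.209.34,74.208.66.154,74.222.130.163,74.41.18.106,74.52.31.26,74.52.7.109,74.53.70.115,74.7.18.109,74.86.54.247,75.12.103.70,75.125.196.222] any (msg:"ET DROP Known Bot C&C Server Traffic (group 15) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404014; rev:1165;)
alert ip $HOME_NET any -> [75.125.46.153,75.127.96.88,75.127.97.117,75.40.105.97,76.114.148.132,76.191.102.169,76.66.70.215,76.76.11.208,76.76.4.185,76.76.4.187,76.76.9.134,77.239.185.205,77.249.50.216,77.74.195.195,77.78.193.50,78.29.0.253,78.31.71.67,79.143.36.130,8.12.40.109,8.17.85.123,8.7.233.233,8.9.17.72,80.126.201.245,80.154.33.35,80.154.38.121,80.179.155.4,80.190.246.123,80.190.247.69,80.241.173.191,80.244.229.38,80.244.90.117,80.244.90.85,80.53.30.234,80.64.134.125,80.68.89.201,80.86.87.37,81.149.127.127,81.169.130.195,81.169.131.152,81.169.134.201,81.169.141.6,81.169.168.122,81.180.164.254,81.19.251.139,81.211.7.122,81.243.250.166,81.29.65.57,81.31.33.35,81.9.51.98,81.91.151.85,81.95.6.61,82.127.59.89,82.138.29.11,82.146.44.39,82.146.51.29,82.146.52.163,82.146.54.186,82.146.54.22,82.146.55.175,82.165.154.249] any (msg:"ET DROP Known Bot C&C Server Traffic (group 16) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404015; rev:1165;)
alert ip $HOME_NET any -> [82.165.228.122,82.192.74.38,82.192.74.39,82.192.74.42,82.196.213.250,82.2.201.58,82.211.5.111,82.36.118.151,82.5.207.254,82.79.77.132,82.80.245.185,82.80.245.67,82.94.222.186,82.95.250.75,83.133.127.138,83.136.81.183,83.137.41.33,83.140.162.126,83.140.172.210,83.140.172.211,83.140.172.212,83.142.82.250,83.142.83.89,83.170.81.10,83.170.81.4,83.170.81.9,83.170.82.172,83.176.253.194,83.2.83.1,83.217.192.243,83.227.140.135,83.228.101.106,83.239.161.45,83.243.46.2,83.246.72.49,83.249.107.228,84.11.26.30,84.16.231.52,84.16.240.155,84.19.172.222,84.19.172.226,84.19.172.229,84.19.172.235,84.19.178.116,84.19.179.116,84.19.180.62,84.200.225.101,84.200.225.80,84.200.32.204,84.200.32.206,84.200.32.209,84.200.32.23,84.200.7.128,84.238.163.129,84.244.19.184,84.244.19.191,84.244.9.126,84.245.99.6,84.33.33.33,84.36.34.210] any (msg:"ET DROP Known Bot C&C Server Traffic (group 17) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404016; rev:1165;)
alert ip $HOME_NET any -> [84.40.155.160,85.10.203.211,85.114.129.197,85.114.132.94,85.114.137.60,85.119.158.77,85.12.25.160,85.12.25.161,85.12.32.144,85.12.32.145,85.131.189.225,85.14.216.215,85.14.218.3,85.14.218.4,85.14.221.189,85.17.52.66,85.17.6.30,85.18.250.2,85.187.125.75,85.194.148.35,85.204.80.3,85.21.79.12,85.21.82.50,85.214.16.112,85.214.27.94,85.214.36.108,85.214.44.218,85.214.67.80,85.214.70.108,85.214.95.170,85.236.110.226,85.25.131.169,85.25.151.183,85.25.153.29,85.25.252.111,85.25.6.58,85.30.130.83,85.40.160.61,86.111.95.226,86.58.165.10,87.106.138.9,87.106.144.212,87.106.185.145,87.118.100.179,87.118.101.179,87.118.102.81,87.118.103.81,87.118.104.193,87.118.105.193,87.118.106.99,87.118.107.99,87.118.108.117,87.118.110.57,87.118.111.57,87.118.114.252,87.118.99.85,87.229.24.237,87.230.18.48,87.236.196.115,87.237.211.36] any (msg:"ET DROP Known Bot C&C Server Traffic (group 18) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404017; rev:1165;)
alert ip $HOME_NET any -> [87.98.187.123,88.151.100.251,88.191.48.35,88.255.89.150,88.80.6.119,89.106.91.71,89.108.84.211,89.122.212.48,89.147.103.2,89.149.194.183,89.149.194.220,89.149.198.74,89.149.198.94,89.149.200.242,89.149.202.177,89.149.206.101,89.149.210.95,89.149.221.195,89.149.224.126,89.149.227.152,89.149.227.168,89.149.234.22,89.149.237.242,89.149.240.181,89.16.176.16,89.163.145.15,89.163.182.23,89.163.193.16,89.202.247.162,89.208.34.166,89.248.161.51,89.250.0.4,89.255.60.225,89.40.71.243,89.46.32.179,89.46.39.234,91.121.122.41,91.126.53.51,91.191.161.119,91.191.166.94,91.192.36.142,92.114.4.2] any (msg:"ET DROP Known Bot C&C Server Traffic (group 19) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404018; rev:1165;)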