# # Emerging Threats Botnet Command and Control drop rules. # # These are generated from the EXCELLENT work done by the Shadowserver team and # the CZ Honeynet project. # # http://www.shadowserver.org # http://www.honeynet.cz # # # SID's are 2410000+ to avoid conflicts # # More information available at www.emergingthreats.net # # Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list # #************************************************************* # # Copyright (c) 2003-2010, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # alert tcp $HOME_NET any <> [109.169.18.86,109.169.40.192,109.196.130.50,109.73.162.124,109.74.195.116,109.74.196.127,109.74.200.40,109.74.204.11,109.74.205.10,114.112.176.185] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405000; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [109.169.18.86,109.169.40.192,109.196.130.50,109.73.162.124,109.74.195.116,109.74.196.127,109.74.200.40,109.74.204.11,109.74.205.10,114.112.176.185] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 1) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405001; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [114.113.158.85,114.141.10.71,114.141.10.99,114.207.246.180,115.113.208.246,115.146.126.26,115.165.178.40,117.121.245.26,118.101.190.59,118.129.166.50] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 2) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405002; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [114.113.158.85,114.141.10.71,114.141.10.99,114.207.246.180,115.113.208.246,115.146.126.26,115.165.178.40,117.121.245.26,118.101.190.59,118.129.166.50] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 2) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405003; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [118.217.217.48,119.202.198.117,122.155.6.191,122.168.123.81,124.30.135.161,124.40.3.92,125.160.17.71,125.160.17.72,125.5.112.185,128.121.20.113] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 3) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405004; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [118.217.217.48,119.202.198.117,122.155.6.191,122.168.123.81,124.30.135.161,124.40.3.92,125.160.17.71,125.160.17.72,125.5.112.185,128.121.20.113] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 3) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405005; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [128.194.112.48,128.39.2.28,128.39.65.230,129.132.80.41,130.104.58.241,130.237.188.216,130.239.18.157,130.240.22.202,137.194.15.141,137.229.242.129] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 4) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405006; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [128.194.112.48,128.39.2.28,128.39.65.230,129.132.80.41,130.104.58.241,130.237.188.216,130.239.18.157,130.240.22.202,137.194.15.141,137.229.242.129] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 4) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405007; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [139.175.160.252,139.4.88.86,139.91.102.101,140.112.234.254,140.130.142.8,140.211.166.64,143.248.247.248,145.89.150.59,147.102.159.9,147.127.160.120] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 5) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405008; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [139.175.160.252,139.4.88.86,139.91.102.101,140.112.234.254,140.130.142.8,140.211.166.64,143.248.247.248,145.89.150.59,147.102.159.9,147.127.160.120] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 5) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405009; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [147.32.105.247,147.32.127.200,147.52.181.9,151.189.0.165,157.159.40.167,157.181.161.60,157.22.132.17,158.36.131.20,158.38.8.251,160.228.152.2] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 6) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405010; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [147.32.105.247,147.32.127.200,147.52.181.9,151.189.0.165,157.159.40.167,157.181.161.60,157.22.132.17,158.36.131.20,158.38.8.251,160.228.152.2] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 6) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405011; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [163.17.167.1,163.19.14.2,163.5.42.66,166.84.136.27,168.144.18.200,173.192.235.106,173.203.28.161,173.208.151.249,173.208.151.65,173.208.151.69] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 7) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405012; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [163.17.167.1,163.19.14.2,163.5.42.66,166.84.136.27,168.144.18.200,173.192.235.106,173.203.28.161,173.208.151.249,173.208.151.65,173.208.151.69] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 7) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405013; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [173.208.165.91,173.208.34.240,173.208.34.253,173.208.34.74,173.208.34.9,173.208.68.20,173.208.68.21,173.224.208.74,173.224.218.250,173.224.219.51] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 8) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405014; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [173.208.165.91,173.208.34.240,173.208.34.253,173.208.34.74,173.208.34.9,173.208.68.20,173.208.68.21,173.224.208.74,173.224.218.250,173.224.219.51] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 8) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405015; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [173.230.152.54,173.230.155.175,173.236.62.20,173.236.97.41,173.244.200.219,173.244.200.229,173.244.73.73,173.244.73.74,173.244.73.78,173.45.244.47] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 9) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405016; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [173.230.152.54,173.230.155.175,173.236.62.20,173.236.97.41,173.244.200.219,173.244.200.229,173.244.73.73,173.244.73.74,173.244.73.78,173.45.244.47] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 9) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405017; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [174.121.157.28,174.129.231.136,174.133.173.90,174.133.57.54,174.133.98.194,174.143.119.91,174.143.153.165,174.143.170.208,174.143.208.107,174.143.215.13] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 10) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405018; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [174.121.157.28,174.129.231.136,174.133.173.90,174.133.57.54,174.133.98.194,174.143.119.91,174.143.153.165,174.143.170.208,174.143.208.107,174.143.215.13] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 10) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405019; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [174.34.175.180,174.34.187.36,175.107.158.176,175.41.137.226,178.162.176.108,178.32.92.242,178.33.137.15,178.63.130.197,178.63.148.30,178.63.148.50] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 11) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405020; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [174.34.175.180,174.34.187.36,175.107.158.176,175.41.137.226,178.162.176.108,178.32.92.242,178.33.137.15,178.63.130.197,178.63.148.30,178.63.148.50] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 11) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405021; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [178.63.252.111,178.63.79.105,178.63.79.74,178.79.134.133,178.86.2.16,180.210.205.129,184.105.208.121,184.105.208.20,184.106.202.49,184.106.204.243] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 12) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405022; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [178.63.252.111,178.63.79.105,178.63.79.74,178.79.134.133,178.86.2.16,180.210.205.129,184.105.208.121,184.105.208.20,184.106.202.49,184.106.204.243] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 12) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405023; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [184.82.33.34,187.112.240.22,188.138.55.64,188.165.164.16,188.165.164.199,188.165.164.29,188.165.164.50,188.165.47.211,188.165.74.80,188.165.75.174] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 13) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405024; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [184.82.33.34,187.112.240.22,188.138.55.64,188.165.164.16,188.165.164.199,188.165.164.29,188.165.164.50,188.165.47.211,188.165.74.80,188.165.75.174] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 13) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405025; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [188.40.133.182,188.40.187.177,188.40.40.138,188.72.203.236,188.72.203.237,188.72.205.52,188.72.211.203,188.72.230.254,188.72.241.189,189.115.24.170] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 14) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405026; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [188.40.133.182,188.40.187.177,188.40.40.138,188.72.203.236,188.72.203.237,188.72.205.52,188.72.211.203,188.72.230.254,188.72.241.189,189.115.24.170] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 14) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405027; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [189.19.241.193,189.74.8.98,189.75.179.204,190.120.227.36,190.120.228.216,190.120.230.108,190.120.230.28,190.120.238.63,190.121.80.37,190.246.79.15] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 15) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405028; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [189.19.241.193,189.74.8.98,189.75.179.204,190.120.227.36,190.120.228.216,190.120.230.108,190.120.230.28,190.120.238.63,190.121.80.37,190.246.79.15] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 15) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405029; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [190.247.244.24,190.255.46.171,192.219.30.200,192.75.207.148,193.104.35.224,193.136.14.185,193.136.216.101,193.138.229.18,193.188.71.66,193.19.210.1] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 16) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405030; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [190.247.244.24,190.255.46.171,192.219.30.200,192.75.207.148,193.104.35.224,193.136.14.185,193.136.216.101,193.138.229.18,193.188.71.66,193.19.210.1] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 16) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405031; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [193.27.229.245,193.33.186.129,193.33.186.133,193.34.69.109,193.41.200.151,193.68.150.140,193.71.194.17,193.71.199.6,193.85.232.219,193.88.14.99] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 17) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405032; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [193.27.229.245,193.33.186.129,193.33.186.133,193.34.69.109,193.41.200.151,193.68.150.140,193.71.194.17,193.71.199.6,193.85.232.219,193.88.14.99] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 17) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405033; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [194.109.129.222,194.109.206.106,194.109.206.107,194.109.64.131,194.117.246.5,194.124.229.58,194.124.229.59,194.126.217.2,194.135.22.24,194.146.132.68] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 18) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405034; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [194.109.129.222,194.109.206.106,194.109.206.107,194.109.64.131,194.117.246.5,194.124.229.58,194.124.229.59,194.126.217.2,194.135.22.24,194.146.132.68] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 18) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405035; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [194.149.73.154,194.149.73.161,194.149.73.55,194.149.73.80,194.151.83.115,194.199.165.9,194.204.14.151,194.225.75.26,194.30.220.85,194.71.109.236] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 19) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405036; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [194.149.73.154,194.149.73.161,194.149.73.55,194.149.73.80,194.151.83.115,194.199.165.9,194.204.14.151,194.225.75.26,194.30.220.85,194.71.109.236] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 19) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405037; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [195.110.9.187,195.13.58.57,195.14.157.58,195.140.202.142,195.169.138.124,195.178.184.75,195.19.104.14,195.19.225.237,195.2.117.33,195.209.228.154] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 20) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405038; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [195.110.9.187,195.13.58.57,195.14.157.58,195.140.202.142,195.169.138.124,195.178.184.75,195.19.104.14,195.19.225.237,195.2.117.33,195.209.228.154] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 20) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405039; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [195.210.181.100,195.22.37.163,195.222.70.238,195.225.204.134,195.225.204.21,195.225.204.227,195.23.131.68,195.251.123.232,195.28.165.168,195.28.165.201] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 21) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405040; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [195.210.181.100,195.22.37.163,195.222.70.238,195.225.204.134,195.225.204.21,195.225.204.227,195.23.131.68,195.251.123.232,195.28.165.168,195.28.165.201] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 21) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405041; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [195.28.191.146,195.43.138.206,195.50.191.12,195.50.191.14,195.54.159.109,195.54.16.65,195.68.206.250,195.70.51.164,195.8.250.180,195.8.251.35] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 22) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405042; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [195.28.191.146,195.43.138.206,195.50.191.12,195.50.191.14,195.54.159.109,195.54.16.65,195.68.206.250,195.70.51.164,195.8.250.180,195.8.251.35] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 22) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405043; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [195.85.200.10,195.85.200.11,195.85.200.12,195.85.200.13,195.85.200.14,195.85.200.15,195.85.200.16,195.88.32.64,195.93.153.31,195.93.153.39] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 23) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405044; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [195.85.200.10,195.85.200.11,195.85.200.12,195.85.200.13,195.85.200.14,195.85.200.15,195.85.200.16,195.88.32.64,195.93.153.31,195.93.153.39] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 23) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405045; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [195.93.153.46,196.2.17.10,196.21.193.11,196.34.88.5,198.104.53.32,198.252.144.2,198.252.195.2,198.3.160.3,198.63.42.93,198.87.3.75] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 24) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405046; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [195.93.153.46,196.2.17.10,196.21.193.11,196.34.88.5,198.104.53.32,198.252.144.2,198.252.195.2,198.3.160.3,198.63.42.93,198.87.3.75] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 24) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405047; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [200.175.44.161,200.203.192.50,200.204.245.212,200.23.149.144,200.241.5.131,200.29.0.66,200.35.146.60,200.35.147.227,200.35.150.156,200.37.16.187] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 25) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405048; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [200.175.44.161,200.203.192.50,200.204.245.212,200.23.149.144,200.241.5.131,200.29.0.66,200.35.146.60,200.35.147.227,200.35.150.156,200.37.16.187] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 25) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405049; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [200.42.96.36,200.45.0.67,200.59.145.199,200.59.187.18,200.62.55.202,200.69.47.60,200.83.0.116,200.85.60.190,200.88.181.73,200.88.215.162] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 26) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405050; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [200.42.96.36,200.45.0.67,200.59.145.199,200.59.187.18,200.62.55.202,200.69.47.60,200.83.0.116,200.85.60.190,200.88.181.73,200.88.215.162] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 26) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405051; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [200.93.204.60,201.116.64.5,201.210.30.132,201.218.128.67,201.30.215.209,202.155.238.108,202.170.81.163,202.181.97.176,202.207.192.110,202.216.136.130] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 27) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405052; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [200.93.204.60,201.116.64.5,201.210.30.132,201.218.128.67,201.30.215.209,202.155.238.108,202.170.81.163,202.181.97.176,202.207.192.110,202.216.136.130] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 27) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405053; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [202.222.18.88,202.64.139.214,202.73.11.63,202.91.34.9,202.91.37.40,203.113.137.164,203.116.63.82,203.116.63.89,203.136.50.155,203.141.153.236] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 28) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405054; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [202.222.18.88,202.64.139.214,202.73.11.63,202.91.34.9,202.91.37.40,203.113.137.164,203.116.63.82,203.116.63.89,203.136.50.155,203.141.153.236] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 28) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405055; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [203.141.249.71,203.150.2.225,203.170.145.6,203.200.166.38,203.209.167.182,203.209.167.221,203.80.238.185,203.94.228.49,204.11.33.122,204.124.181.86] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 29) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405056; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [203.141.249.71,203.150.2.225,203.170.145.6,203.200.166.38,203.209.167.182,203.209.167.221,203.80.238.185,203.94.228.49,204.11.33.122,204.124.181.86] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 29) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405057; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [204.14.120.74,204.15.224.134,204.152.221.218,204.16.200.180,204.188.214.138,204.188.221.227,204.188.221.228,204.188.223.69,204.188.240.4,204.188.240.50] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 30) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405058; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [204.14.120.74,204.15.224.134,204.152.221.218,204.16.200.180,204.188.214.138,204.188.221.227,204.188.221.228,204.188.223.69,204.188.240.4,204.188.240.50] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 30) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405059; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [204.45.96.226,204.45.97.46,204.45.97.5,204.74.215.250,204.8.34.130,204.93.174.148,205.134.185.250,205.186.156.104,205.234.138.152,205.234.222.37] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 31) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405060; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [204.45.96.226,204.45.97.46,204.45.97.5,204.74.215.250,204.8.34.130,204.93.174.148,205.134.185.250,205.186.156.104,205.234.138.152,205.234.222.37] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 31) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405061; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [205.234.231.194,206.12.19.242,206.124.14.169,206.125.175.82,206.126.142.60,206.217.203.217,206.251.38.20,206.253.175.240,206.40.205.124,206.41.116.100] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 32) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405062; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [205.234.231.194,206.12.19.242,206.124.14.169,206.125.175.82,206.126.142.60,206.217.203.217,206.251.38.20,206.253.175.240,206.40.205.124,206.41.116.100] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 32) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405063; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [206.41.117.170,206.41.117.191,206.41.117.23,206.41.117.231,206.41.117.232,206.41.117.233,206.41.117.24,206.41.117.68,206.41.117.9,206.53.60.129] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 33) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405064; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [206.41.117.170,206.41.117.191,206.41.117.23,206.41.117.231,206.41.117.232,206.41.117.233,206.41.117.24,206.41.117.68,206.41.117.9,206.53.60.129] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 33) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405065; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [206.53.60.50,206.53.60.70,207.114.175.51,207.126.115.205,207.126.115.219,207.126.167.147,207.145.6.5,207.166.122.72,207.166.122.75,207.182.240.68] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 34) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405066; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [206.53.60.50,206.53.60.70,207.114.175.51,207.126.115.205,207.126.115.219,207.126.167.147,207.145.6.5,207.166.122.72,207.166.122.75,207.182.240.68] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 34) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405067; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [207.192.69.151,207.192.72.43,207.192.72.99,207.192.75.90,207.210.208.16,207.44.152.199,207.44.195.61,207.44.212.40,208.100.11.120,208.100.14.116] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 35) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405068; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [207.192.69.151,207.192.72.43,207.192.72.99,207.192.75.90,207.210.208.16,207.44.152.199,207.44.195.61,207.44.212.40,208.100.11.120,208.100.14.116] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 35) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405069; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [208.100.20.83,208.100.20.90,208.100.23.100,208.111.158.10,208.111.34.13,208.111.35.75,208.111.39.43,208.115.221.42,208.115.233.133,208.115.36.180] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 36) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405070; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [208.100.20.83,208.100.20.90,208.100.23.100,208.111.158.10,208.111.34.13,208.111.35.75,208.111.39.43,208.115.221.42,208.115.233.133,208.115.36.180] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 36) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405071; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [208.146.35.105,208.146.35.106,208.167.236.6,208.167.237.120,208.185.80.72,208.185.80.73,208.185.80.74,208.185.80.85,208.185.80.87,208.185.81.205] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 37) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405072; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [208.146.35.105,208.146.35.106,208.167.236.6,208.167.237.120,208.185.80.72,208.185.80.73,208.185.80.74,208.185.80.85,208.185.80.87,208.185.81.205] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 37) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405073; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [208.185.81.216,208.185.81.223,208.185.81.243,208.185.92.26,208.185.92.31,208.27.69.193,208.49.56.226,208.51.40.10,208.51.40.12,208.51.40.13] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 38) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405074; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [208.185.81.216,208.185.81.223,208.185.81.243,208.185.92.26,208.185.92.31,208.27.69.193,208.49.56.226,208.51.40.10,208.51.40.12,208.51.40.13] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 38) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405075; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [208.51.40.14,208.51.40.2,208.53.131.12,208.53.152.179,208.53.163.194,208.53.181.156,208.53.181.82,208.53.181.86,208.53.183.106,208.64.121.38] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 39) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405076; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [208.51.40.14,208.51.40.2,208.53.131.12,208.53.152.179,208.53.163.194,208.53.181.156,208.53.181.82,208.53.181.86,208.53.183.106,208.64.121.38] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 39) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405077; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [208.67.249.244,208.68.18.177,208.68.18.181,208.68.18.198,208.68.94.168,208.68.94.62,208.71.174.161,208.75.182.230,208.78.100.117,208.78.170.147] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 40) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405078; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [208.67.249.244,208.68.18.177,208.68.18.181,208.68.18.198,208.68.94.168,208.68.94.62,208.71.174.161,208.75.182.230,208.78.100.117,208.78.170.147] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 40) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405079; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [208.82.117.118,208.83.21.12,208.83.221.58,208.83.223.69,208.98.11.131,208.98.11.132,208.98.11.133,208.98.11.134,208.98.11.135,208.98.11.136] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 41) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405080; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [208.82.117.118,208.83.21.12,208.83.221.58,208.83.223.69,208.98.11.131,208.98.11.132,208.98.11.133,208.98.11.134,208.98.11.135,208.98.11.136] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 41) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405081; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [208.98.11.137,208.98.11.138,208.98.11.139,208.98.11.140,208.98.11.141,208.98.11.144,208.98.11.146,208.98.11.148,208.98.11.150,208.98.11.152] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 42) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405082; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [208.98.11.137,208.98.11.138,208.98.11.139,208.98.11.140,208.98.11.141,208.98.11.144,208.98.11.146,208.98.11.148,208.98.11.150,208.98.11.152] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 42) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405083; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [208.98.11.188,208.98.13.247,208.98.17.200,208.98.17.219,208.98.22.99,208.98.26.134,208.98.26.140,208.98.31.223,208.98.32.140,208.98.34.138] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 43) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405084; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [208.98.11.188,208.98.13.247,208.98.17.200,208.98.17.219,208.98.22.99,208.98.26.134,208.98.26.140,208.98.31.223,208.98.32.140,208.98.34.138] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 43) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405085; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [208.98.34.139,208.98.34.153,208.98.36.231,208.98.36.235,208.98.36.237,208.98.36.239,208.98.42.106,208.98.42.67,208.98.42.80,208.98.51.10] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 44) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405086; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [208.98.34.139,208.98.34.153,208.98.36.231,208.98.36.235,208.98.36.237,208.98.36.239,208.98.42.106,208.98.42.67,208.98.42.80,208.98.51.10] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 44) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405087; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [208.98.51.24,208.98.51.26,208.98.51.27,208.98.61.28,208.98.61.34,208.98.61.38,208.98.61.60,208.98.62.222,208.98.62.228,208.98.9.100] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 45) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405088; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [208.98.51.24,208.98.51.26,208.98.51.27,208.98.61.28,208.98.61.34,208.98.61.38,208.98.61.60,208.98.62.222,208.98.62.228,208.98.9.100] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 45) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405089; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [208.98.9.178,208.99.193.134,208.99.193.38,208.99.89.207,208.99.89.231,209.11.244.82,209.133.11.157,209.133.11.179,209.133.11.202,209.133.11.209] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 46) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405090; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [208.98.9.178,208.99.193.134,208.99.193.38,208.99.89.207,208.99.89.231,209.11.244.82,209.133.11.157,209.133.11.179,209.133.11.202,209.133.11.209] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 46) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405091; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [209.133.11.212,209.133.8.83,209.133.8.84,209.133.8.97,209.133.9.43,209.133.9.56,209.133.9.76,209.144.21.66,209.20.75.209,209.222.22.22] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 47) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405092; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [209.133.11.212,209.133.8.83,209.133.8.84,209.133.8.97,209.133.9.43,209.133.9.56,209.133.9.76,209.144.21.66,209.20.75.209,209.222.22.22] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 47) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405093; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [209.236.112.217,209.249.249.126,209.250.240.90,209.251.184.237,209.40.201.26,209.40.203.246,209.59.222.88,209.9.228.99,209.92.50.61,210.107.239.150] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 48) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405094; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [209.236.112.217,209.249.249.126,209.250.240.90,209.251.184.237,209.40.201.26,209.40.203.246,209.59.222.88,209.9.228.99,209.92.50.61,210.107.239.150] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 48) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405095; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [210.127.253.90,210.143.98.203,210.162.89.245,210.166.210.73,210.166.223.51,210.170.62.106,210.51.174.243,211.108.60.156,211.90.87.21,212.1.226.74] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 49) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405096; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [210.127.253.90,210.143.98.203,210.162.89.245,210.166.210.73,210.166.223.51,210.170.62.106,210.51.174.243,211.108.60.156,211.90.87.21,212.1.226.74] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 49) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405097; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [212.101.125.10,212.101.125.11,212.101.125.12,212.101.125.4,212.101.125.5,212.101.125.6,212.101.125.7,212.101.125.8,212.101.125.9,212.110.128.80] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 50) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405098; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [212.101.125.10,212.101.125.11,212.101.125.12,212.101.125.4,212.101.125.5,212.101.125.6,212.101.125.7,212.101.125.8,212.101.125.9,212.110.128.80] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 50) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405099; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [212.117.183.200,212.13.194.77,212.150.184.228,212.174.140.62,212.182.63.110,212.227.105.24,212.227.159.191,212.24.104.227,212.25.51.125,212.27.60.46] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 51) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405100; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [212.117.183.200,212.13.194.77,212.150.184.228,212.174.140.62,212.182.63.110,212.227.105.24,212.227.159.191,212.24.104.227,212.25.51.125,212.27.60.46] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 51) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405101; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [212.40.37.118,212.40.5.191,212.48.121.72,212.59.199.130,212.59.199.131,212.62.248.142,212.71.19.100,212.71.19.106,212.73.124.12,212.73.209.227] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 52) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405102; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [212.40.37.118,212.40.5.191,212.48.121.72,212.59.199.130,212.59.199.131,212.62.248.142,212.71.19.100,212.71.19.106,212.73.124.12,212.73.209.227] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 52) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405103; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [212.79.239.14,212.79.239.60,212.83.85.118,212.89.6.7,212.91.161.18,212.95.45.107,212.95.46.147,212.95.57.97,212.98.164.46,213.108.48.3] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 53) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405104; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [212.79.239.14,212.79.239.60,212.83.85.118,212.89.6.7,212.91.161.18,212.95.45.107,212.95.46.147,212.95.57.97,212.98.164.46,213.108.48.3] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 53) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405105; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [213.11.137.67,213.131.156.50,213.131.156.51,213.144.174.126,213.145.209.132,213.149.231.9,213.155.31.24,213.17.153.11,213.171.57.168,213.179.58.83] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 54) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405106; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [213.11.137.67,213.131.156.50,213.131.156.51,213.144.174.126,213.145.209.132,213.149.231.9,213.155.31.24,213.17.153.11,213.171.57.168,213.179.58.83] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 54) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405107; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [213.202.224.142,213.202.245.12,213.215.31.19,213.228.128.112,213.239.131.28,213.248.60.142,213.248.61.183,213.249.68.98,213.251.176.140,213.53.107.38] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 55) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405108; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [213.202.224.142,213.202.245.12,213.215.31.19,213.228.128.112,213.239.131.28,213.248.60.142,213.248.61.183,213.249.68.98,213.251.176.140,213.53.107.38] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 55) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405109; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [213.73.255.147,216.139.241.100,216.152.78.163,216.152.78.164,216.152.78.165,216.152.78.166,216.152.78.167,216.16.120.99,216.167.221.54,216.18.189.186] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 56) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405110; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [213.73.255.147,216.139.241.100,216.152.78.163,216.152.78.164,216.152.78.165,216.152.78.166,216.152.78.167,216.16.120.99,216.167.221.54,216.18.189.186] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 56) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405111; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [216.18.189.206,216.18.227.250,216.18.228.38,216.193.223.223,216.218.132.58,216.218.163.69,216.218.228.70,216.240.158.98,216.244.157.116,216.245.214.147] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 57) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405112; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [216.18.189.206,216.18.227.250,216.18.228.38,216.193.223.223,216.218.132.58,216.218.163.69,216.218.228.70,216.240.158.98,216.244.157.116,216.245.214.147] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 57) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405113; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [216.245.215.106,216.25.44.10,216.25.44.118,216.25.44.119,216.25.44.121,216.25.44.122,216.25.44.16,216.25.44.2,216.25.44.5,216.78.204.24] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 58) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405114; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [216.245.215.106,216.25.44.10,216.25.44.118,216.25.44.119,216.25.44.121,216.25.44.122,216.25.44.16,216.25.44.2,216.25.44.5,216.78.204.24] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 58) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405115; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [216.8.177.23,216.8.177.28,216.81.111.229,216.86.158.102,216.86.158.122,216.86.158.123,216.87.78.181,217.11.227.38,217.11.52.135,217.115.200.20] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 59) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405116; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [216.8.177.23,216.8.177.28,216.81.111.229,216.86.158.102,216.86.158.122,216.86.158.123,216.87.78.181,217.11.227.38,217.11.52.135,217.115.200.20] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 59) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405117; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [217.117.187.98,217.12.63.26,217.146.74.25,217.146.84.157,217.146.88.155,217.147.93.66,217.17.33.10,217.172.170.241,217.174.199.222,217.18.70.70] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 60) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405118; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [217.117.187.98,217.12.63.26,217.146.74.25,217.146.84.157,217.146.88.155,217.147.93.66,217.17.33.10,217.172.170.241,217.174.199.222,217.18.70.70] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 60) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405119; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [217.195.122.2,217.20.112.128,217.208.43.245,217.219.137.162,217.23.13.116,217.23.13.193,217.23.13.194,217.23.13.244,217.23.13.245,217.29.87.254] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 61) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405120; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [217.195.122.2,217.20.112.128,217.208.43.245,217.219.137.162,217.23.13.116,217.23.13.193,217.23.13.194,217.23.13.244,217.23.13.245,217.29.87.254] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 61) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405121; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [217.69.165.160,217.69.168.68,217.70.33.28,217.75.128.2,218.106.165.193,218.201.143.249,218.247.178.6,218.249.109.217,218.44.249.117,218.87.16.141] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 62) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405122; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [217.69.165.160,217.69.168.68,217.70.33.28,217.75.128.2,218.106.165.193,218.201.143.249,218.247.178.6,218.249.109.217,218.44.249.117,218.87.16.141] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 62) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405123; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [218.94.142.102,219.143.59.66,219.90.118.136,219.90.201.229,220.229.232.69,221.135.115.186,221.135.126.238,221.186.119.130,24.108.94.92,24.118.230.188] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 63) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405124; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [218.94.142.102,219.143.59.66,219.90.118.136,219.90.201.229,220.229.232.69,221.135.115.186,221.135.126.238,221.186.119.130,24.108.94.92,24.118.230.188] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 63) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405125; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [24.161.60.193,24.166.48.221,24.240.168.165,38.108.111.211,4.53.50.37,58.239.134.43,59.160.236.147,60.190.222.139,60.190.54.105,60.198.191.238] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 64) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405126; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [24.161.60.193,24.166.48.221,24.240.168.165,38.108.111.211,4.53.50.37,58.239.134.43,59.160.236.147,60.190.222.139,60.190.54.105,60.198.191.238] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 64) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405127; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [60.199.200.163,61.121.247.163,61.158.205.224,61.195.154.6,61.64.11.29,61.7.161.227,62.109.15.169,62.133.211.174,62.140.227.246,62.141.43.18] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 65) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405128; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [60.199.200.163,61.121.247.163,61.158.205.224,61.195.154.6,61.64.11.29,61.7.161.227,62.109.15.169,62.133.211.174,62.140.227.246,62.141.43.18] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 65) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405129; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [62.141.48.112,62.141.49.112,62.141.91.77,62.181.89.111,62.181.89.18,62.193.249.122,62.211.73.232,62.212.67.68,62.216.3.195,62.218.28.34] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 66) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405130; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [62.141.48.112,62.141.49.112,62.141.91.77,62.181.89.111,62.181.89.18,62.193.249.122,62.211.73.232,62.212.67.68,62.216.3.195,62.218.28.34] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 66) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405131; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [62.244.55.234,62.3.99.91,62.75.143.63,62.75.146.184,62.75.202.25,62.75.243.185,62.75.249.240,62.90.168.100,62.90.168.16,63.245.208.159] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 67) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405132; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [62.244.55.234,62.3.99.91,62.75.143.63,62.75.146.184,62.75.202.25,62.75.243.185,62.75.249.240,62.90.168.100,62.90.168.16,63.245.208.159] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 67) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405133; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [63.245.216.214,64.113.1.99,64.12.165.56,64.120.141.10,64.120.21.21,64.120.21.24,64.120.21.25,64.120.47.66,64.122.31.116,64.125.185.222] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 68) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405134; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [63.245.216.214,64.113.1.99,64.12.165.56,64.120.141.10,64.120.21.21,64.120.21.24,64.120.21.25,64.120.47.66,64.122.31.116,64.125.185.222] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 68) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405135; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [64.127.102.249,64.15.77.71,64.150.180.13,64.16.210.102,64.16.210.42,64.18.132.176,64.18.132.182,64.18.134.201,64.18.139.82,64.186.131.59] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 69) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405136; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [64.127.102.249,64.15.77.71,64.150.180.13,64.16.210.102,64.16.210.42,64.18.132.176,64.18.132.182,64.18.134.201,64.18.139.82,64.186.131.59] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 69) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405137; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [64.201.189.131,64.202.102.11,64.235.252.145,64.244.154.174,64.246.20.126,64.247.19.79,64.251.28.85,64.32.1.124,64.32.1.16,64.32.1.33] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 70) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405138; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [64.201.189.131,64.202.102.11,64.235.252.145,64.244.154.174,64.246.20.126,64.247.19.79,64.251.28.85,64.32.1.124,64.32.1.16,64.32.1.33] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 70) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405139; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [64.32.12.118,64.32.12.197,64.32.14.176,64.32.14.20,64.32.19.10,64.32.19.27,64.32.19.46,64.32.19.58,64.32.20.108,64.32.20.127] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 71) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405140; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [64.32.12.118,64.32.12.197,64.32.14.176,64.32.14.20,64.32.19.10,64.32.19.27,64.32.19.46,64.32.19.58,64.32.20.108,64.32.20.127] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 71) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405141; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [64.32.20.166,64.32.24.217,64.32.27.135,64.32.27.148,64.34.164.81,64.62.190.245,64.62.190.36,64.62.190.73,64.62.231.212,64.72.127.4] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 72) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405142; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [64.32.20.166,64.32.24.217,64.32.27.135,64.32.27.148,64.34.164.81,64.62.190.245,64.62.190.36,64.62.190.73,64.62.231.212,64.72.127.4] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 72) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405143; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [64.85.160.108,64.85.160.30,64.85.162.200,64.85.162.202,64.85.162.206,64.85.163.113,64.85.163.127,64.85.163.52,64.85.164.73,65.110.41.130] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 73) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405144; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [64.85.160.108,64.85.160.30,64.85.162.200,64.85.162.202,64.85.162.206,64.85.163.113,64.85.163.127,64.85.163.52,64.85.164.73,65.110.41.130] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 73) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405145; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [65.110.58.110,65.110.62.181,65.110.62.200,65.110.62.93,65.111.177.51,65.19.178.15,65.209.20.22,65.23.129.114,65.23.153.98,65.23.156.37] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 74) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405146; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [65.110.58.110,65.110.62.181,65.110.62.200,65.110.62.93,65.111.177.51,65.19.178.15,65.209.20.22,65.23.129.114,65.23.153.98,65.23.156.37] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 74) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405147; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [65.23.157.127,65.23.158.132,65.96.38.92,65.98.11.2,66.101.48.254,66.11.238.19,66.111.35.104,66.111.36.61,66.154.121.11,66.154.121.200] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 75) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405148; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [65.23.157.127,65.23.158.132,65.96.38.92,65.98.11.2,66.101.48.254,66.11.238.19,66.111.35.104,66.111.36.61,66.154.121.11,66.154.121.200] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 75) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405149; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [66.154.99.150,66.165.177.88,66.184.117.12,66.197.186.85,66.197.194.185,66.197.220.230,66.198.80.67,66.205.65.100,66.207.164.29,66.207.212.113] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 76) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405150; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [66.154.99.150,66.165.177.88,66.184.117.12,66.197.186.85,66.197.194.185,66.197.220.230,66.198.80.67,66.205.65.100,66.207.164.29,66.207.212.113] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 76) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405151; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [66.212.21.20,66.220.1.185,66.220.1.44,66.220.1.59,66.220.13.242,66.225.200.20,66.225.200.30,66.225.200.46,66.225.200.52,66.225.200.62] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 77) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405152; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [66.212.21.20,66.220.1.185,66.220.1.44,66.220.1.59,66.220.13.242,66.225.200.20,66.225.200.30,66.225.200.46,66.225.200.52,66.225.200.62] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 77) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405153; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [66.225.200.69,66.225.223.109,66.225.223.112,66.225.223.115,66.225.223.13,66.225.223.52,66.225.223.61,66.225.223.70,66.225.223.75,66.225.223.89] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 78) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405154; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [66.225.200.69,66.225.223.109,66.225.223.112,66.225.223.115,66.225.223.13,66.225.223.52,66.225.223.61,66.225.223.70,66.225.223.75,66.225.223.89] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 78) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405155; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [66.225.223.91,66.225.225.225,66.225.225.66,66.230.192.37,66.231.234.174,66.235.184.37,66.246.149.4,66.246.76.24,66.249.128.230,66.45.226.37] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 79) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405156; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [66.225.223.91,66.225.225.225,66.225.225.66,66.230.192.37,66.231.234.174,66.235.184.37,66.246.149.4,66.246.76.24,66.249.128.230,66.45.226.37] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 79) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405157; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [66.45.234.200,66.55.71.243,66.76.162.104,66.90.118.14,66.90.65.10,66.90.66.243,66.90.82.8,66.90.90.196,66.98.224.132,67.159.2.109] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 80) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405158; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [66.45.234.200,66.55.71.243,66.76.162.104,66.90.118.14,66.90.65.10,66.90.66.243,66.90.82.8,66.90.90.196,66.98.224.132,67.159.2.109] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 80) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405159; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [67.159.2.110,67.159.2.111,67.159.2.112,67.159.2.113,67.159.2.114,67.159.2.115,67.159.2.117,67.159.56.58,67.18.176.176,67.18.176.230] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 81) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405160; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [67.159.2.110,67.159.2.111,67.159.2.112,67.159.2.113,67.159.2.114,67.159.2.115,67.159.2.117,67.159.56.58,67.18.176.176,67.18.176.230] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 81) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405161; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [67.18.187.34,67.18.208.96,67.202.107.13,67.202.109.114,67.202.109.119,67.202.109.205,67.202.114.38,67.205.85.231,67.207.138.239,67.21.65.15] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 82) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405162; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [67.18.187.34,67.18.208.96,67.202.107.13,67.202.109.114,67.202.109.119,67.202.109.205,67.202.114.38,67.205.85.231,67.207.138.239,67.21.65.15] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 82) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405163; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [67.21.65.62,67.21.72.43,67.21.79.130,67.210.234.18,67.213.221.178,67.220.66.166,67.220.66.167,67.220.66.168,67.220.66.170,67.220.66.171] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 83) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405164; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [67.21.65.62,67.21.72.43,67.21.79.130,67.210.234.18,67.213.221.178,67.220.66.166,67.220.66.167,67.220.66.168,67.220.66.170,67.220.66.171] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 83) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405165; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [67.220.66.172,67.220.66.52,67.220.66.72,67.220.67.118,67.220.71.84,67.220.73.102,67.220.73.105,67.220.73.107,67.220.74.155,67.220.74.70] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 84) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405166; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [67.220.66.172,67.220.66.52,67.220.66.72,67.220.67.118,67.220.71.84,67.220.73.102,67.220.73.105,67.220.73.107,67.220.74.155,67.220.74.70] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 84) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405167; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [67.220.75.164,67.220.78.43,67.220.85.1,67.220.85.7,67.220.85.8,67.220.85.9,67.222.13.112,67.223.237.99,67.223.254.182,67.223.97.74] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 85) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405168; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [67.220.75.164,67.220.78.43,67.220.85.1,67.220.85.7,67.220.85.8,67.220.85.9,67.222.13.112,67.223.237.99,67.223.254.182,67.223.97.74] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 85) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405169; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [67.23.178.252,67.23.234.155,67.23.6.180,67.23.7.58,67.43.226.210,67.43.226.211,67.43.226.212,67.43.226.213,67.43.226.214,67.43.226.6] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 86) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405170; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [67.23.178.252,67.23.234.155,67.23.6.180,67.23.7.58,67.43.226.210,67.43.226.211,67.43.226.212,67.43.226.213,67.43.226.214,67.43.226.6] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 86) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405171; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [67.43.226.7,67.43.228.194,67.43.228.223,67.43.228.226,67.43.230.226,67.43.230.227,67.43.230.228,67.43.230.229,67.43.230.230,67.43.230.231] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 87) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405172; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [67.43.226.7,67.43.228.194,67.43.228.223,67.43.228.226,67.43.230.226,67.43.230.227,67.43.230.228,67.43.230.229,67.43.230.230,67.43.230.231] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 87) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405173; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [67.43.230.233,67.43.230.234,67.43.230.235,67.43.230.236,67.43.230.237,67.43.230.238,67.43.230.239,67.43.230.240,67.43.230.241,67.43.230.242] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 88) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405174; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [67.43.230.233,67.43.230.234,67.43.230.235,67.43.230.236,67.43.230.237,67.43.230.238,67.43.230.239,67.43.230.240,67.43.230.241,67.43.230.242] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 88) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405175; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [67.43.230.243,67.43.230.244,67.43.230.247,67.43.230.249,67.43.230.250,67.43.230.73,67.43.230.74,67.43.230.76,67.43.232.178,67.43.238.213] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 89) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405176; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [67.43.230.243,67.43.230.244,67.43.230.247,67.43.230.249,67.43.230.250,67.43.230.73,67.43.230.74,67.43.230.76,67.43.232.178,67.43.238.213] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 89) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405177; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [68.168.212.6,68.232.162.247,68.232.170.240,68.75.207.189,68.99.69.10,69.12.8.25,69.147.228.45,69.162.101.52,69.162.117.218,69.162.80.43] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 90) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405178; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [68.168.212.6,68.232.162.247,68.232.170.240,68.75.207.189,68.99.69.10,69.12.8.25,69.147.228.45,69.162.101.52,69.162.117.218,69.162.80.43] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 90) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405179; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [69.164.197.103,69.164.201.185,69.164.216.206,69.17.17.5,69.197.24.1,69.197.59.250,69.197.60.55,69.197.60.60,69.197.63.190,69.199.121.114] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 91) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405180; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [69.164.197.103,69.164.201.185,69.164.216.206,69.17.17.5,69.197.24.1,69.197.59.250,69.197.60.55,69.197.60.60,69.197.63.190,69.199.121.114] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 91) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405181; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [69.20.231.81,69.20.234.2,69.217.36.153,69.28.129.165,69.28.220.143,69.31.228.75,69.36.111.69,69.39.224.53,69.41.178.98,69.42.210.47] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 92) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405182; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [69.20.231.81,69.20.234.2,69.217.36.153,69.28.129.165,69.28.220.143,69.31.228.75,69.36.111.69,69.39.224.53,69.41.178.98,69.42.210.47] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 92) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405183; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [69.42.210.56,69.42.212.2,69.42.214.132,69.42.214.133,69.42.214.152,69.42.214.241,69.42.215.10,69.42.215.12,69.42.215.14,69.42.215.16] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 93) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405184; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [69.42.210.56,69.42.212.2,69.42.214.132,69.42.214.133,69.42.214.152,69.42.214.241,69.42.215.10,69.42.215.12,69.42.215.14,69.42.215.16] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 93) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405185; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [69.42.215.178,69.42.215.179,69.42.215.180,69.42.215.20,69.42.215.22,69.42.215.24,69.42.215.4,69.42.215.6,69.42.215.8,69.42.217.82] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 94) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405186; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [69.42.215.178,69.42.215.179,69.42.215.180,69.42.215.20,69.42.215.22,69.42.215.24,69.42.215.4,69.42.215.6,69.42.215.8,69.42.217.82] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 94) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405187; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [69.42.218.168,69.42.218.218,69.42.218.243,69.42.218.70,69.42.218.72,69.42.218.75,69.42.219.194,69.42.220.168,69.42.221.252,69.42.221.7] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 95) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405188; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [69.42.218.168,69.42.218.218,69.42.218.243,69.42.218.70,69.42.218.72,69.42.218.75,69.42.219.194,69.42.220.168,69.42.221.252,69.42.221.7] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 95) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405189; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [69.42.222.24,69.42.222.25,69.42.223.201,69.42.223.202,69.42.223.204,69.56.173.120,69.64.36.197,69.64.38.216,69.64.39.194,69.64.39.201] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 96) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405190; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [69.42.222.24,69.42.222.25,69.42.223.201,69.42.223.202,69.42.223.204,69.56.173.120,69.64.36.197,69.64.38.216,69.64.39.194,69.64.39.201] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 96) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405191; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [69.64.39.202,69.64.43.197,69.64.58.106,69.64.61.249,69.65.42.31,69.89.182.202,69.90.157.210,69.90.157.219,69.93.229.206,69.93.9.12] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 97) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405192; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [69.64.39.202,69.64.43.197,69.64.58.106,69.64.61.249,69.65.42.31,69.89.182.202,69.90.157.210,69.90.157.219,69.93.229.206,69.93.9.12] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 97) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405193; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [70.107.249.167,70.39.105.60,70.39.111.203,70.39.82.138,70.39.91.78,70.39.93.10,70.61.101.163,70.84.15.212,70.84.53.182,70.85.129.195] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 98) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405194; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [70.107.249.167,70.39.105.60,70.39.111.203,70.39.82.138,70.39.91.78,70.39.93.10,70.61.101.163,70.84.15.212,70.84.53.182,70.85.129.195] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 98) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405195; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [70.85.16.102,70.85.237.252,70.91.45.236,71.160.39.114,71.216.87.193,71.6.218.42,72.10.160.212,72.11.142.40,72.14.176.171,72.14.179.148] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 99) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405196; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [70.85.16.102,70.85.237.252,70.91.45.236,71.160.39.114,71.216.87.193,71.6.218.42,72.10.160.212,72.11.142.40,72.14.176.171,72.14.179.148] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 99) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405197; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.14.185.157,72.20.1.130,72.20.14.10,72.20.14.102,72.20.14.103,72.20.14.11,72.20.14.25,72.20.14.27,72.20.14.42,72.20.14.5] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 100) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405198; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.14.185.157,72.20.1.130,72.20.14.10,72.20.14.102,72.20.14.103,72.20.14.11,72.20.14.25,72.20.14.27,72.20.14.42,72.20.14.5] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 100) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405199; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.14.70,72.20.15.35,72.20.16.90,72.20.17.139,72.20.17.149,72.20.17.167,72.20.17.168,72.20.17.178,72.20.21.115,72.20.21.123] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 101) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405200; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.14.70,72.20.15.35,72.20.16.90,72.20.17.139,72.20.17.149,72.20.17.167,72.20.17.168,72.20.17.178,72.20.21.115,72.20.21.123] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 101) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405201; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.21.124,72.20.21.126,72.20.21.13,72.20.21.36,72.20.21.37,72.20.21.43,72.20.21.45,72.20.23.102,72.20.23.107,72.20.23.108] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 102) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405202; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.21.124,72.20.21.126,72.20.21.13,72.20.21.36,72.20.21.37,72.20.21.43,72.20.21.45,72.20.23.102,72.20.23.107,72.20.23.108] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 102) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405203; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.23.74,72.20.23.77,72.20.23.90,72.20.23.96,72.20.24.158,72.20.24.161,72.20.24.162,72.20.24.163,72.20.24.164,72.20.25.153] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 103) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405204; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.23.74,72.20.23.77,72.20.23.90,72.20.23.96,72.20.24.158,72.20.24.161,72.20.24.162,72.20.24.163,72.20.24.164,72.20.25.153] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 103) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405205; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.25.181,72.20.26.148,72.20.27.113,72.20.27.120,72.20.28.193,72.20.28.194,72.20.28.195,72.20.28.196,72.20.28.197,72.20.28.199] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 104) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405206; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.25.181,72.20.26.148,72.20.27.113,72.20.27.120,72.20.28.193,72.20.28.194,72.20.28.195,72.20.28.196,72.20.28.197,72.20.28.199] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 104) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405207; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.28.200,72.20.28.204,72.20.28.206,72.20.28.210,72.20.28.211,72.20.28.218,72.20.28.220,72.20.28.234,72.20.28.237,72.20.28.245] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 105) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405208; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.28.200,72.20.28.204,72.20.28.206,72.20.28.210,72.20.28.211,72.20.28.218,72.20.28.220,72.20.28.234,72.20.28.237,72.20.28.245] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 105) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405209; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.28.247,72.20.28.249,72.20.28.252,72.20.28.254,72.20.33.109,72.20.33.201,72.20.33.202,72.20.33.77,72.20.35.120,72.20.35.135] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 106) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405210; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.28.247,72.20.28.249,72.20.28.252,72.20.28.254,72.20.33.109,72.20.33.201,72.20.33.202,72.20.33.77,72.20.35.120,72.20.35.135] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 106) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405211; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.35.183,72.20.35.20,72.20.35.21,72.20.35.23,72.20.35.24,72.20.35.25,72.20.35.31,72.20.35.38,72.20.35.54,72.20.35.55] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 107) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405212; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.35.183,72.20.35.20,72.20.35.21,72.20.35.23,72.20.35.24,72.20.35.25,72.20.35.31,72.20.35.38,72.20.35.54,72.20.35.55] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 107) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405213; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.35.70,72.20.37.113,72.20.37.114,72.20.37.115,72.20.37.116,72.20.37.117,72.20.37.118,72.20.37.151,72.20.37.154,72.20.37.156] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 108) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405214; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.35.70,72.20.37.113,72.20.37.114,72.20.37.115,72.20.37.116,72.20.37.117,72.20.37.118,72.20.37.151,72.20.37.154,72.20.37.156] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 108) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405215; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.37.157,72.20.37.158,72.20.37.159,72.20.37.161,72.20.37.169,72.20.37.171,72.20.37.173,72.20.37.189,72.20.37.33,72.20.37.39] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 109) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405216; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.37.157,72.20.37.158,72.20.37.159,72.20.37.161,72.20.37.169,72.20.37.171,72.20.37.173,72.20.37.189,72.20.37.33,72.20.37.39] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 109) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405217; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.37.47,72.20.38.118,72.20.38.17,72.20.38.18,72.20.38.19,72.20.38.20,72.20.38.200,72.20.38.21,72.20.38.22,72.20.38.76] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 110) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405218; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.37.47,72.20.38.118,72.20.38.17,72.20.38.18,72.20.38.19,72.20.38.20,72.20.38.200,72.20.38.21,72.20.38.22,72.20.38.76] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 110) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405219; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.40.249,72.20.40.35,72.20.40.52,72.20.42.98,72.20.45.81,72.20.45.82,72.20.45.83,72.20.45.84,72.20.45.85,72.20.45.86] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 111) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405220; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.40.249,72.20.40.35,72.20.40.52,72.20.42.98,72.20.45.81,72.20.45.82,72.20.45.83,72.20.45.84,72.20.45.85,72.20.45.86] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 111) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405221; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.46.9,72.20.48.100,72.20.48.111,72.20.48.40,72.20.48.50,72.20.48.60,72.20.48.95,72.20.50.250,72.20.50.65,72.20.50.70] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 112) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405222; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.46.9,72.20.48.100,72.20.48.111,72.20.48.40,72.20.48.50,72.20.48.60,72.20.48.95,72.20.50.250,72.20.50.65,72.20.50.70] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 112) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405223; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.51.115,72.20.51.178,72.20.51.91,72.20.51.99,72.20.52.189,72.20.52.190,72.20.52.79,72.20.53.139,72.20.54.120,72.20.54.121] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 113) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405224; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.51.115,72.20.51.178,72.20.51.91,72.20.51.99,72.20.52.189,72.20.52.190,72.20.52.79,72.20.53.139,72.20.54.120,72.20.54.121] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 113) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405225; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.54.123,72.20.54.124,72.20.54.67,72.20.54.69,72.20.54.90,72.20.56.24,72.20.56.48,72.20.56.59,72.20.57.109,72.20.57.120] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 114) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405226; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.54.123,72.20.54.124,72.20.54.67,72.20.54.69,72.20.54.90,72.20.56.24,72.20.56.48,72.20.56.59,72.20.57.109,72.20.57.120] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 114) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405227; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.20.58.136,72.20.58.143,72.20.58.175,72.20.58.177,72.20.6.170,72.22.83.165,72.233.7.230,72.250.175.12,72.32.146.136,72.47.213.143] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 115) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405228; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.20.58.136,72.20.58.143,72.20.58.175,72.20.58.177,72.20.6.170,72.22.83.165,72.233.7.230,72.250.175.12,72.32.146.136,72.47.213.143] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 115) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405229; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.47.218.197,72.47.218.27,72.47.237.76,72.52.102.218,72.73.235.83,72.77.145.27,72.8.130.60,72.8.131.37,72.8.134.218,72.8.140.109] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 116) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405230; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.47.218.197,72.47.218.27,72.47.237.76,72.52.102.218,72.73.235.83,72.77.145.27,72.8.130.60,72.8.131.37,72.8.134.218,72.8.140.109] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 116) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405231; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [72.8.140.113,72.8.140.114,72.8.140.116,72.8.140.126,72.8.140.131,74.117.115.102,74.117.173.200,74.117.174.119,74.117.174.3,74.117.174.4] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 117) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405232; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [72.8.140.113,72.8.140.114,72.8.140.116,72.8.140.126,72.8.140.131,74.117.115.102,74.117.173.200,74.117.174.119,74.117.174.3,74.117.174.4] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 117) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405233; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [74.117.174.5,74.117.174.79,74.117.174.82,74.117.174.90,74.117.63.238,74.122.159.122,74.138.104.142,74.204.160.210,74.207.245.90,74.208.101.128] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 118) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405234; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [74.117.174.5,74.117.174.79,74.117.174.82,74.117.174.90,74.117.63.238,74.122.159.122,74.138.104.142,74.204.160.210,74.207.245.90,74.208.101.128] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 118) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405235; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [74.208.103.34,74.208.166.145,74.208.166.160,74.208.17.205,74.208.228.244,74.208.43.209,74.41.18.106,74.50.52.59,74.63.208.146,74.63.239.114] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 119) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405236; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [74.208.103.34,74.208.166.145,74.208.166.160,74.208.17.205,74.208.228.244,74.208.43.209,74.41.18.106,74.50.52.59,74.63.208.146,74.63.239.114] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 119) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405237; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [74.63.78.3,74.82.57.173,74.86.250.59,74.86.250.60,74.86.250.61,74.86.250.62,74.86.250.63,75.102.26.70,75.118.123.95,75.148.241.253] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 120) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405238; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [74.63.78.3,74.82.57.173,74.86.250.59,74.86.250.60,74.86.250.61,74.86.250.62,74.86.250.63,75.102.26.70,75.118.123.95,75.148.241.253] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 120) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405239; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [75.150.126.241,75.150.46.25,76.121.61.193,76.183.220.25,76.73.103.140,76.73.103.59,76.73.15.38,76.73.17.206,76.73.56.22,76.76.11.208] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 121) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405240; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [75.150.126.241,75.150.46.25,76.121.61.193,76.183.220.25,76.73.103.140,76.73.103.59,76.73.15.38,76.73.17.206,76.73.56.22,76.76.11.208] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 121) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405241; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [77.235.49.17,77.244.242.98,77.244.252.171,77.59.219.91,77.79.12.224,77.91.225.143,77.91.226.45,77.91.227.234,78.108.106.222,78.129.223.131] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 122) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405242; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [77.235.49.17,77.244.242.98,77.244.252.171,77.59.219.91,77.79.12.224,77.91.225.143,77.91.226.45,77.91.227.234,78.108.106.222,78.129.223.131] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 122) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405243; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [78.129.228.10,78.129.228.16,78.129.228.23,78.129.228.24,78.129.228.30,78.129.228.32,78.129.228.35,78.129.228.39,78.129.228.45,78.129.228.52] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 123) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405244; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [78.129.228.10,78.129.228.16,78.129.228.23,78.129.228.24,78.129.228.30,78.129.228.32,78.129.228.35,78.129.228.39,78.129.228.45,78.129.228.52] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 123) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405245; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [78.129.228.56,78.129.228.58,78.129.228.6,78.129.228.64,78.129.228.65,78.129.228.7,78.129.239.80,78.157.104.207,78.24.188.201,78.24.217.169] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 124) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405246; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [78.129.228.56,78.129.228.58,78.129.228.6,78.129.228.64,78.129.228.65,78.129.228.7,78.129.239.80,78.157.104.207,78.24.188.201,78.24.217.169] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 124) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405247; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [78.46.21.247,78.46.40.163,78.46.74.78,78.47.47.177,79.113.167.139,79.120.77.7,79.121.235.77,79.134.0.34,79.143.254.153,79.165.173.146] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 125) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405248; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [78.46.21.247,78.46.40.163,78.46.74.78,78.47.47.177,79.113.167.139,79.120.77.7,79.121.235.77,79.134.0.34,79.143.254.153,79.165.173.146] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 125) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405249; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [8.225.195.155,8.7.233.36,8.7.233.42,8.7.233.43,8.7.233.44,8.7.233.45,8.8.247.40,80.101.63.84,80.126.201.245,80.13.162.101] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 126) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405250; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [8.225.195.155,8.7.233.36,8.7.233.42,8.7.233.43,8.7.233.44,8.7.233.45,8.8.247.40,80.101.63.84,80.126.201.245,80.13.162.101] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 126) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405251; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [80.154.61.188,80.162.11.155,80.179.146.140,80.184.117.130,80.190.246.162,80.237.201.63,80.242.32.71,80.247.72.130,80.248.218.122,80.48.115.6] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 127) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405252; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [80.154.61.188,80.162.11.155,80.179.146.140,80.184.117.130,80.190.246.162,80.237.201.63,80.242.32.71,80.247.72.130,80.248.218.122,80.48.115.6] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 127) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405253; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [80.64.140.13,80.68.89.201,80.69.66.120,80.69.82.126,80.71.245.245,80.86.81.184,80.92.100.145,81.169.136.37,81.169.168.122,81.169.182.216] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 128) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405254; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [80.64.140.13,80.68.89.201,80.69.66.120,80.69.82.126,80.71.245.245,80.86.81.184,80.92.100.145,81.169.136.37,81.169.168.122,81.169.182.216] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 128) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405255; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [81.169.183.179,81.18.129.4,81.18.164.79,81.252.38.10,81.26.211.130,81.29.65.57,81.31.33.35,81.88.217.254,81.9.48.14,82.136.2.130] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 129) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405256; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [81.169.183.179,81.18.129.4,81.18.164.79,81.252.38.10,81.26.211.130,81.29.65.57,81.31.33.35,81.88.217.254,81.9.48.14,82.136.2.130] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 129) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405257; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [82.138.241.140,82.138.241.146,82.138.241.150,82.146.48.13,82.146.49.176,82.146.49.202,82.146.51.114,82.146.51.147,82.146.52.136,82.146.52.196] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 130) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405258; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [82.138.241.140,82.138.241.146,82.138.241.150,82.146.48.13,82.146.49.176,82.146.49.202,82.146.51.114,82.146.51.147,82.146.52.136,82.146.52.196] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 130) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405259; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [82.146.52.217,82.146.52.76,82.146.52.89,82.146.52.98,82.146.53.63,82.146.59.188,82.165.47.16,82.192.79.114,82.23.22.245,82.230.41.47] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 131) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405260; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [82.146.52.217,82.146.52.76,82.146.52.89,82.146.52.98,82.146.53.63,82.146.59.188,82.165.47.16,82.192.79.114,82.23.22.245,82.230.41.47] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 131) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405261; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [82.76.255.62,82.78.186.30,82.80.231.202,82.94.222.186,82.96.75.46,83.103.99.9,83.133.119.206,83.133.120.199,83.136.48.15,83.137.112.20] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 132) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405262; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [82.76.255.62,82.78.186.30,82.80.231.202,82.94.222.186,82.96.75.46,83.103.99.9,83.133.119.206,83.133.120.199,83.136.48.15,83.137.112.20] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 132) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405263; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [83.137.41.33,83.140.162.126,83.140.172.210,83.140.172.211,83.140.172.212,83.142.48.72,83.142.85.10,83.149.112.71,83.149.234.76,83.16.34.202] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 133) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405264; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [83.137.41.33,83.140.162.126,83.140.172.210,83.140.172.211,83.140.172.212,83.142.48.72,83.142.85.10,83.149.112.71,83.149.234.76,83.16.34.202] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 133) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405265; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [83.170.81.10,83.170.81.4,83.170.81.7,83.170.84.107,83.170.84.12,83.170.84.9,83.176.245.159,83.217.192.243,83.222.226.135,83.243.45.84] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 134) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405266; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [83.170.81.10,83.170.81.4,83.170.81.7,83.170.84.107,83.170.84.12,83.170.84.9,83.176.245.159,83.217.192.243,83.222.226.135,83.243.45.84] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 134) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405267; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [83.243.46.2,83.243.47.58,83.248.154.79,83.68.16.6,84.11.26.30,84.16.231.52,84.19.172.60,84.19.182.112,84.19.183.112,84.200.208.182] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 135) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405268; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [83.243.46.2,83.243.47.58,83.248.154.79,83.68.16.6,84.11.26.30,84.16.231.52,84.19.172.60,84.19.182.112,84.19.183.112,84.200.208.182] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 135) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405269; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [84.200.225.70,84.200.225.80,84.200.225.85,84.200.242.4,84.201.7.15,84.232.6.70,85.114.137.137,85.114.140.126,85.114.141.33,85.159.70.238] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 136) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405270; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [84.200.225.70,84.200.225.80,84.200.225.85,84.200.242.4,84.201.7.15,84.232.6.70,85.114.137.137,85.114.140.126,85.114.141.33,85.159.70.238] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 136) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405271; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [85.17.137.135,85.17.138.155,85.17.139.182,85.17.145.214,85.17.207.164,85.17.7.34,85.17.93.147,85.17.93.22,85.195.108.223,85.195.37.98] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 137) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405272; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [85.17.137.135,85.17.138.155,85.17.139.182,85.17.145.214,85.17.207.164,85.17.7.34,85.17.93.147,85.17.93.22,85.195.108.223,85.195.37.98] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 137) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405273; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [85.196.7.112,85.196.81.19,85.196.81.211,85.196.81.9,85.214.102.20,85.214.117.33,85.214.128.155,85.214.140.176,85.214.140.54,85.214.21.229] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 138) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405274; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [85.196.7.112,85.196.81.19,85.196.81.211,85.196.81.9,85.214.102.20,85.214.117.33,85.214.128.155,85.214.140.176,85.214.140.54,85.214.21.229] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 138) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405275; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [85.214.27.94,85.214.36.108,85.214.75.239,85.214.75.67,85.214.97.16,85.236.110.226,85.236.110.228,85.24.148.106,85.24.148.125,85.25.10.63] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 139) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405276; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [85.214.27.94,85.214.36.108,85.214.75.239,85.214.75.67,85.214.97.16,85.236.110.226,85.236.110.228,85.24.148.106,85.24.148.125,85.25.10.63] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 139) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405277; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [85.25.131.169,85.25.224.38,85.25.236.217,85.82.217.198,86.104.11.104,86.110.67.72,86.125.217.5,86.125.217.7,86.57.151.11,86.57.151.5] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 140) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405278; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [85.25.131.169,85.25.224.38,85.25.236.217,85.82.217.198,86.104.11.104,86.110.67.72,86.125.217.5,86.125.217.7,86.57.151.11,86.57.151.5] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 140) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405279; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [87.106.138.9,87.106.139.138,87.106.140.75,87.106.176.37,87.106.207.54,87.106.61.8,87.106.89.66,87.118.124.140,87.118.126.87,87.118.87.98] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 141) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405280; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [87.106.138.9,87.106.139.138,87.106.140.75,87.106.176.37,87.106.207.54,87.106.61.8,87.106.89.66,87.118.124.140,87.118.126.87,87.118.87.98] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 141) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405281; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [87.118.89.3,87.118.97.207,87.124.86.31,87.227.96.214,87.228.16.218,87.252.253.100,87.98.145.241,87.98.164.139,87.98.244.220,87.98.249.30] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 142) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405282; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [87.118.89.3,87.118.97.207,87.124.86.31,87.227.96.214,87.228.16.218,87.252.253.100,87.98.145.241,87.98.164.139,87.98.244.220,87.98.249.30] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 142) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405283; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [87.98.250.95,87.98.254.150,87.98.254.192,87.98.254.64,88.147.128.15,88.191.254.11,88.191.66.7,88.198.93.235,88.255.104.162,88.255.104.172] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 143) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405284; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [87.98.250.95,87.98.254.150,87.98.254.192,87.98.254.64,88.147.128.15,88.191.254.11,88.191.66.7,88.198.93.235,88.255.104.162,88.255.104.172] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 143) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405285; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [88.80.5.41,88.87.21.40,89.144.96.87,89.149.201.156,89.149.226.157,89.163.163.46,89.163.179.130,89.17.201.203,89.185.236.71,89.202.247.162] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 144) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405286; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [88.80.5.41,88.87.21.40,89.144.96.87,89.149.201.156,89.149.226.157,89.163.163.46,89.163.179.130,89.17.201.203,89.185.236.71,89.202.247.162] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 144) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405287; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [89.203.155.3,89.229.79.176,89.238.159.70,89.238.64.181,89.248.164.49,89.248.166.44,89.29.204.242,91.121.0.76,91.121.100.100,91.121.107.112] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 145) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405288; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [89.203.155.3,89.229.79.176,89.238.159.70,89.238.64.181,89.248.164.49,89.248.166.44,89.29.204.242,91.121.0.76,91.121.100.100,91.121.107.112] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 145) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405289; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [91.121.115.74,91.121.143.15,91.121.158.18,91.121.158.80,91.121.166.117,91.121.17.210,91.121.208.180,91.121.209.20,91.121.24.121,91.121.249.36] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 146) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405290; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [91.121.115.74,91.121.143.15,91.121.158.18,91.121.158.80,91.121.166.117,91.121.17.210,91.121.208.180,91.121.209.20,91.121.24.121,91.121.249.36] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 146) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405291; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [91.121.251.195,91.121.27.112,91.121.3.60,91.121.39.130,91.121.58.120,91.121.67.157,91.121.88.104,91.121.89.104,91.121.96.150,91.121.96.182] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 147) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405292; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [91.121.251.195,91.121.27.112,91.121.3.60,91.121.39.130,91.121.58.120,91.121.67.157,91.121.88.104,91.121.89.104,91.121.96.150,91.121.96.182] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 147) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405293; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [91.121.96.69,91.149.157.69,91.194.66.8,91.194.85.186,91.196.103.111,91.200.42.28,91.205.185.104,91.205.241.87,91.208.144.141,91.208.40.24] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 148) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405294; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [91.121.96.69,91.149.157.69,91.194.66.8,91.194.85.186,91.196.103.111,91.200.42.28,91.205.185.104,91.205.241.87,91.208.144.141,91.208.40.24] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 148) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405295; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [91.214.111.26,91.83.48.220,92.241.180.65,92.241.184.17,92.241.190.133,92.241.190.231,92.241.190.90,92.243.2.46,92.243.21.112,92.243.23.21] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 149) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405296; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [91.214.111.26,91.83.48.220,92.241.180.65,92.241.184.17,92.241.190.133,92.241.190.231,92.241.190.90,92.243.2.46,92.243.21.112,92.243.23.21] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 149) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405297; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [92.243.8.212,92.33.0.168,92.55.242.8,92.61.32.19,92.62.43.55,93.104.214.3,93.174.88.109,93.174.88.111,93.174.88.17,93.174.93.26] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 150) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405298; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [92.243.8.212,92.33.0.168,92.55.242.8,92.61.32.19,92.62.43.55,93.104.214.3,93.174.88.109,93.174.88.111,93.174.88.17,93.174.93.26] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 150) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405299; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [93.174.93.73,93.174.94.86,93.185.105.137,93.189.105.234,93.190.138.42,93.190.138.52,93.190.206.138,93.62.62.208,94.102.55.131,94.102.55.222] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 151) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405300; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [93.174.93.73,93.174.94.86,93.185.105.137,93.189.105.234,93.190.138.42,93.190.138.52,93.190.206.138,93.62.62.208,94.102.55.131,94.102.55.222] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 151) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405301; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [94.102.58.24,94.103.155.83,94.125.182.253,94.125.182.255,94.125.252.114,94.125.252.224,94.125.252.241,94.127.67.123,94.228.214.124,94.228.41.56] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 152) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405302; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [94.102.58.24,94.103.155.83,94.125.182.253,94.125.182.255,94.125.252.114,94.125.252.224,94.125.252.241,94.127.67.123,94.228.214.124,94.228.41.56] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 152) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405303; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [94.229.73.198,94.23.0.116,94.23.120.229,94.23.148.187,94.23.149.99,94.23.15.100,94.23.153.223,94.23.154.167,94.23.157.150,94.23.158.247] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 153) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405304; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [94.229.73.198,94.23.0.116,94.23.120.229,94.23.148.187,94.23.149.99,94.23.15.100,94.23.153.223,94.23.154.167,94.23.157.150,94.23.158.247] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 153) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405305; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [94.23.22.62,94.23.25.96,94.23.36.150,94.23.41.26,94.23.45.70,94.23.54.189,94.23.75.57,94.23.84.80,94.247.169.164,94.247.169.165] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 154) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405306; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [94.23.22.62,94.23.25.96,94.23.36.150,94.23.41.26,94.23.45.70,94.23.54.189,94.23.75.57,94.23.84.80,94.247.169.164,94.247.169.165] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 154) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405307; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [94.46.127.1,94.47.254.1,94.75.205.140,94.75.206.129,94.76.225.80,95.131.66.179,95.142.163.184,95.143.192.165,95.154.194.41,95.168.163.235] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 155) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405308; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [94.46.127.1,94.47.254.1,94.75.205.140,94.75.206.129,94.76.225.80,95.131.66.179,95.142.163.184,95.143.192.165,95.154.194.41,95.168.163.235] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 155) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405309; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [95.168.163.236,95.168.183.181,95.168.187.112,95.168.187.52,95.169.188.251,95.169.189.251,95.211.24.165,95.211.26.11,95.211.32.15,95.211.84.107] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 156) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405310; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [95.168.163.236,95.168.183.181,95.168.187.112,95.168.187.52,95.169.188.251,95.169.189.251,95.211.24.165,95.211.26.11,95.211.32.15,95.211.84.107] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 156) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405311; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [95.211.84.108,95.211.84.164,95.211.85.119,95.211.86.134,96.248.60.29,97.107.129.187,97.107.130.165,97.107.132.56,98.142.242.183,98.142.254.236] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 157) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405312; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [95.211.84.108,95.211.84.164,95.211.85.119,95.211.86.134,96.248.60.29,97.107.129.187,97.107.130.165,97.107.132.56,98.142.242.183,98.142.254.236] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 157) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405313; rev:2036; fwsam: dst, 30 days;) alert tcp $HOME_NET any <> [98.142.254.249,98.143.155.172,98.189.231.149,98.209.125.138,99.198.121.160,99.198.122.113,99.6.196.145] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 158) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405314; rev:2036; fwsam: dst, 30 days;) alert udp $HOME_NET any <> [98.142.254.249,98.143.155.172,98.189.231.149,98.209.125.138,99.198.121.160,99.198.122.113,99.6.196.145] any (msg:"ET DROP Known Bot C&C Traffic UDP (group 158) - BLOCKING SOURCE"; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405315; rev:2036; fwsam: dst, 30 days;)