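# SpyEye command-and-control destination rules (Snort rule syntax).
#
# Layout: seven destination IP groups, numbered 1-7 in the msg text. Each
# group has a TCP rule and a UDP rule with the same destination list
# (sid 1250600-1250613, rev 1). The rules carry no payload options, so any
# packet from a matching source to a listed address, on any port, matches.
#
# Each rule is kept on one physical line. A line break inside a rule header
# or inside the quoted msg string, without a trailing backslash, does not
# parse as a single rule.
#
# Options shared by every rule:
#   threshold: type limit, track by_src, seconds 60, count 1
#       at most one alert per source address per 60 seconds, per rule.
#   tag: host,30,seconds,src
#       after an alert, keep logging packets from the source host for 30 s.
#   reference:url,SpyEyetracker.abuse.ch
#       the feed named as the origin of the address lists.
#
# NOTE(review): the source is "anything not in $SMTP_SERVERS or
#   $DNS_SERVERS", not $HOME_NET, although msg says "internal machine". On a
#   sensor that also sees inbound traffic, external sources will match too;
#   consider limiting the source to $HOME_NET minus the excluded servers.
# NOTE(review): hosts in $SMTP_SERVERS and $DNS_SERVERS never alert here, so
#   a compromised mail or DNS server needs separate coverage.
# NOTE(review): the address lists are a static snapshot. Hosting addresses
#   get reassigned, so check entries against a current feed before relying on
#   an alert, and refresh or retire the lists on a schedule.
# NOTE(review): classtype is misc-attack; trojan-activity may describe C2
#   traffic better if the local classification.config defines it. Changing
#   it alters alert priority, so it is left as is.
# NOTE(review): newer Snort 2.x releases document the in-rule threshold
#   option as deprecated in favour of event_filter - confirm against the
#   engine version in use.

# Group 1
alert tcp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [109.70.26.36,109.73.106.6,119.59.121.67,123.252.193.141,123.30.129.249,130.185.159.16,134.93.159.115,149.154.153.61,173.255.217.235,174.127.66.192,174.129.242.247,174.140.171.189,176.28.0.135,176.28.0.239,176.31.158.107,176.9.35.122,176.9.35.124,176.9.43.136,176.9.68.3,178.162.134.114,178.162.181.39,178.162.184.153,178.17.162.210,178.238.36.6,178.32.95.87,178.63.226.201,178.73.212.15,178.79.172.145,184.154.72.100,188.120.230.171,188.190.126.173] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 1";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250600; rev:1;)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [109.70.26.36,109.73.106.6,119.59.121.67,123.252.193.141,123.30.129.249,130.185.159.16,134.93.159.115,149.154.153.61,173.255.217.235,174.127.66.192,174.129.242.247,174.140.171.189,176.28.0.135,176.28.0.239,176.31.158.107,176.9.35.122,176.9.35.124,176.9.43.136,176.9.68.3,178.162.134.114,178.162.181.39,178.162.184.153,178.17.162.210,178.238.36.6,178.32.95.87,178.63.226.201,178.73.212.15,178.79.172.145,184.154.72.100,188.120.230.171,188.190.126.173] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 1";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250601; rev:1;)

# Group 2
alert tcp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [188.240.35.2,188.241.116.97,188.244.3.168,188.40.207.188,188.72.225.253,190.123.47.60,192.162.76.78,193.105.240.195,193.106.173.118,193.106.173.134,193.106.173.198,193.106.175.106,193.106.175.171,193.107.172.11,193.107.19.253,193.107.19.52,193.27.246.139,194.219.29.139,194.219.29.152,194.28.132.125,194.28.132.98,194.44.157.130,195.14.112.126,195.14.113.194,195.14.113.22,195.14.113.23,195.226.218.216,195.242.161.40,195.242.161.89,199.119.227.20,199.59.241.235] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 2";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250602; rev:1;)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [188.240.35.2,188.241.116.97,188.244.3.168,188.40.207.188,188.72.225.253,190.123.47.60,192.162.76.78,193.105.240.195,193.106.173.118,193.106.173.134,193.106.173.198,193.106.175.106,193.106.175.171,193.107.172.11,193.107.19.253,193.107.19.52,193.27.246.139,194.219.29.139,194.219.29.152,194.28.132.125,194.28.132.98,194.44.157.130,195.14.112.126,195.14.113.194,195.14.113.22,195.14.113.23,195.226.218.216,195.242.161.40,195.242.161.89,199.119.227.20,199.59.241.235] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 2";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250603; rev:1;)

# Group 3
alert tcp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [200.56.243.137,200.63.45.3,202.165.179.18,203.170.193.96,204.12.25.7,208.91.197.101,208.91.197.108,208.91.197.54,209.59.213.57,210.211.108.213,210.211.110.222,212.36.9.52,212.36.9.56,212.36.9.59,212.36.9.60,212.95.58.190,216.194.70.11,217.107.34.84,217.116.198.29,217.12.215.170,217.23.152.116,218.61.10.188,31.11.43.105,31.178.2.132,31.31.203.123,4.26.0.117,44.55.44.44,46.105.173.84,46.16.233.108,46.163.116.57,46.163.116.61] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 3";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250604; rev:1;)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [200.56.243.137,200.63.45.3,202.165.179.18,203.170.193.96,204.12.25.7,208.91.197.101,208.91.197.108,208.91.197.54,209.59.213.57,210.211.108.213,210.211.110.222,212.36.9.52,212.36.9.56,212.36.9.59,212.36.9.60,212.95.58.190,216.194.70.11,217.107.34.84,217.116.198.29,217.12.215.170,217.23.152.116,218.61.10.188,31.11.43.105,31.178.2.132,31.31.203.123,4.26.0.117,44.55.44.44,46.105.173.84,46.16.233.108,46.163.116.57,46.163.116.61] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 3";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250605; rev:1;)

# Group 4
alert tcp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [46.166.129.247,46.166.129.253,46.166.131.143,46.166.143.56,46.166.144.192,46.166.148.133,46.17.100.230,46.17.96.177,46.28.65.151,46.28.65.40,46.4.124.12,46.4.232.221,46.4.71.20,60.199.114.84,62.109.25.136,62.128.158.18,62.76.178.56,64.150.160.156,64.29.151.221,64.31.25.63,65.98.64.83,65.98.64.85,66.147.244.234,66.199.227.60,66.199.227.66,66.199.227.70,66.228.49.83,66.98.136.44,74.117.235.213,77.109.111.66,77.232.82.24] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 4";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250606; rev:1;)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [46.166.129.247,46.166.129.253,46.166.131.143,46.166.143.56,46.166.144.192,46.166.148.133,46.17.100.230,46.17.96.177,46.28.65.151,46.28.65.40,46.4.124.12,46.4.232.221,46.4.71.20,60.199.114.84,62.109.25.136,62.128.158.18,62.76.178.56,64.150.160.156,64.29.151.221,64.31.25.63,65.98.64.83,65.98.64.85,66.147.244.234,66.199.227.60,66.199.227.66,66.199.227.70,66.228.49.83,66.98.136.44,74.117.235.213,77.109.111.66,77.232.82.24] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 4";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250607; rev:1;)

# Group 5
alert tcp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [77.79.10.100,77.79.11.36,77.79.4.204,77.79.4.206,77.91.231.193,78.24.222.149,78.47.172.189,79.132.67.141,8.9.232.73,80.67.3.110,80.67.3.116,80.92.66.130,82.146.44.30,82.146.62.239,82.179.217.4,82.98.86.174,85.17.109.31,85.17.19.81,85.17.190.79,85.17.222.166,85.17.224.166,85.17.93.46,87.251.154.165,88.120.236.112,88.198.16.80,88.216.91.106,89.108.67.172,89.208.141.139,89.208.149.205,89.208.149.212,89.208.34.119] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 5";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250608; rev:1;)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [77.79.10.100,77.79.11.36,77.79.4.204,77.79.4.206,77.91.231.193,78.24.222.149,78.47.172.189,79.132.67.141,8.9.232.73,80.67.3.110,80.67.3.116,80.92.66.130,82.146.44.30,82.146.62.239,82.179.217.4,82.98.86.174,85.17.109.31,85.17.19.81,85.17.190.79,85.17.222.166,85.17.224.166,85.17.93.46,87.251.154.165,88.120.236.112,88.198.16.80,88.216.91.106,89.108.67.172,89.208.141.139,89.208.149.205,89.208.149.212,89.208.34.119] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 5";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250609; rev:1;)

# Group 6
alert tcp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [89.248.162.170,89.253.247.168,91.213.217.36,91.217.82.143,91.217.82.177,91.217.83.252,91.219.29.14,91.220.163.12,91.220.62.112,91.220.62.190,91.223.89.201,91.231.126.32,92.241.164.223,92.241.164.226,92.241.164.67,92.241.165.165,92.241.165.228,92.241.165.229,92.241.174.38,92.241.190.128,92.241.190.252,92.241.191.80,92.241.191.91,92.38.209.180,92.38.209.50,92.38.232.91,93.170.52.20,93.170.52.30,94.199.49.55,94.199.51.35,94.199.51.54] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 6";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250610; rev:1;)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [89.248.162.170,89.253.247.168,91.213.217.36,91.217.82.143,91.217.82.177,91.217.83.252,91.219.29.14,91.220.163.12,91.220.62.112,91.220.62.190,91.223.89.201,91.231.126.32,92.241.164.223,92.241.164.226,92.241.164.67,92.241.165.165,92.241.165.228,92.241.165.229,92.241.174.38,92.241.190.128,92.241.190.252,92.241.191.80,92.241.191.91,92.38.209.180,92.38.209.50,92.38.232.91,93.170.52.20,93.170.52.30,94.199.49.55,94.199.51.35,94.199.51.54] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 6";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250611; rev:1;)

# Group 7
alert tcp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [94.63.149.51,95.163.88.209,95.168.178.88,95.211.133.81] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 7";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250612; rev:1;)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> [94.63.149.51,95.163.88.209,95.168.178.88,95.211.133.81] any (msg: "MALWARE internal machine attempting to contact SpyEye cmd and cntrl 7";reference:url,SpyEyetracker.abuse.ch; threshold: type limit, track by_src, seconds 60, count 1; tag: host,30,seconds,src; classtype:misc-attack; sid:1250613; rev:1;)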