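# Snort signature set (BotHunter / Emerging Threats derived).
# Layout repair: the source had all rules collapsed onto two physical lines and
# one rule (sid:2001683) broken inside its msg string. Snort's rule parser is
# line-oriented, so that text is not loadable as-is; the rule bodies below are
# unchanged, only restored to one rule per line.
# The msg prefixes E2[rb]/E3[rb]/E4[rb] look like BotHunter dialog-stage tags
# (E2 inbound exploit, E3 binary/egg download, E4 C&C) -- confirm against the
# BotHunter configuration that consumes this file.

# E2 -- SMB TreeConnectAndX to the IPC$ share, Unicode form.
# Session header byte 0x00 at depth 1, then "\xFFSMB" + command 0x75 ('u');
# byte_test checks bit 0x80 of the byte 6 past the command (the Unicode flag),
# pcre skips 27 bytes, byte_jump follows a 2-byte little-endian length, and the
# final content is "IPC$" as UTF-16LE followed by a NUL terminator.
# Sets flowbit smb.tree.connect.ipc; no rule on this page tests it, the
# consumer must live elsewhere in the rule set.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E2[rb] NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:22466; rev:7;)

# E2 -- ten contiguous 0x90 bytes toward RPC/NetBIOS/SMB ports.
# No flow or offset constraint, so any payload byte run qualifies; expect
# benign hits on binary transfers over these ports. NOTE(review): the msg says
# "unicode NOOP" but the pattern is plain 0x90s, not 0x90 0x00 pairs -- the
# label may be stale; confirm which form was intended.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 90 90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:299913; rev:1;)

# E2 -- LSASS exploit filler (eEye AD20040501 / Sasser), loose variant.
# A run of 0x31 ('1') bytes anywhere in a packet to 445, with no flow or
# position constraint. Its pattern is a prefix of the one in sid:22000032, so
# it fires on everything that rule fires on plus more; both carry
# classtype:misc-activity, so review priority if these are tuned.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] BotHunter EXPLOIT LSA exploit"; content:"|3131313131313131313131313131313131313131313131|"; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:292000032; rev:99; )

# E2 -- LSASS exploit filler, constrained variant.
# Longer 0x31 run, to_server on an established session, searched only in the
# byte window starting at offset 78 and ending at depth 192 from payload start.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|31313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:22000032; rev:6; )

# E3 -- outbound HTTP request for a .exe from a local source port 1028-1040.
# Three independent contents: "GET", "HTTP", ".exe". In Snort, depth:300 binds
# only to the content it follows, so just ".exe" is limited to the first 300
# bytes; "GET" and "HTTP" are unanchored. No flow keyword, so direction is
# enforced only by the header (source port range), not by session state.
alert tcp $HOME_NET 1028:1040 -> $EXTERNAL_NET any (msg: "E3[rb] BotHunter HTTP-based .exe Upload on backdoor port"; content:"GET"; content: "HTTP"; content: ".exe"; depth: 300; classtype: misc-activity; sid:3000003; rev:99; )

# E3 -- inbound HTTP response to a local port 1030-1040 whose Content-Type is
# application/x-exe within the first 300 bytes. Pairs with sid:3000003 but
# note the port ranges differ (1028:1040 vs 1030:1040); confirm that is intended.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1030:1040 (msg: "E3[rb] BotHunter HTTP-based .exe Upload on backdoor port"; content:"Content-Type\: application/x-exe"; depth: 300; classtype: misc-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; sid:3000000; rev:99; )

# E3 -- DOS/PE executable delivered inbound on any port except 20 (FTP-data).
# "MZ" and the DOS stub text are matched independently (no distance/within),
# flow:established carries no direction. No classtype is set, so this rule
# takes Snort's default priority.
alert tcp $EXTERNAL_NET !20 -> $HOME_NET any (msg:"E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host"; content: "MZ"; content: "This program cannot be run in DOS mode"; flow: established; sid:2001683; rev:3;)

# E3 -- PE executable delivered inbound: "MZ" followed by the "PE\0\0"
# signature within 250 bytes of the end of the "MZ" match. Files whose PE
# header sits beyond that window are not covered; same port/flow caveats as
# sid:2001683, and also no classtype.
alert tcp $EXTERNAL_NET !20 -> $HOME_NET any (msg:"E3[rb] BotHunter Malware Windows executable (PE) sent from remote host"; content: "MZ"; content: "PE|00 00|"; within:250; flow: established; sid:5001684; rev:99;)

# E4 -- outbound IRC JOIN to the "&virtu" channel on port 65520, attributed
# by the msg to W32.Virut.A (ET sid 2003603). Only fires on the literal
# channel prefix and that one port.
alert tcp $HOME_NET any -> $EXTERNAL_NET 65520 (msg:"E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; classtype:trojan-activity; reference:url,www.bitcrank.net; sid:2003603; rev:2;)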