Botnet

EvilFingers is bringing together one of the most diverse data sets to provide a portal that helps the community. nG is aimed at bringing in honeypot data from various places around the world. The Botnet page is aimed at publishing details on botnet-infected hosts that could help our security community. So far we have focused on bringing Emerging Threats (ET) information to our site, since they have the most up-to-date information on such IPs. Matt Jonkman has done a great job in putting things together and in being a helping hand for our community.

Botnet Rules 1

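# Group 1 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [12.106.223.17,121.119.172.49,121.78.53.94,124.137.163.132,124.217.230.173,124.246.24.204,124.38.150.118,124.82.154.121,125.160.17.71,125.160.17.72,128.121.20.113,128.39.2.28,130.237.188.200,130.240.22.201,137.82.84.45,140.113.102.162,140.129.165.67,140.186.123.133,140.186.123.134,140.186.123.146,140.186.181.106,140.211.166.64,141.213.238.252,142.179.155.242,143.248.31.122,145.89.150.59,146.83.111.35,147.127.160.120,147.32.127.200,148.229.9.5,149.9.1.16,150.254.6.206,151.189.0.165,158.38.8.251,163.22.73.2,163.25.104.18,168.143.39.116,168.187.115.136,189.162.86.162,189.200.60.2,190.146.40.136,192.116.231.44,192.36.125.79,193.109.122.77,193.138.229.10,193.138.229.11,193.138.229.18,193.163.220.3,193.185.49.186,193.198.12.3,193.200.193.4,193.202.83.129,193.219.61.23,193.23.141.104,193.23.141.114,193.23.141.90,193.230.174.38,193.251.84.224,193.27.229.245,193.34.88.42] any (msg:"ET DROP Known Bot C&C Server Traffic (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404000; rev:1336;)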

Botnet Rules 2

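# Group 2 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [193.68.150.140,193.71.199.6,194.1.163.1,194.109.129.220,194.109.129.222,194.109.20.90,194.109.206.106,194.109.206.107,194.109.64.131,194.117.194.78,194.12.253.152,194.126.174.116,194.126.217.2,194.146.224.152,194.149.73.154,194.149.73.161,194.149.73.55,194.149.73.80,194.159.164.195,194.159.164.211,194.19.26.178,194.19.26.193,194.204.14.151,194.204.19.34,194.68.45.50,195.111.64.195,195.12.59.195,195.12.59.196,195.14.47.164,195.140.202.142,195.144.12.5,195.149.21.43,195.169.138.124,195.18.164.194,195.188.16.5,195.197.110.166,195.2.117.33,195.222.5.209,195.225.204.134,195.28.165.201,195.28.165.48,195.50.191.12,195.50.191.14,195.54.159.109,195.54.211.181,195.58.33.236,195.68.206.250,195.70.51.164,195.85.200.10,195.85.200.11,195.85.200.12,195.85.200.13,195.85.200.14,195.85.200.15,195.85.200.16,195.91.176.3,196.2.17.10,196.202.248.21,196.34.88.5,198.252.144.2] any (msg:"ET DROP Known Bot C&C Server Traffic (group 2) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404001; rev:1336;)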

Botnet Rules 3

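# Group 3 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [198.252.195.2,198.3.160.3,200.111.64.252,200.129.242.243,200.137.160.189,200.27.248.67,200.28.222.214,200.29.0.66,200.45.0.67,200.76.29.43,200.83.0.116,200.88.241.226,200.93.193.242,201.218.128.67,202.134.0.13,202.134.0.199,202.143.128.163,202.148.13.74,202.156.1.18,202.158.3.23,202.164.182.18,202.181.31.243,202.75.49.178,202.82.202.142,202.91.34.9,202.91.37.40,203.116.63.82,203.116.63.89,203.15.51.150,203.150.2.225,203.171.78.52,203.173.90.250,203.211.134.46,203.26.195.2,203.27.221.42,203.81.56.66,203.94.175.139,203.97.23.182,204.16.200.180,204.8.220.130,204.8.34.130,204.92.73.10,205.188.234.121,205.210.145.3,206.111.186.16,206.225.91.81,206.41.117.196,206.41.117.92,206.59.139.195,206.63.81.82,206.63.81.87,206.63.81.89,207.126.115.49,207.162.194.151,207.192.72.99,207.192.75.185,207.210.208.16,207.218.240.189,207.44.144.81,207.45.69.69] any (msg:"ET DROP Known Bot C&C Server Traffic (group 3) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404002; rev:1336;)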

Botnet Rules 4

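# Group 4 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [208.101.15.210,208.101.58.27,208.109.82.106,208.110.65.135,208.110.69.227,208.111.35.75,208.112.126.229,208.116.45.218,208.116.45.221,208.146.35.105,208.146.35.106,208.167.237.120,208.185.81.205,208.185.81.223,208.185.81.243,208.185.81.252,208.186.16.34,208.27.69.193,208.51.40.10,208.51.40.2,208.53.132.149,208.53.135.99,208.53.148.111,208.53.148.250,208.53.148.9,208.53.163.194,208.53.175.92,208.53.176.137,208.53.183.113,208.53.185.98,208.68.106.138,208.72.157.63,208.75.208.201,208.75.89.242,208.76.248.162,208.82.112.107,208.88.52.144,208.98.1.37,208.98.14.10,208.98.14.6,208.98.19.12,208.98.19.18,208.98.19.2,208.98.19.3,208.98.19.4,208.98.19.5,208.98.19.6,208.98.28.211,208.98.34.138,208.98.34.149,208.98.42.113,208.98.42.117,208.98.42.78,208.98.42.81,208.98.42.87,208.98.47.50,208.98.60.110,208.98.61.60,208.98.9.223,208.99.193.130] any (msg:"ET DROP Known Bot C&C Server Traffic (group 4) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404003; rev:1336;)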

Botnet Rules 5

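# Group 5 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [208.99.193.134,209.11.244.124,209.11.244.82,209.133.11.130,209.133.11.161,209.133.11.179,209.133.11.185,209.133.11.197,209.133.11.209,209.133.11.212,209.133.11.214,209.133.11.220,209.133.11.223,209.133.8.83,209.133.9.109,209.133.9.43,209.133.9.50,209.133.9.56,209.133.9.61,209.205.196.12,209.205.196.2,209.205.196.3,209.234.102.231,209.240.123.9,209.249.249.126,209.250.225.132,209.250.225.144,209.250.225.207,209.250.225.55,209.250.227.194,209.250.227.195,209.250.232.240,209.250.241.35,209.33.98.58,209.61.182.250,209.9.226.187,210.1.199.247,210.107.142.203,210.135.96.98,210.150.125.131,210.188.194.141,210.196.194.166,210.212.128.252,210.221.154.111,211.117.61.231,211.139.120.72,211.162.78.93,211.233.36.76,211.236.177.219,212.101.123.10,212.101.123.11,212.101.123.12,212.101.123.4,212.101.123.5,212.101.123.6,212.101.123.7,212.101.123.8,212.101.123.9,212.105.98.2,212.146.145.91] any (msg:"ET DROP Known Bot C&C Server Traffic (group 5) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404004; rev:1336;)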

Botnet Rules 6

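# Group 6 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [212.175.158.58,212.178.133.174,212.182.63.110,212.239.40.237,212.241.214.212,212.241.216.224,212.241.221.113,212.40.5.191,212.47.213.122,212.59.199.131,212.71.19.100,212.71.19.106,212.73.209.227,212.91.161.18,212.95.38.107,212.95.38.240,212.95.40.73,212.95.45.25,212.95.46.44,212.95.46.58,213.131.156.50,213.131.156.51,213.146.63.33,213.155.2.184,213.155.2.187,213.158.233.60,213.17.153.11,213.186.45.19,213.198.58.28,213.202.224.142,213.202.245.12,213.202.247.105,213.206.99.94,213.215.31.19,213.219.249.66,213.234.193.74,213.236.208.178,213.239.131.28,213.243.10.10,213.244.180.180,213.247.51.21,213.248.53.3,213.248.60.142,213.251.165.194,213.48.150.3,213.48.150.5,213.53.107.38,216.12.208.217,216.128.229.170,216.139.234.159,216.145.22.120,216.146.46.44,216.147.161.118,216.151.169.147,216.152.66.62,216.152.67.30,216.193.223.223,216.218.163.69,216.25.44.122,216.25.44.16] any (msg:"ET DROP Known Bot C&C Server Traffic (group 6) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404005; rev:1336;)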

Botnet Rules 7

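# Group 7 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [216.25.44.5,216.253.186.108,216.40.254.4,216.6.230.99,216.6.232.106,216.70.248.99,216.82.127.91,216.86.159.232,216.87.78.181,217.11.227.38,217.112.87.121,217.17.33.10,217.172.181.56,217.195.117.140,217.196.95.77,217.20.16.131,217.23.135.135,217.26.49.12,217.29.87.254,217.67.230.218,217.75.128.65,217.79.190.131,217.8.243.11,218.108.55.189,218.152.48.227,218.214.33.30,218.38.34.84,218.44.249.117,219.166.12.212,219.252.177.101,219.96.194.10,220.119.42.3,222.119.86.100,222.122.132.211,222.122.43.42,222.122.43.50,222.128.244.119,222.177.11.165,222.214.216.227,24.236.142.97,24.240.168.165,24.96.210.16,38.100.91.113,38.100.91.115,38.106.96.203,58.80.229.212,59.106.12.140,59.125.13.220,59.2.28.212,61.104.88.61,61.235.150.74,61.239.249.238,61.29.60.169,61.4.215.13,62.141.48.112,62.141.48.164,62.141.49.112,62.141.49.164,62.141.56.158] any (msg:"ET DROP Known Bot C&C Server Traffic (group 7) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404006; rev:1336;)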

Botnet Rules 8

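# Group 8 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [62.141.56.98,62.141.57.98,62.181.209.201,62.212.66.205,62.212.67.65,62.24.64.27,62.42.230.93,62.45.52.82,62.75.143.63,63.167.66.5,63.168.242.229,63.173.172.98,63.223.64.44,63.224.207.105,63.243.153.235,63.243.153.238,63.243.153.239,63.243.153.247,63.245.208.159,64.12.165.56,64.124.159.66,64.124.16.119,64.124.180.128,64.125.185.222,64.127.41.30,64.127.41.31,64.13.230.162,64.136.63.187,64.15.77.71,64.150.180.13,64.157.176.246,64.16.210.102,64.161.255.2,64.179.90.59,64.18.129.240,64.18.129.247,64.18.131.116,64.18.138.115,64.18.139.60,64.18.139.82,64.18.140.158,64.191.63.185,64.237.34.150,64.32.12.108,64.32.12.116,64.32.12.118,64.32.12.203,64.32.13.143,64.32.13.152,64.32.14.92,64.32.16.175,64.32.2.131,64.32.20.230,64.32.21.85,64.32.31.2,64.32.31.75,64.34.161.121,64.34.161.89,64.34.202.227,64.34.203.207] any (msg:"ET DROP Known Bot C&C Server Traffic (group 8) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404007; rev:1336;)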

Botnet Rules 9

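# Group 9 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [64.62.190.245,64.62.190.36,64.62.190.73,64.79.213.249,64.85.160.108,64.85.160.30,64.85.161.140,64.85.162.202,64.85.162.66,64.85.164.253,64.85.164.73,64.85.165.252,64.86.133.136,64.86.133.165,64.86.25.248,64.89.27.36,65.110.41.130,65.110.62.181,65.110.62.93,65.111.168.18,65.111.172.48,65.19.176.253,65.217.52.208,65.23.153.98,65.23.156.37,65.23.157.4,65.40.27.109,65.41.154.19,66.111.35.104,66.111.36.61,66.111.37.204,66.139.78.150,66.154.9.216,66.160.135.21,66.160.197.76,66.165.177.88,66.180.172.16,66.184.117.12,66.194.119.254,66.197.252.40,66.198.80.67,66.207.164.29,66.212.28.20,66.220.1.185,66.220.1.52,66.220.1.59,66.220.1.66,66.225.200.20,66.225.200.30,66.225.200.52,66.225.200.62,66.225.223.109,66.225.223.112,66.225.223.115,66.225.223.16,66.225.223.38,66.225.223.52,66.225.223.70,66.225.223.91,66.225.225.225] any (msg:"ET DROP Known Bot C&C Server Traffic (group 9) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404008; rev:1336;)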

Botnet Rules 10

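# Group 10 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [66.225.225.66,66.235.214.116,66.246.149.4,66.249.128.230,66.249.8.104,66.249.8.95,66.252.1.110,66.252.1.203,66.252.1.210,66.252.10.203,66.252.10.206,66.252.10.213,66.252.10.222,66.252.10.230,66.252.10.234,66.252.11.220,66.252.11.248,66.252.11.41,66.252.11.69,66.252.11.73,66.252.11.76,66.252.11.9,66.252.12.39,66.252.12.48,66.252.12.51,66.252.12.53,66.252.12.54,66.252.12.55,66.252.12.56,66.252.13.154,66.252.13.178,66.252.13.206,66.252.13.209,66.252.13.215,66.252.13.219,66.252.13.221,66.252.13.224,66.252.13.225,66.252.13.233,66.252.13.237,66.252.13.242,66.252.13.245,66.252.19.10,66.252.19.104,66.252.19.11,66.252.19.114,66.252.19.19,66.252.19.26,66.252.19.34,66.252.19.41,66.252.19.43,66.252.19.61,66.252.19.74,66.252.19.80,66.252.19.86,66.252.2.136,66.252.2.137,66.252.2.139,66.252.2.140,66.252.2.142] any (msg:"ET DROP Known Bot C&C Server Traffic (group 10) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404009; rev:1336;)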

Botnet Rules 11

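# Group 11 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [66.252.2.149,66.252.2.152,66.252.2.154,66.252.2.167,66.252.2.185,66.252.24.10,66.252.24.167,66.252.24.178,66.252.24.231,66.252.24.3,66.252.24.32,66.252.24.47,66.252.24.6,66.252.24.8,66.252.25.126,66.252.26.124,66.252.26.126,66.252.27.126,66.252.28.102,66.252.28.120,66.252.28.141,66.252.28.177,66.252.28.182,66.252.28.185,66.252.28.205,66.252.28.215,66.252.28.237,66.252.29.130,66.252.29.235,66.252.29.33,66.252.30.109,66.252.30.122,66.252.30.123,66.252.30.168,66.252.30.205,66.252.30.225,66.252.30.242,66.252.31.208,66.252.31.210,66.252.31.212,66.252.4.222,66.252.6.97,66.252.7.132,66.252.7.142,66.252.7.148,66.28.104.6,66.45.234.200,66.48.66.152,66.7.192.11,66.90.108.46,66.90.118.88,66.90.82.25,66.90.97.227,67.159.17.231,67.159.24.11,67.159.24.12,67.159.24.190,67.159.26.180,67.159.27.26,67.18.161.254] any (msg:"ET DROP Known Bot C&C Server Traffic (group 11) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404010; rev:1336;)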

Botnet Rules 12

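# Group 12 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [67.18.176.176,67.18.208.96,67.19.192.211,67.19.192.212,67.19.192.213,67.19.238.44,67.19.246.130,67.198.203.98,67.198.203.99,67.202.101.52,67.202.83.179,67.202.83.188,67.210.234.18,67.220.137.128,67.220.137.47,67.220.137.53,67.220.66.166,67.220.66.168,67.220.66.2,67.220.66.240,67.220.66.248,67.220.73.107,67.220.74.70,67.228.162.213,67.228.162.69,67.228.42.241,67.228.99.245,67.43.224.216,67.43.226.242,67.43.226.243,67.43.226.244,67.43.226.245,67.43.226.246,67.43.226.7,67.43.227.105,67.43.230.46,67.43.232.178,67.43.232.34,67.43.232.36,67.43.233.66,67.43.236.106,67.43.236.196,67.43.236.66,67.43.236.67,67.43.236.68,67.43.236.69,67.43.236.99,68.186.222.72,68.75.207.189,69.12.224.56,69.13.205.50,69.147.228.155,69.147.233.143,69.16.172.2,69.162.77.67,69.162.77.75,69.162.77.76,69.162.77.79,69.18.206.194,69.20.226.82] any (msg:"ET DROP Known Bot C&C Server Traffic (group 12) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404011; rev:1336;)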

Botnet Rules 13

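# Group 13 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [69.20.231.81,69.213.57.174,69.30.232.148,69.36.111.69,69.39.226.10,69.39.226.131,69.39.226.132,69.39.226.133,69.39.226.140,69.39.226.141,69.39.226.38,69.39.226.59,69.39.226.61,69.39.226.69,69.42.209.227,69.42.209.228,69.42.209.229,69.42.209.230,69.42.209.231,69.42.209.232,69.42.209.233,69.42.209.60,69.42.214.189,69.42.214.4,69.42.215.152,69.42.215.180,69.42.215.184,69.42.215.20,69.42.215.7,69.42.216.106,69.42.216.108,69.42.216.89,69.42.217.170,69.42.219.194,69.42.219.48,69.42.219.50,69.42.221.115,69.42.221.253,69.42.222.130,69.42.223.148,69.42.69.186,69.42.74.177,69.57.128.172,69.60.110.195,69.60.123.193,69.60.124.82,69.61.67.10,69.64.32.40,69.64.35.127,69.64.35.174,69.64.39.194,69.64.39.201,69.64.39.202,69.64.47.42,69.64.49.80,69.64.50.61,69.64.53.247,69.64.53.248,69.64.59.238,69.64.59.61] any (msg:"ET DROP Known Bot C&C Server Traffic (group 13) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404012; rev:1336;)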

Botnet Rules 14

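# Group 14 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [69.64.76.38,69.64.92.215,69.65.58.205,69.80.225.111,69.93.229.206,69.93.9.12,70.168.231.17,70.84.182.98,70.85.129.195,70.85.129.223,70.85.132.98,70.85.220.98,70.85.222.107,70.85.31.213,70.87.44.114,71.230.124.202,71.6.152.187,71.6.216.117,71.6.216.17,71.6.216.18,71.6.216.33,71.6.216.62,71.6.216.75,71.6.231.75,72.1.240.135,72.10.162.100,72.10.163.194,72.10.163.240,72.10.169.26,72.10.172.210,72.10.172.211,72.10.172.212,72.10.172.213,72.10.172.214,72.10.172.218,72.11.142.40,72.174.8.243,72.20.1.162,72.20.13.57,72.20.13.60,72.20.13.89,72.20.14.193,72.20.14.195,72.20.14.216,72.20.14.220,72.20.14.221,72.20.14.243,72.20.15.189,72.20.15.196,72.20.15.208,72.20.15.211,72.20.15.222,72.20.15.229,72.20.15.237,72.20.15.247,72.20.15.85,72.20.17.147,72.20.17.167,72.20.17.178,72.20.17.186] any (msg:"ET DROP Known Bot C&C Server Traffic (group 14) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404013; rev:1336;)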

Botnet Rules 15

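# Group 15 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [72.20.17.21,72.20.18.176,72.20.18.26,72.20.18.30,72.20.18.34,72.20.19.239,72.20.21.109,72.20.21.115,72.20.21.116,72.20.21.117,72.20.21.122,72.20.21.124,72.20.21.126,72.20.21.33,72.20.21.36,72.20.21.37,72.20.21.43,72.20.21.45,72.20.21.55,72.20.21.57,72.20.21.59,72.20.21.61,72.20.23.105,72.20.23.74,72.20.23.92,72.20.23.96,72.20.24.12,72.20.24.145,72.20.24.148,72.20.24.154,72.20.24.21,72.20.24.32,72.20.24.42,72.20.24.44,72.20.24.9,72.20.25.140,72.20.25.28,72.20.27.105,72.20.27.113,72.20.27.119,72.20.27.183,72.20.28.133,72.20.28.150,72.20.28.234,72.20.29.251,72.20.34.209,72.20.35.120,72.20.35.191,72.20.35.70,72.20.38.9,72.20.39.107,72.20.40.105,72.20.40.36,72.20.40.45,72.20.40.52,72.20.41.212,72.20.42.107,72.20.42.245,72.20.46.108,72.20.46.133] any (msg:"ET DROP Known Bot C&C Server Traffic (group 15) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404014; rev:1336;)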

Botnet Rules 16

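# Group 16 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [72.20.46.85,72.20.48.111,72.20.48.84,72.20.48.95,72.20.5.242,72.20.50.94,72.20.51.201,72.20.52.75,72.20.52.80,72.20.56.59,72.20.57.119,72.20.57.120,72.20.57.249,72.20.57.254,72.214.7.195,72.232.227.178,72.32.146.136,72.36.154.122,72.36.180.130,72.36.252.163,72.54.112.155,72.55.133.248,72.8.134.132,72.8.134.137,72.8.134.139,72.8.134.143,72.8.134.178,72.8.134.190,72.8.156.3,72.90.73.67,74.200.209.34,74.208.66.154,74.210.138.53,74.41.18.106,74.52.7.109,74.52.73.98,74.53.185.176,74.54.63.29,74.63.88.116,74.63.90.108,74.7.18.109,74.86.54.247,75.101.150.24,75.125.196.222,75.125.46.153,75.126.232.194,76.101.202.62,76.168.123.153,76.183.180.110,76.192.229.129,76.76.11.208,76.76.19.35,76.76.19.73,76.76.4.185,77.239.185.205,77.247.178.38,77.59.219.91,77.65.43.99,77.67.101.101,77.74.195.195] any (msg:"ET DROP Known Bot C&C Server Traffic (group 16) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404015; rev:1336;)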

Botnet Rules 17

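# Group 17 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [77.75.110.17,77.92.67.81,78.129.140.57,78.129.140.80,78.129.223.147,78.129.228.10,78.129.228.16,78.129.228.23,78.129.228.32,78.129.228.39,78.159.108.41,78.46.34.2,8.19.34.195,8.7.233.233,8.7.233.44,8.9.17.72,80.126.201.245,80.154.33.35,80.179.155.4,80.184.19.178,80.190.246.162,80.241.173.191,80.244.229.38,80.244.90.117,80.38.135.73,80.51.159.122,80.64.138.34,80.64.140.13,80.68.89.201,80.86.82.22,80.86.94.81,80.86.94.82,80.86.94.83,80.86.94.84,80.86.94.85,80.86.94.86,81.149.127.127,81.167.229.172,81.169.134.201,81.169.141.6,81.169.142.172,81.169.168.122,81.171.46.226,81.180.164.254,81.211.38.19,81.211.7.122,81.243.250.166,81.255.150.102,81.26.211.130,81.29.65.57,81.31.33.35,81.88.53.122,81.9.51.98,81.95.6.62,82.127.59.89,82.138.241.150,82.146.44.39,82.146.51.147,82.146.51.167,82.146.51.59] any (msg:"ET DROP Known Bot C&C Server Traffic (group 17) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404016; rev:1336;)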

Botnet Rules 18

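# Group 18 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [82.146.52.135,82.146.52.179,82.165.139.95,82.165.154.249,82.192.74.38,82.192.75.215,82.2.201.58,82.211.5.111,82.94.222.186,83.136.81.183,83.137.41.33,83.137.97.250,83.140.162.126,83.140.172.210,83.140.172.211,83.140.172.212,83.142.48.72,83.142.83.89,83.142.85.10,83.170.81.103,83.170.81.4,83.170.89.250,83.170.89.253,83.170.90.218,83.176.253.148,83.2.83.1,83.227.140.135,83.228.101.106,83.243.46.2,83.246.72.49,83.64.192.132,84.108.9.96,84.11.26.30,84.16.231.52,84.16.235.193,84.16.235.194,84.16.240.155,84.16.245.178,84.19.172.222,84.19.172.226,84.19.172.235,84.19.178.116,84.19.179.116,84.19.180.62,84.200.242.4,84.200.7.128,84.200.7.8,84.250.38.92,85.113.244.134,85.114.129.197,85.119.154.157,85.131.154.44,85.14.216.215,85.14.218.3,85.14.218.4,85.17.139.11,85.17.139.182,85.17.207.164,85.17.52.66,85.17.89.10] any (msg:"ET DROP Known Bot C&C Server Traffic (group 18) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404017; rev:1336;)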

Botnet Rules 19

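# Group 19 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [85.18.250.2,85.194.148.35,85.196.81.211,85.196.81.25,85.196.86.29,85.197.99.230,85.21.79.12,85.21.82.55,85.214.27.94,85.214.33.132,85.214.36.108,85.214.44.218,85.214.72.189,85.214.74.139,85.236.110.226,85.24.148.113,85.25.252.111,85.25.6.58,85.30.130.83,85.95.69.186,86.104.221.82,86.106.109.99,86.34.169.83,86.58.165.10,87.106.138.9,87.106.185.145,87.106.243.152,87.106.61.8,87.118.102.151,87.118.102.81,87.118.103.151,87.118.103.81,87.118.104.193,87.118.105.193,87.118.106.99,87.118.107.99,87.118.108.117,87.118.114.252,87.118.99.85,87.120.218.10,87.230.18.48,87.98.250.122,88.147.128.15,88.181.254.5,88.198.236.100,88.40.69.43,88.80.6.119,88.84.156.172,88.85.242.244,89.106.171.39,89.108.84.211,89.108.88.150,89.149.194.212,89.149.203.190,89.149.203.191,89.149.203.85,89.149.203.86,89.149.206.101,89.149.206.48,89.149.210.91] any (msg:"ET DROP Known Bot C&C Server Traffic (group 19) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404018; rev:1336;)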

Botnet Rules 20

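# Group 20 of the "Known Bot C&C Server" list: alerts when a $HOME_NET host sends any IP traffic to a listed address.
# Action is "alert" - despite "DROP" in the msg, nothing is blocked. threshold caps it at one alert per source host per 3600 s.
# Point-in-time snapshot (rev 1336): refresh from the current Emerging Threats ruleset before deploying; on a hit, triage the internal source host.
alert ip $HOME_NET any -> [89.149.210.96,89.149.250.227,89.163.145.15,89.163.179.130,89.163.193.16,89.171.59.5,89.202.247.162,89.208.34.166,89.238.135.210,89.238.135.218,89.238.135.223,89.248.161.51,89.248.166.198,89.250.0.4,89.46.34.205,89.46.34.45,90.157.175.133,91.102.77.75,91.121.147.64,91.121.17.225,91.121.176.144,91.121.180.102,91.121.2.38,91.121.54.196,91.187.122.52,91.191.161.119,91.191.162.137,91.192.36.142,92.114.4.2,92.241.164.61,93.174.0.27,93.190.137.240,93.190.139.60,94.75.208.172,94.76.192.94,98.172.115.10,98.202.50.229,99.161.130.220] any (msg:"ET DROP Known Bot C&C Server Traffic (group 20) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404019; rev:1336;)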