################################################################ # abuse.ch SSL IPBL for Suricata / Snort (Aggressive) # # Last updated: 2018-09-21 04:00:01 (UTC) # # # # Terms Of Use: https://sslbl.abuse.ch/blacklist/ # # For questions please contact sslbl [at] abuse.ch # ################################################################ alert tcp $HOME_NET any -> [162.213.24.51] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200000; rev:1;) alert tcp $HOME_NET any -> [91.217.85.16] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200001; rev:1;) alert tcp $HOME_NET any -> [5.39.222.254] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200002; rev:1;) alert tcp $HOME_NET any -> [162.243.131.29] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200003; rev:1;) alert tcp $HOME_NET any -> [95.181.178.177] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200004; rev:1;) alert tcp $HOME_NET any -> [5.39.222.132] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200005; rev:1;) alert tcp $HOME_NET any -> [89.209.77.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200006; rev:1;) alert tcp $HOME_NET any -> [62.76.190.11] 8085 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200007; rev:1;) alert tcp $HOME_NET any -> [78.110.173.136] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200008; rev:1;) alert tcp $HOME_NET any -> [37.123.102.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200009; rev:1;) alert tcp $HOME_NET any -> [194.47.151.100] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200010; rev:1;) alert tcp $HOME_NET any -> [37.123.99.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200011; rev:1;) alert tcp $HOME_NET any -> [192.210.16.230] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200012; rev:1;) alert tcp $HOME_NET any -> [54.198.19.105] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200013; rev:1;) alert tcp $HOME_NET any -> [188.241.116.45] 44913 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200014; rev:1;) alert tcp $HOME_NET any -> [185.14.28.188] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200015; rev:1;) alert tcp $HOME_NET any -> [198.61.231.19] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200016; rev:1;) alert tcp $HOME_NET any -> [108.163.168.203] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200017; rev:1;) alert tcp $HOME_NET any -> [189.127.48.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200018; rev:1;) alert tcp $HOME_NET any -> [178.20.229.39] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200019; rev:1;) alert tcp $HOME_NET any -> [109.120.161.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200020; rev:1;) alert tcp $HOME_NET any -> [109.120.161.56] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200021; rev:1;) alert tcp $HOME_NET any -> [186.234.246.10] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200022; rev:1;) alert tcp $HOME_NET any -> [85.25.153.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200023; rev:1;) alert tcp $HOME_NET any -> [31.220.7.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200024; rev:1;) alert tcp $HOME_NET any -> [188.241.112.184] 41513 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200025; rev:1;) alert tcp $HOME_NET any -> [78.47.215.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200026; rev:1;) alert tcp $HOME_NET any -> [5.39.222.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200027; rev:1;) alert tcp $HOME_NET any -> [162.243.150.28] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200028; rev:1;) alert tcp $HOME_NET any -> [91.210.189.118] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200029; rev:1;) alert tcp $HOME_NET any -> [216.58.117.114] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200030; rev:1;) alert tcp $HOME_NET any -> [199.167.42.183] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200031; rev:1;) alert tcp $HOME_NET any -> [95.215.46.150] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200032; rev:1;) alert tcp $HOME_NET any -> [217.174.100.237] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200033; rev:1;) alert tcp $HOME_NET any -> [87.224.225.224] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200034; rev:1;) alert tcp $HOME_NET any -> [216.3.111.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200035; rev:1;) alert tcp $HOME_NET any -> [94.100.95.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200036; rev:1;) alert tcp $HOME_NET any -> [162.218.233.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200037; rev:1;) alert tcp $HOME_NET any -> [37.59.47.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200038; rev:1;) alert tcp $HOME_NET any -> [54.197.49.202] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200039; rev:1;) alert tcp $HOME_NET any -> [192.161.182.178] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200040; rev:1;) alert tcp $HOME_NET any -> [85.10.228.68] 59131 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200041; rev:1;) alert tcp $HOME_NET any -> [89.39.83.153] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200042; rev:1;) alert tcp $HOME_NET any -> [194.58.100.232] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200043; rev:1;) alert tcp $HOME_NET any -> [178.18.142.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200044; rev:1;) alert tcp $HOME_NET any -> [185.26.146.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200045; rev:1;) alert tcp $HOME_NET any -> [185.36.253.136] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200046; rev:1;) alert tcp $HOME_NET any -> [109.120.161.224] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200047; rev:1;) alert tcp $HOME_NET any -> [192.161.182.214] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200048; rev:1;) alert tcp $HOME_NET any -> [64.120.193.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200049; rev:1;) alert tcp $HOME_NET any -> [95.181.179.240] 32131 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200050; rev:1;) alert tcp $HOME_NET any -> [137.135.208.245] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200051; rev:1;) alert tcp $HOME_NET any -> [209.237.238.211] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200052; rev:1;) alert tcp $HOME_NET any -> [107.181.161.145] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200053; rev:1;) alert tcp $HOME_NET any -> [208.77.23.16] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200054; rev:1;) alert tcp $HOME_NET any -> [91.237.198.61] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200055; rev:1;) alert tcp $HOME_NET any -> [62.210.195.223] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200056; rev:1;) alert tcp $HOME_NET any -> [62.76.185.30] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200057; rev:1;) alert tcp $HOME_NET any -> [37.200.65.119] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely CryptoWall C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200058; rev:1;) alert tcp $HOME_NET any -> [37.139.47.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200059; rev:1;) alert tcp $HOME_NET any -> [109.236.86.213] 62201 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200060; rev:1;) alert tcp $HOME_NET any -> [109.104.183.141] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200061; rev:1;) alert tcp $HOME_NET any -> [94.156.77.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely CryptoWall C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200062; rev:1;) alert tcp $HOME_NET any -> [194.58.97.32] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200063; rev:1;) alert tcp $HOME_NET any -> [54.81.100.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200064; rev:1;) alert tcp $HOME_NET any -> [185.14.28.135] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200065; rev:1;) alert tcp $HOME_NET any -> [191.101.5.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200066; rev:1;) alert tcp $HOME_NET any -> [54.83.35.44] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200067; rev:1;) alert tcp $HOME_NET any -> [148.251.72.75] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200068; rev:1;) alert tcp $HOME_NET any -> [103.11.143.177] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200069; rev:1;) alert tcp $HOME_NET any -> [62.76.41.55] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200070; rev:1;) alert tcp $HOME_NET any -> [192.198.82.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200071; rev:1;) alert tcp $HOME_NET any -> [109.120.165.240] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200072; rev:1;) alert tcp $HOME_NET any -> [109.120.161.77] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200073; rev:1;) alert tcp $HOME_NET any -> [109.120.161.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200074; rev:1;) alert tcp $HOME_NET any -> [5.63.152.177] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200075; rev:1;) alert tcp $HOME_NET any -> [109.237.109.246] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200076; rev:1;) alert tcp $HOME_NET any -> [166.78.174.37] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200077; rev:1;) alert tcp $HOME_NET any -> [79.136.65.12] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200078; rev:1;) alert tcp $HOME_NET any -> [78.135.97.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200079; rev:1;) alert tcp $HOME_NET any -> [176.122.227.28] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200080; rev:1;) alert tcp $HOME_NET any -> [62.109.24.233] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200081; rev:1;) alert tcp $HOME_NET any -> [37.26.93.222] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200082; rev:1;) alert tcp $HOME_NET any -> [191.101.1.94] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200083; rev:1;) alert tcp $HOME_NET any -> [162.247.154.118] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200084; rev:1;) alert tcp $HOME_NET any -> [162.247.154.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200085; rev:1;) alert tcp $HOME_NET any -> [181.41.199.51] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200086; rev:1;) alert tcp $HOME_NET any -> [144.76.249.110] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200087; rev:1;) alert tcp $HOME_NET any -> [222.110.205.22] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200088; rev:1;) alert tcp $HOME_NET any -> [213.175.184.150] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200089; rev:1;) alert tcp $HOME_NET any -> [85.25.99.51] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200090; rev:1;) alert tcp $HOME_NET any -> [37.228.92.146] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200091; rev:1;) alert tcp $HOME_NET any -> [195.62.25.239] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200092; rev:1;) alert tcp $HOME_NET any -> [188.190.117.67] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200093; rev:1;) alert tcp $HOME_NET any -> [178.159.246.12] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200094; rev:1;) alert tcp $HOME_NET any -> [93.188.165.176] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200095; rev:1;) alert tcp $HOME_NET any -> [80.240.133.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200096; rev:1;) alert tcp $HOME_NET any -> [23.89.188.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200097; rev:1;) alert tcp $HOME_NET any -> [146.185.248.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200098; rev:1;) alert tcp $HOME_NET any -> [198.50.171.35] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200099; rev:1;) alert tcp $HOME_NET any -> [141.105.69.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200100; rev:1;) alert tcp $HOME_NET any -> [46.28.68.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200101; rev:1;) alert tcp $HOME_NET any -> [193.124.16.136] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200102; rev:1;) alert tcp $HOME_NET any -> [108.61.198.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200103; rev:1;) alert tcp $HOME_NET any -> [109.120.180.45] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200104; rev:1;) alert tcp $HOME_NET any -> [109.120.190.5] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200105; rev:1;) alert tcp $HOME_NET any -> [109.120.180.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200106; rev:1;) alert tcp $HOME_NET any -> [178.20.225.105] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200107; rev:1;) alert tcp $HOME_NET any -> [54.88.82.254] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200108; rev:1;) alert tcp $HOME_NET any -> [188.241.141.137] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200109; rev:1;) alert tcp $HOME_NET any -> [87.121.52.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200110; rev:1;) alert tcp $HOME_NET any -> [66.23.230.75] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200111; rev:1;) alert tcp $HOME_NET any -> [62.109.24.253] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200112; rev:1;) alert tcp $HOME_NET any -> [141.5.102.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200113; rev:1;) alert tcp $HOME_NET any -> [23.254.203.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200114; rev:1;) alert tcp $HOME_NET any -> [109.200.11.67] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200115; rev:1;) alert tcp $HOME_NET any -> [5.34.183.165] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200116; rev:1;) alert tcp $HOME_NET any -> [195.62.25.239] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200117; rev:1;) alert tcp $HOME_NET any -> [62.76.178.171] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200118; rev:1;) alert tcp $HOME_NET any -> [82.165.129.253] 1863 (msg:"SSL Blacklist: Traffic to malicious host (likely Worm.Dorkbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200119; rev:1;) alert tcp $HOME_NET any -> [162.220.167.4] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200120; rev:1;) alert tcp $HOME_NET any -> [204.95.99.204] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200121; rev:1;) alert tcp $HOME_NET any -> [109.120.150.201] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200122; rev:1;) alert tcp $HOME_NET any -> [109.120.150.127] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200123; rev:1;) alert tcp $HOME_NET any -> [149.154.65.73] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200124; rev:1;) alert tcp $HOME_NET any -> [109.120.180.53] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200125; rev:1;) alert tcp $HOME_NET any -> [31.192.105.57] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200126; rev:1;) alert tcp $HOME_NET any -> [192.95.51.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200127; rev:1;) alert tcp $HOME_NET any -> [204.95.99.205] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200128; rev:1;) alert tcp $HOME_NET any -> [89.144.14.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200129; rev:1;) alert tcp $HOME_NET any -> [77.40.80.253] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200130; rev:1;) alert tcp $HOME_NET any -> [31.41.218.240] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200131; rev:1;) alert tcp $HOME_NET any -> [140.117.170.107] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200132; rev:1;) alert tcp $HOME_NET any -> [166.63.124.226] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200133; rev:1;) alert tcp $HOME_NET any -> [166.78.144.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200134; rev:1;) alert tcp $HOME_NET any -> [185.14.28.158] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200135; rev:1;) alert tcp $HOME_NET any -> [178.63.238.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200136; rev:1;) alert tcp $HOME_NET any -> [68.71.45.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200137; rev:1;) alert tcp $HOME_NET any -> [91.231.85.174] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200138; rev:1;) alert tcp $HOME_NET any -> [87.236.211.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200139; rev:1;) alert tcp $HOME_NET any -> [188.120.236.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200140; rev:1;) alert tcp $HOME_NET any -> [185.25.116.251] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200141; rev:1;) alert tcp $HOME_NET any -> [31.41.218.241] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200142; rev:1;) alert tcp $HOME_NET any -> [192.210.215.6] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200143; rev:1;) alert tcp $HOME_NET any -> [188.241.116.231] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200144; rev:1;) alert tcp $HOME_NET any -> [23.95.15.127] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200145; rev:1;) alert tcp $HOME_NET any -> [23.239.133.106] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200146; rev:1;) alert tcp $HOME_NET any -> [109.120.182.105] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200147; rev:1;) alert tcp $HOME_NET any -> [146.0.72.181] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200148; rev:1;) alert tcp $HOME_NET any -> [109.120.173.251] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200149; rev:1;) alert tcp $HOME_NET any -> [37.59.61.123] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200150; rev:1;) alert tcp $HOME_NET any -> [82.146.36.5] 11039 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200151; rev:1;) alert tcp $HOME_NET any -> [62.109.17.235] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200152; rev:1;) alert tcp $HOME_NET any -> [188.138.177.32] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200153; rev:1;) alert tcp $HOME_NET any -> [93.170.104.137] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200154; rev:1;) alert tcp $HOME_NET any -> [151.248.125.180] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200155; rev:1;) alert tcp $HOME_NET any -> [194.58.102.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200156; rev:1;) alert tcp $HOME_NET any -> [109.120.177.252] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200157; rev:1;) alert tcp $HOME_NET any -> [195.64.154.120] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200158; rev:1;) alert tcp $HOME_NET any -> [82.146.35.231] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200159; rev:1;) alert tcp $HOME_NET any -> [5.39.222.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200160; rev:1;) alert tcp $HOME_NET any -> [31.41.218.225] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200161; rev:1;) alert tcp $HOME_NET any -> [23.94.97.56] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200162; rev:1;) alert tcp $HOME_NET any -> [66.113.74.132] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200163; rev:1;) alert tcp $HOME_NET any -> [108.61.51.174] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200164; rev:1;) alert tcp $HOME_NET any -> [177.234.8.186] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely URLzone C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200165; rev:1;) alert tcp $HOME_NET any -> [93.171.172.240] 52009 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200166; rev:1;) alert tcp $HOME_NET any -> [208.76.52.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200167; rev:1;) alert tcp $HOME_NET any -> [109.236.86.187] 57016 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200168; rev:1;) alert tcp $HOME_NET any -> [166.78.18.204] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200169; rev:1;) alert tcp $HOME_NET any -> [109.120.183.135] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200170; rev:1;) alert tcp $HOME_NET any -> [83.172.8.195] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200171; rev:1;) alert tcp $HOME_NET any -> [162.211.121.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200172; rev:1;) alert tcp $HOME_NET any -> [185.14.30.198] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200173; rev:1;) alert tcp $HOME_NET any -> [91.207.6.22] 40601 (msg:"SSL Blacklist: Traffic to malicious host (likely Spambot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200174; rev:1;) alert tcp $HOME_NET any -> [176.53.19.132] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely URLzone C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200175; rev:1;) alert tcp $HOME_NET any -> [193.124.44.165] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200176; rev:1;) alert tcp $HOME_NET any -> [37.140.195.147] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200177; rev:1;) alert tcp $HOME_NET any -> [31.31.192.32] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200178; rev:1;) alert tcp $HOME_NET any -> [5.34.183.222] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200179; rev:1;) alert tcp $HOME_NET any -> [213.183.58.187] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200180; rev:1;) alert tcp $HOME_NET any -> [194.58.96.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200181; rev:1;) alert tcp $HOME_NET any -> [107.181.174.84] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200182; rev:1;) alert tcp $HOME_NET any -> [94.242.199.101] 61111 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200183; rev:1;) alert tcp $HOME_NET any -> [192.210.208.72] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200184; rev:1;) alert tcp $HOME_NET any -> [185.45.192.251] 49010 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200185; rev:1;) alert tcp $HOME_NET any -> [89.253.225.54] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200186; rev:1;) alert tcp $HOME_NET any -> [87.118.74.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200187; rev:1;) alert tcp $HOME_NET any -> [193.169.86.174] 21793 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200188; rev:1;) alert tcp $HOME_NET any -> [193.124.16.10] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200189; rev:1;) alert tcp $HOME_NET any -> [162.251.69.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200190; rev:1;) alert tcp $HOME_NET any -> [37.59.53.29] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200191; rev:1;) alert tcp $HOME_NET any -> [151.248.126.202] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200192; rev:1;) alert tcp $HOME_NET any -> [109.87.62.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200193; rev:1;) alert tcp $HOME_NET any -> [194.58.101.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely CryptoWall C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200194; rev:1;) alert tcp $HOME_NET any -> [109.120.180.143] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200195; rev:1;) alert tcp $HOME_NET any -> [194.58.101.203] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely CryptoWall C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200196; rev:1;) alert tcp $HOME_NET any -> [92.222.153.157] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200197; rev:1;) alert tcp $HOME_NET any -> [185.14.30.197] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200198; rev:1;) alert tcp $HOME_NET any -> [185.10.57.158] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200199; rev:1;) alert tcp $HOME_NET any -> [31.220.17.68] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200200; rev:1;) alert tcp $HOME_NET any -> [194.58.101.195] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely CryptoWall C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200201; rev:1;) alert tcp $HOME_NET any -> [194.28.174.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200202; rev:1;) alert tcp $HOME_NET any -> [193.124.44.164] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200203; rev:1;) alert tcp $HOME_NET any -> [89.253.228.181] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200204; rev:1;) alert tcp $HOME_NET any -> [94.102.53.173] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak MITM traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200205; rev:1;) alert tcp $HOME_NET any -> [109.163.233.150] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200206; rev:1;) alert tcp $HOME_NET any -> [109.163.233.151] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200207; rev:1;) alert tcp $HOME_NET any -> [178.88.115.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200208; rev:1;) alert tcp $HOME_NET any -> [133.242.50.107] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200209; rev:1;) alert tcp $HOME_NET any -> [193.124.44.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200210; rev:1;) alert tcp $HOME_NET any -> [151.248.118.197] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200211; rev:1;) alert tcp $HOME_NET any -> [146.185.248.22] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200212; rev:1;) alert tcp $HOME_NET any -> [109.236.86.220] 65499 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200213; rev:1;) alert tcp $HOME_NET any -> [109.120.165.20] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200214; rev:1;) alert tcp $HOME_NET any -> [77.245.66.76] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200215; rev:1;) alert tcp $HOME_NET any -> [176.9.177.244] 1890 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200216; rev:1;) alert tcp $HOME_NET any -> [195.248.235.219] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200217; rev:1;) alert tcp $HOME_NET any -> [188.227.179.83] 41573 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200218; rev:1;) alert tcp $HOME_NET any -> [109.120.182.188] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200219; rev:1;) alert tcp $HOME_NET any -> [109.120.177.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200220; rev:1;) alert tcp $HOME_NET any -> [91.218.230.8] 29200 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200221; rev:1;) alert tcp $HOME_NET any -> [109.120.173.94] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200222; rev:1;) alert tcp $HOME_NET any -> [188.165.204.210] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200223; rev:1;) alert tcp $HOME_NET any -> [77.40.119.145] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200224; rev:1;) alert tcp $HOME_NET any -> [149.210.140.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200225; rev:1;) alert tcp $HOME_NET any -> [62.109.16.244] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200226; rev:1;) alert tcp $HOME_NET any -> [109.236.86.220] 37707 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200227; rev:1;) alert tcp $HOME_NET any -> [94.23.236.54] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200228; rev:1;) alert tcp $HOME_NET any -> [72.232.41.213] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200229; rev:1;) alert tcp $HOME_NET any -> [194.58.103.136] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200230; rev:1;) alert tcp $HOME_NET any -> [109.120.164.205] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200231; rev:1;) alert tcp $HOME_NET any -> [194.58.103.168] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200232; rev:1;) alert tcp $HOME_NET any -> [80.69.77.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200233; rev:1;) alert tcp $HOME_NET any -> [77.221.145.66] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200234; rev:1;) alert tcp $HOME_NET any -> [178.124.140.143] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200235; rev:1;) alert tcp $HOME_NET any -> [194.58.47.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200236; rev:1;) alert tcp $HOME_NET any -> [194.58.108.118] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200237; rev:1;) alert tcp $HOME_NET any -> [217.12.199.52] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200238; rev:1;) alert tcp $HOME_NET any -> [185.20.224.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200239; rev:1;) alert tcp $HOME_NET any -> [162.220.8.120] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200240; rev:1;) alert tcp $HOME_NET any -> [151.248.114.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200241; rev:1;) alert tcp $HOME_NET any -> [62.210.172.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200242; rev:1;) alert tcp $HOME_NET any -> [37.228.91.171] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200243; rev:1;) alert tcp $HOME_NET any -> [194.58.103.231] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200244; rev:1;) alert tcp $HOME_NET any -> [198.27.110.173] 4881 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200245; rev:1;) alert tcp $HOME_NET any -> [194.58.103.150] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200246; rev:1;) alert tcp $HOME_NET any -> [108.61.49.30] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200247; rev:1;) alert tcp $HOME_NET any -> [92.63.100.216] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200248; rev:1;) alert tcp $HOME_NET any -> [37.59.2.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200249; rev:1;) alert tcp $HOME_NET any -> [108.61.51.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200250; rev:1;) alert tcp $HOME_NET any -> [31.31.203.149] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200251; rev:1;) alert tcp $HOME_NET any -> [95.163.121.209] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200252; rev:1;) alert tcp $HOME_NET any -> [188.165.222.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200253; rev:1;) alert tcp $HOME_NET any -> [46.30.42.22] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200254; rev:1;) alert tcp $HOME_NET any -> [185.15.208.228] 37189 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200255; rev:1;) alert tcp $HOME_NET any -> [94.23.35.188] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200256; rev:1;) alert tcp $HOME_NET any -> [188.120.253.63] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200257; rev:1;) alert tcp $HOME_NET any -> [77.221.145.89] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200258; rev:1;) alert tcp $HOME_NET any -> [77.221.145.85] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200259; rev:1;) alert tcp $HOME_NET any -> [188.165.251.144] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200260; rev:1;) alert tcp $HOME_NET any -> [37.59.46.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200261; rev:1;) alert tcp $HOME_NET any -> [64.251.31.170] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200262; rev:1;) alert tcp $HOME_NET any -> [94.23.35.188] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200263; rev:1;) alert tcp $HOME_NET any -> [109.236.86.221] 55999 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200264; rev:1;) alert tcp $HOME_NET any -> [37.228.91.172] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200265; rev:1;) alert tcp $HOME_NET any -> [93.190.95.246] 44373 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200266; rev:1;) alert tcp $HOME_NET any -> [198.58.95.49] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200267; rev:1;) alert tcp $HOME_NET any -> [5.9.106.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Teslacrypt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200268; rev:1;) alert tcp $HOME_NET any -> [46.161.30.16] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200269; rev:1;) alert tcp $HOME_NET any -> [199.204.45.197] 8586 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200270; rev:1;) alert tcp $HOME_NET any -> [176.99.121.195] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200271; rev:1;) alert tcp $HOME_NET any -> [75.127.2.101] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200272; rev:1;) alert tcp $HOME_NET any -> [213.239.196.143] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200273; rev:1;) alert tcp $HOME_NET any -> [95.211.223.206] 38193 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200274; rev:1;) alert tcp $HOME_NET any -> [37.59.46.50] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200275; rev:1;) alert tcp $HOME_NET any -> [188.165.227.37] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200276; rev:1;) alert tcp $HOME_NET any -> [109.120.181.170] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200277; rev:1;) alert tcp $HOME_NET any -> [185.22.232.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200278; rev:1;) alert tcp $HOME_NET any -> [185.22.232.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Teslacrypt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200279; rev:1;) alert tcp $HOME_NET any -> [159.253.19.103] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200280; rev:1;) alert tcp $HOME_NET any -> [188.165.251.144] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200281; rev:1;) alert tcp $HOME_NET any -> [46.105.122.128] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200282; rev:1;) alert tcp $HOME_NET any -> [94.23.252.40] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200283; rev:1;) alert tcp $HOME_NET any -> [188.165.16.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200284; rev:1;) alert tcp $HOME_NET any -> [46.105.98.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200285; rev:1;) alert tcp $HOME_NET any -> [184.95.63.226] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200286; rev:1;) alert tcp $HOME_NET any -> [188.165.227.37] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200287; rev:1;) alert tcp $HOME_NET any -> [46.105.98.111] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200288; rev:1;) alert tcp $HOME_NET any -> [91.213.233.198] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200289; rev:1;) alert tcp $HOME_NET any -> [185.5.52.135] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Upatre C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200290; rev:1;) alert tcp $HOME_NET any -> [141.255.167.120] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200291; rev:1;) alert tcp $HOME_NET any -> [93.190.95.243] 38043 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200292; rev:1;) alert tcp $HOME_NET any -> [41.185.78.17] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200293; rev:1;) alert tcp $HOME_NET any -> [193.124.46.93] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200294; rev:1;) alert tcp $HOME_NET any -> [5.135.111.156] 58943 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200295; rev:1;) alert tcp $HOME_NET any -> [149.154.70.18] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200296; rev:1;) alert tcp $HOME_NET any -> [46.161.30.19] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200297; rev:1;) alert tcp $HOME_NET any -> [46.151.53.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200298; rev:1;) alert tcp $HOME_NET any -> [193.124.94.207] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200299; rev:1;) alert tcp $HOME_NET any -> [77.246.146.35] 27564 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200300; rev:1;) alert tcp $HOME_NET any -> [212.175.66.70] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200301; rev:1;) alert tcp $HOME_NET any -> [77.81.244.170] 65529 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200302; rev:1;) alert tcp $HOME_NET any -> [46.161.30.21] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200303; rev:1;) alert tcp $HOME_NET any -> [5.39.15.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200304; rev:1;) alert tcp $HOME_NET any -> [46.109.187.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200305; rev:1;) alert tcp $HOME_NET any -> [62.76.185.72] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200306; rev:1;) alert tcp $HOME_NET any -> [62.141.34.225] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200307; rev:1;) alert tcp $HOME_NET any -> [5.231.67.242] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200308; rev:1;) alert tcp $HOME_NET any -> [185.61.149.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200309; rev:1;) alert tcp $HOME_NET any -> [46.161.30.22] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200310; rev:1;) alert tcp $HOME_NET any -> [46.161.30.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200311; rev:1;) alert tcp $HOME_NET any -> [37.59.68.9] 8586 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200312; rev:1;) alert tcp $HOME_NET any -> [93.190.95.243] 38143 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200313; rev:1;) alert tcp $HOME_NET any -> [46.161.30.24] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200314; rev:1;) alert tcp $HOME_NET any -> [46.161.30.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200315; rev:1;) alert tcp $HOME_NET any -> [192.225.175.94] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200316; rev:1;) alert tcp $HOME_NET any -> [46.161.30.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200317; rev:1;) alert tcp $HOME_NET any -> [93.190.95.246] 48383 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200318; rev:1;) alert tcp $HOME_NET any -> [46.161.30.40] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200319; rev:1;) alert tcp $HOME_NET any -> [207.12.89.221] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200320; rev:1;) alert tcp $HOME_NET any -> [46.161.30.41] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200321; rev:1;) alert tcp $HOME_NET any -> [93.170.130.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200322; rev:1;) alert tcp $HOME_NET any -> [49.50.251.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200323; rev:1;) alert tcp $HOME_NET any -> [46.161.30.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200324; rev:1;) alert tcp $HOME_NET any -> [31.148.220.186] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200325; rev:1;) alert tcp $HOME_NET any -> [46.161.30.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200326; rev:1;) alert tcp $HOME_NET any -> [89.32.149.60] 65398 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200327; rev:1;) alert tcp $HOME_NET any -> [37.228.91.176] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200328; rev:1;) alert tcp $HOME_NET any -> [189.2.90.233] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200329; rev:1;) alert tcp $HOME_NET any -> [176.99.6.57] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200330; rev:1;) alert tcp $HOME_NET any -> [46.161.30.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200331; rev:1;) alert tcp $HOME_NET any -> [37.1.200.35] 3443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200332; rev:1;) alert tcp $HOME_NET any -> [185.50.68.150] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200333; rev:1;) alert tcp $HOME_NET any -> [188.127.249.145] 54794 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200334; rev:1;) alert tcp $HOME_NET any -> [37.228.88.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200335; rev:1;) alert tcp $HOME_NET any -> [93.95.98.29] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200336; rev:1;) alert tcp $HOME_NET any -> [93.190.95.112] 35133 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200337; rev:1;) alert tcp $HOME_NET any -> [185.63.253.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200338; rev:1;) alert tcp $HOME_NET any -> [62.109.24.205] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200339; rev:1;) alert tcp $HOME_NET any -> [93.95.98.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200340; rev:1;) alert tcp $HOME_NET any -> [78.27.159.112] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200341; rev:1;) alert tcp $HOME_NET any -> [188.132.183.86] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200342; rev:1;) alert tcp $HOME_NET any -> [195.154.252.126] 40601 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200343; rev:1;) alert tcp $HOME_NET any -> [178.33.66.241] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200344; rev:1;) alert tcp $HOME_NET any -> [93.190.95.112] 38553 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200345; rev:1;) alert tcp $HOME_NET any -> [89.252.19.197] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200346; rev:1;) alert tcp $HOME_NET any -> [95.105.84.53] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200347; rev:1;) alert tcp $HOME_NET any -> [84.19.27.203] 42311 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200348; rev:1;) alert tcp $HOME_NET any -> [185.25.119.84] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200349; rev:1;) alert tcp $HOME_NET any -> [85.25.134.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200350; rev:1;) alert tcp $HOME_NET any -> [46.173.94.219] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200351; rev:1;) alert tcp $HOME_NET any -> [37.25.112.202] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200352; rev:1;) alert tcp $HOME_NET any -> [5.175.225.48] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200353; rev:1;) alert tcp $HOME_NET any -> [5.175.225.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200354; rev:1;) alert tcp $HOME_NET any -> [37.228.92.188] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200355; rev:1;) alert tcp $HOME_NET any -> [88.150.228.116] 38553 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200356; rev:1;) alert tcp $HOME_NET any -> [88.150.197.168] 42613 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200357; rev:1;) alert tcp $HOME_NET any -> [94.232.77.153] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200358; rev:1;) alert tcp $HOME_NET any -> [109.87.58.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200359; rev:1;) alert tcp $HOME_NET any -> [88.159.9.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely URLzone C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200360; rev:1;) alert tcp $HOME_NET any -> [82.146.52.170] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200361; rev:1;) alert tcp $HOME_NET any -> [77.81.244.65] 43894 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200362; rev:1;) alert tcp $HOME_NET any -> [177.129.134.254] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200363; rev:1;) alert tcp $HOME_NET any -> [89.32.149.92] 42613 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200364; rev:1;) alert tcp $HOME_NET any -> [188.241.112.88] 39316 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200365; rev:1;) alert tcp $HOME_NET any -> [46.28.68.142] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200366; rev:1;) alert tcp $HOME_NET any -> [80.243.190.217] 39817 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200367; rev:1;) alert tcp $HOME_NET any -> [84.19.27.189] 42613 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200368; rev:1;) alert tcp $HOME_NET any -> [85.198.189.250] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200369; rev:1;) alert tcp $HOME_NET any -> [62.108.40.206] 42613 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200370; rev:1;) alert tcp $HOME_NET any -> [62.108.40.217] 42253 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200371; rev:1;) alert tcp $HOME_NET any -> [88.150.228.98] 37818 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200372; rev:1;) alert tcp $HOME_NET any -> [95.143.198.50] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200373; rev:1;) alert tcp $HOME_NET any -> [95.143.198.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200374; rev:1;) alert tcp $HOME_NET any -> [188.120.249.145] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200375; rev:1;) alert tcp $HOME_NET any -> [91.229.210.17] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200376; rev:1;) alert tcp $HOME_NET any -> [88.85.89.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200377; rev:1;) alert tcp $HOME_NET any -> [91.207.86.210] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200378; rev:1;) alert tcp $HOME_NET any -> [91.245.76.123] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200379; rev:1;) alert tcp $HOME_NET any -> [92.222.18.232] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200380; rev:1;) alert tcp $HOME_NET any -> [104.236.5.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200381; rev:1;) alert tcp $HOME_NET any -> [185.25.117.55] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200382; rev:1;) alert tcp $HOME_NET any -> [193.235.147.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely CryptoLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200383; rev:1;) alert tcp $HOME_NET any -> [191.101.124.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200384; rev:1;) alert tcp $HOME_NET any -> [89.108.88.34] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200385; rev:1;) alert tcp $HOME_NET any -> [31.128.74.100] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200386; rev:1;) alert tcp $HOME_NET any -> [46.250.22.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200387; rev:1;) alert tcp $HOME_NET any -> [185.62.189.20] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200388; rev:1;) alert tcp $HOME_NET any -> [67.183.123.151] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200389; rev:1;) alert tcp $HOME_NET any -> [130.204.157.17] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200390; rev:1;) alert tcp $HOME_NET any -> [186.239.255.124] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200391; rev:1;) alert tcp $HOME_NET any -> [82.145.55.144] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200392; rev:1;) alert tcp $HOME_NET any -> [91.226.93.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200393; rev:1;) alert tcp $HOME_NET any -> [93.171.73.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200394; rev:1;) alert tcp $HOME_NET any -> [185.86.76.94] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200395; rev:1;) alert tcp $HOME_NET any -> [37.25.102.37] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200396; rev:1;) alert tcp $HOME_NET any -> [77.246.147.172] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200397; rev:1;) alert tcp $HOME_NET any -> [93.79.146.178] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200398; rev:1;) alert tcp $HOME_NET any -> [185.14.30.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200399; rev:1;) alert tcp $HOME_NET any -> [211.157.143.214] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200400; rev:1;) alert tcp $HOME_NET any -> [185.49.12.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200401; rev:1;) alert tcp $HOME_NET any -> [178.33.55.223] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200402; rev:1;) alert tcp $HOME_NET any -> [91.210.191.148] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200403; rev:1;) alert tcp $HOME_NET any -> [201.161.97.2] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200404; rev:1;) alert tcp $HOME_NET any -> [92.149.41.53] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200405; rev:1;) alert tcp $HOME_NET any -> [185.11.146.223] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200406; rev:1;) alert tcp $HOME_NET any -> [178.20.224.143] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200407; rev:1;) alert tcp $HOME_NET any -> [37.123.99.141] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200408; rev:1;) alert tcp $HOME_NET any -> [91.238.83.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200409; rev:1;) alert tcp $HOME_NET any -> [82.67.86.227] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200410; rev:1;) alert tcp $HOME_NET any -> [92.55.147.68] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200411; rev:1;) alert tcp $HOME_NET any -> [188.42.255.249] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200412; rev:1;) alert tcp $HOME_NET any -> [180.74.253.30] 9999 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200413; rev:1;) alert tcp $HOME_NET any -> [188.132.239.168] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200414; rev:1;) alert tcp $HOME_NET any -> [31.210.123.19] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200415; rev:1;) alert tcp $HOME_NET any -> [65.181.126.188] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Upatre C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200416; rev:1;) alert tcp $HOME_NET any -> [62.76.179.123] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200417; rev:1;) alert tcp $HOME_NET any -> [217.160.132.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200418; rev:1;) alert tcp $HOME_NET any -> [212.109.219.6] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200419; rev:1;) alert tcp $HOME_NET any -> [82.146.45.128] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200420; rev:1;) alert tcp $HOME_NET any -> [109.74.146.18] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200421; rev:1;) alert tcp $HOME_NET any -> [37.140.199.100] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200422; rev:1;) alert tcp $HOME_NET any -> [77.40.46.226] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200423; rev:1;) alert tcp $HOME_NET any -> [62.173.145.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200424; rev:1;) alert tcp $HOME_NET any -> [54.69.56.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200425; rev:1;) alert tcp $HOME_NET any -> [93.170.105.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200426; rev:1;) alert tcp $HOME_NET any -> [93.170.105.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200427; rev:1;) alert tcp $HOME_NET any -> [31.210.123.29] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200428; rev:1;) alert tcp $HOME_NET any -> [46.28.206.57] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200429; rev:1;) alert tcp $HOME_NET any -> [178.218.221.73] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200430; rev:1;) alert tcp $HOME_NET any -> [88.198.201.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200431; rev:1;) alert tcp $HOME_NET any -> [78.24.218.186] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200432; rev:1;) alert tcp $HOME_NET any -> [89.28.83.228] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200433; rev:1;) alert tcp $HOME_NET any -> [185.66.70.45] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200434; rev:1;) alert tcp $HOME_NET any -> [188.226.150.141] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200435; rev:1;) alert tcp $HOME_NET any -> [46.36.219.32] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200436; rev:1;) alert tcp $HOME_NET any -> [82.146.58.216] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200437; rev:1;) alert tcp $HOME_NET any -> [185.26.115.141] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200438; rev:1;) alert tcp $HOME_NET any -> [5.45.123.115] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200439; rev:1;) alert tcp $HOME_NET any -> [185.12.95.191] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200440; rev:1;) alert tcp $HOME_NET any -> [5.45.124.126] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200441; rev:1;) alert tcp $HOME_NET any -> [62.152.36.90] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200442; rev:1;) alert tcp $HOME_NET any -> [144.76.73.3] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200443; rev:1;) alert tcp $HOME_NET any -> [149.154.64.70] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200444; rev:1;) alert tcp $HOME_NET any -> [185.82.202.19] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200445; rev:1;) alert tcp $HOME_NET any -> [89.144.2.148] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200446; rev:1;) alert tcp $HOME_NET any -> [95.181.178.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200447; rev:1;) alert tcp $HOME_NET any -> [104.145.233.121] 8586 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200448; rev:1;) alert tcp $HOME_NET any -> [5.45.123.152] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200449; rev:1;) alert tcp $HOME_NET any -> [134.249.29.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200450; rev:1;) alert tcp $HOME_NET any -> [185.82.202.20] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200451; rev:1;) alert tcp $HOME_NET any -> [31.24.30.65] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200452; rev:1;) alert tcp $HOME_NET any -> [194.28.87.125] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200453; rev:1;) alert tcp $HOME_NET any -> [46.36.217.227] 3443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200454; rev:1;) alert tcp $HOME_NET any -> [185.9.156.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200455; rev:1;) alert tcp $HOME_NET any -> [176.31.128.123] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Bebloh C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200456; rev:1;) alert tcp $HOME_NET any -> [212.227.89.182] 3443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200457; rev:1;) alert tcp $HOME_NET any -> [95.163.121.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200458; rev:1;) alert tcp $HOME_NET any -> [5.44.216.44] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200459; rev:1;) alert tcp $HOME_NET any -> [134.19.180.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200460; rev:1;) alert tcp $HOME_NET any -> [59.28.198.171] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200461; rev:1;) alert tcp $HOME_NET any -> [5.39.8.212] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200462; rev:1;) alert tcp $HOME_NET any -> [185.38.84.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200463; rev:1;) alert tcp $HOME_NET any -> [91.234.24.116] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200464; rev:1;) alert tcp $HOME_NET any -> [87.117.229.29] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200465; rev:1;) alert tcp $HOME_NET any -> [185.26.115.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200466; rev:1;) alert tcp $HOME_NET any -> [213.111.138.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200467; rev:1;) alert tcp $HOME_NET any -> [185.42.15.147] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200468; rev:1;) alert tcp $HOME_NET any -> [91.219.29.148] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200469; rev:1;) alert tcp $HOME_NET any -> [173.214.162.88] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200470; rev:1;) alert tcp $HOME_NET any -> [43.249.81.85] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200471; rev:1;) alert tcp $HOME_NET any -> [159.253.20.116] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200472; rev:1;) alert tcp $HOME_NET any -> [151.97.243.220] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200473; rev:1;) alert tcp $HOME_NET any -> [185.91.175.94] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200474; rev:1;) alert tcp $HOME_NET any -> [37.143.15.116] 4433 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200475; rev:1;) alert tcp $HOME_NET any -> [46.36.217.227] 3443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200476; rev:1;) alert tcp $HOME_NET any -> [78.47.182.219] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200477; rev:1;) alert tcp $HOME_NET any -> [46.30.41.153] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200478; rev:1;) alert tcp $HOME_NET any -> [146.120.110.147] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200479; rev:1;) alert tcp $HOME_NET any -> [185.91.175.5] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200480; rev:1;) alert tcp $HOME_NET any -> [91.218.228.25] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200481; rev:1;) alert tcp $HOME_NET any -> [78.47.27.243] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Teslacrypt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200482; rev:1;) alert tcp $HOME_NET any -> [151.236.216.254] 2443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200483; rev:1;) alert tcp $HOME_NET any -> [98.27.145.224] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200484; rev:1;) alert tcp $HOME_NET any -> [185.15.185.201] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200485; rev:1;) alert tcp $HOME_NET any -> [5.63.154.228] 5443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200486; rev:1;) alert tcp $HOME_NET any -> [185.26.113.63] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200487; rev:1;) alert tcp $HOME_NET any -> [5.105.221.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200488; rev:1;) alert tcp $HOME_NET any -> [94.242.58.146] 4433 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200489; rev:1;) alert tcp $HOME_NET any -> [78.46.60.131] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200490; rev:1;) alert tcp $HOME_NET any -> [176.31.28.250] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200491; rev:1;) alert tcp $HOME_NET any -> [78.47.182.222] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200492; rev:1;) alert tcp $HOME_NET any -> [185.11.247.226] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200493; rev:1;) alert tcp $HOME_NET any -> [77.122.225.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200494; rev:1;) alert tcp $HOME_NET any -> [107.161.27.153] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200495; rev:1;) alert tcp $HOME_NET any -> [118.69.201.20] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200496; rev:1;) alert tcp $HOME_NET any -> [178.250.247.28] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200497; rev:1;) alert tcp $HOME_NET any -> [91.215.138.108] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200498; rev:1;) alert tcp $HOME_NET any -> [91.207.146.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200499; rev:1;) alert tcp $HOME_NET any -> [178.32.78.173] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200500; rev:1;) alert tcp $HOME_NET any -> [130.88.148.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200501; rev:1;) alert tcp $HOME_NET any -> [216.119.147.87] 2443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200502; rev:1;) alert tcp $HOME_NET any -> [95.163.121.137] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200503; rev:1;) alert tcp $HOME_NET any -> [62.210.214.249] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200504; rev:1;) alert tcp $HOME_NET any -> [146.185.221.31] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200505; rev:1;) alert tcp $HOME_NET any -> [94.23.77.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200506; rev:1;) alert tcp $HOME_NET any -> [5.254.106.219] 9866 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200507; rev:1;) alert tcp $HOME_NET any -> [144.76.238.214] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200508; rev:1;) alert tcp $HOME_NET any -> [62.76.44.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200509; rev:1;) alert tcp $HOME_NET any -> [188.190.219.104] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200510; rev:1;) alert tcp $HOME_NET any -> [134.0.115.157] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200511; rev:1;) alert tcp $HOME_NET any -> [62.76.191.84] 5443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200512; rev:1;) alert tcp $HOME_NET any -> [178.32.53.123] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200513; rev:1;) alert tcp $HOME_NET any -> [80.242.123.144] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200514; rev:1;) alert tcp $HOME_NET any -> [5.100.249.215] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200515; rev:1;) alert tcp $HOME_NET any -> [62.240.61.45] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200516; rev:1;) alert tcp $HOME_NET any -> [178.20.227.49] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200517; rev:1;) alert tcp $HOME_NET any -> [77.123.202.83] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200518; rev:1;) alert tcp $HOME_NET any -> [107.170.1.205] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200519; rev:1;) alert tcp $HOME_NET any -> [146.185.128.226] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200520; rev:1;) alert tcp $HOME_NET any -> [31.186.99.250] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200521; rev:1;) alert tcp $HOME_NET any -> [185.91.175.159] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200522; rev:1;) alert tcp $HOME_NET any -> [77.123.197.14] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200523; rev:1;) alert tcp $HOME_NET any -> [31.148.219.153] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200524; rev:1;) alert tcp $HOME_NET any -> [77.122.54.165] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200525; rev:1;) alert tcp $HOME_NET any -> [212.92.243.65] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200526; rev:1;) alert tcp $HOME_NET any -> [37.140.195.177] 7443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200527; rev:1;) alert tcp $HOME_NET any -> [37.115.187.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200528; rev:1;) alert tcp $HOME_NET any -> [87.236.215.151] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200529; rev:1;) alert tcp $HOME_NET any -> [185.92.221.196] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200530; rev:1;) alert tcp $HOME_NET any -> [185.12.95.40] 7443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200531; rev:1;) alert tcp $HOME_NET any -> [70.32.74.108] 7443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200532; rev:1;) alert tcp $HOME_NET any -> [203.151.94.120] 4433 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200533; rev:1;) alert tcp $HOME_NET any -> [188.120.249.231] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200534; rev:1;) alert tcp $HOME_NET any -> [176.38.106.4] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200535; rev:1;) alert tcp $HOME_NET any -> [91.196.63.151] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200536; rev:1;) alert tcp $HOME_NET any -> [103.27.232.165] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200537; rev:1;) alert tcp $HOME_NET any -> [79.143.191.147] 6443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200538; rev:1;) alert tcp $HOME_NET any -> [5.135.28.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200539; rev:1;) alert tcp $HOME_NET any -> [78.47.136.47] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200540; rev:1;) alert tcp $HOME_NET any -> [173.230.130.172] 2443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200541; rev:1;) alert tcp $HOME_NET any -> [209.40.206.231] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200542; rev:1;) alert tcp $HOME_NET any -> [78.47.182.215] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200543; rev:1;) alert tcp $HOME_NET any -> [91.226.93.33] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200544; rev:1;) alert tcp $HOME_NET any -> [217.174.105.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200545; rev:1;) alert tcp $HOME_NET any -> [94.23.53.23] 2443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200546; rev:1;) alert tcp $HOME_NET any -> [78.47.28.178] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200547; rev:1;) alert tcp $HOME_NET any -> [213.111.203.203] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200548; rev:1;) alert tcp $HOME_NET any -> [31.207.196.222] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200549; rev:1;) alert tcp $HOME_NET any -> [71.14.1.139] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200550; rev:1;) alert tcp $HOME_NET any -> [134.249.238.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200551; rev:1;) alert tcp $HOME_NET any -> [31.210.125.234] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200552; rev:1;) alert tcp $HOME_NET any -> [94.153.65.249] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200553; rev:1;) alert tcp $HOME_NET any -> [124.156.129.29] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200554; rev:1;) alert tcp $HOME_NET any -> [87.236.215.158] 8685 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200555; rev:1;) alert tcp $HOME_NET any -> [136.243.14.142] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200556; rev:1;) alert tcp $HOME_NET any -> [193.13.142.11] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200557; rev:1;) alert tcp $HOME_NET any -> [185.65.246.199] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200558; rev:1;) alert tcp $HOME_NET any -> [128.135.149.243] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200559; rev:1;) alert tcp $HOME_NET any -> [37.143.11.165] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200560; rev:1;) alert tcp $HOME_NET any -> [5.135.28.108] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200561; rev:1;) alert tcp $HOME_NET any -> [176.9.143.115] 2443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200562; rev:1;) alert tcp $HOME_NET any -> [109.254.58.99] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200563; rev:1;) alert tcp $HOME_NET any -> [185.86.76.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200564; rev:1;) alert tcp $HOME_NET any -> [195.169.147.79] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200565; rev:1;) alert tcp $HOME_NET any -> [78.47.182.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200566; rev:1;) alert tcp $HOME_NET any -> [87.98.173.211] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200567; rev:1;) alert tcp $HOME_NET any -> [93.188.162.29] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely URLzone C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200568; rev:1;) alert tcp $HOME_NET any -> [76.74.177.209] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200569; rev:1;) alert tcp $HOME_NET any -> [178.213.187.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200570; rev:1;) alert tcp $HOME_NET any -> [86.105.195.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200571; rev:1;) alert tcp $HOME_NET any -> [93.78.19.128] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200572; rev:1;) alert tcp $HOME_NET any -> [188.230.15.191] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200573; rev:1;) alert tcp $HOME_NET any -> [178.136.205.53] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200574; rev:1;) alert tcp $HOME_NET any -> [185.81.155.103] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200575; rev:1;) alert tcp $HOME_NET any -> [95.47.28.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200576; rev:1;) alert tcp $HOME_NET any -> [212.92.231.196] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200577; rev:1;) alert tcp $HOME_NET any -> [188.230.84.45] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200578; rev:1;) alert tcp $HOME_NET any -> [185.42.15.152] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200579; rev:1;) alert tcp $HOME_NET any -> [178.20.227.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200580; rev:1;) alert tcp $HOME_NET any -> [31.202.220.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200581; rev:1;) alert tcp $HOME_NET any -> [85.25.238.8] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200582; rev:1;) alert tcp $HOME_NET any -> [188.40.170.154] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200583; rev:1;) alert tcp $HOME_NET any -> [195.114.159.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200584; rev:1;) alert tcp $HOME_NET any -> [37.229.222.241] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200585; rev:1;) alert tcp $HOME_NET any -> [185.62.190.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200586; rev:1;) alert tcp $HOME_NET any -> [178.211.41.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200587; rev:1;) alert tcp $HOME_NET any -> [185.14.29.193] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200588; rev:1;) alert tcp $HOME_NET any -> [78.137.55.55] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200589; rev:1;) alert tcp $HOME_NET any -> [78.47.139.58] 843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200590; rev:1;) alert tcp $HOME_NET any -> [183.81.166.5] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200591; rev:1;) alert tcp $HOME_NET any -> [118.174.151.27] 943 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200592; rev:1;) alert tcp $HOME_NET any -> [5.39.52.203] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200593; rev:1;) alert tcp $HOME_NET any -> [176.111.184.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200594; rev:1;) alert tcp $HOME_NET any -> [46.19.136.211] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200595; rev:1;) alert tcp $HOME_NET any -> [91.244.9.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200596; rev:1;) alert tcp $HOME_NET any -> [178.32.72.224] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200597; rev:1;) alert tcp $HOME_NET any -> [5.63.158.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200598; rev:1;) alert tcp $HOME_NET any -> [37.229.13.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200599; rev:1;) alert tcp $HOME_NET any -> [87.254.45.100] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200600; rev:1;) alert tcp $HOME_NET any -> [188.226.166.43] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200601; rev:1;) alert tcp $HOME_NET any -> [178.150.153.18] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200602; rev:1;) alert tcp $HOME_NET any -> [96.227.129.124] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200603; rev:1;) alert tcp $HOME_NET any -> [77.121.172.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200604; rev:1;) alert tcp $HOME_NET any -> [69.164.213.85] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200605; rev:1;) alert tcp $HOME_NET any -> [212.55.84.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200606; rev:1;) alert tcp $HOME_NET any -> [5.1.30.184] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200607; rev:1;) alert tcp $HOME_NET any -> [46.119.46.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200608; rev:1;) alert tcp $HOME_NET any -> [62.84.253.186] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200609; rev:1;) alert tcp $HOME_NET any -> [46.166.171.83] 9999 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200610; rev:1;) alert tcp $HOME_NET any -> [80.252.246.25] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200611; rev:1;) alert tcp $HOME_NET any -> [211.230.11.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200612; rev:1;) alert tcp $HOME_NET any -> [109.72.120.184] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200613; rev:1;) alert tcp $HOME_NET any -> [37.123.101.168] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200614; rev:1;) alert tcp $HOME_NET any -> [62.210.214.106] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200615; rev:1;) alert tcp $HOME_NET any -> [176.28.10.253] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200616; rev:1;) alert tcp $HOME_NET any -> [212.114.109.235] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200617; rev:1;) alert tcp $HOME_NET any -> [185.39.149.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200618; rev:1;) alert tcp $HOME_NET any -> [176.9.118.201] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200619; rev:1;) alert tcp $HOME_NET any -> [176.99.6.10] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200620; rev:1;) alert tcp $HOME_NET any -> [178.151.197.61] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200621; rev:1;) alert tcp $HOME_NET any -> [81.9.24.250] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200622; rev:1;) alert tcp $HOME_NET any -> [78.47.248.147] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200623; rev:1;) alert tcp $HOME_NET any -> [78.47.143.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200624; rev:1;) alert tcp $HOME_NET any -> [109.237.47.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200625; rev:1;) alert tcp $HOME_NET any -> [37.52.123.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200626; rev:1;) alert tcp $HOME_NET any -> [5.196.249.187] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200627; rev:1;) alert tcp $HOME_NET any -> [178.236.143.5] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200628; rev:1;) alert tcp $HOME_NET any -> [46.151.52.100] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200629; rev:1;) alert tcp $HOME_NET any -> [37.123.96.184] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200630; rev:1;) alert tcp $HOME_NET any -> [151.80.10.66] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200631; rev:1;) alert tcp $HOME_NET any -> [192.199.254.173] 8080 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200632; rev:1;) alert tcp $HOME_NET any -> [91.121.91.221] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200633; rev:1;) alert tcp $HOME_NET any -> [151.248.123.100] 743 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200634; rev:1;) alert tcp $HOME_NET any -> [5.178.82.105] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200635; rev:1;) alert tcp $HOME_NET any -> [210.209.89.162] 8080 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200636; rev:1;) alert tcp $HOME_NET any -> [188.40.170.157] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200637; rev:1;) alert tcp $HOME_NET any -> [188.40.170.157] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200638; rev:1;) alert tcp $HOME_NET any -> [91.201.215.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200639; rev:1;) alert tcp $HOME_NET any -> [86.105.18.114] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200640; rev:1;) alert tcp $HOME_NET any -> [194.58.96.45] 4543 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200641; rev:1;) alert tcp $HOME_NET any -> [95.163.121.252] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200642; rev:1;) alert tcp $HOME_NET any -> [162.243.12.14] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200643; rev:1;) alert tcp $HOME_NET any -> [188.93.73.90] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200644; rev:1;) alert tcp $HOME_NET any -> [199.241.30.233] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200645; rev:1;) alert tcp $HOME_NET any -> [94.23.110.45] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200646; rev:1;) alert tcp $HOME_NET any -> [68.169.49.213] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200647; rev:1;) alert tcp $HOME_NET any -> [109.86.230.210] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200648; rev:1;) alert tcp $HOME_NET any -> [185.83.144.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200649; rev:1;) alert tcp $HOME_NET any -> [93.171.158.199] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200650; rev:1;) alert tcp $HOME_NET any -> [85.25.199.246] 543 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200651; rev:1;) alert tcp $HOME_NET any -> [31.131.251.33] 743 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200652; rev:1;) alert tcp $HOME_NET any -> [144.76.232.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200653; rev:1;) alert tcp $HOME_NET any -> [178.151.89.152] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200654; rev:1;) alert tcp $HOME_NET any -> [78.46.160.71] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200655; rev:1;) alert tcp $HOME_NET any -> [93.171.132.5] 743 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200656; rev:1;) alert tcp $HOME_NET any -> [185.65.244.18] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200657; rev:1;) alert tcp $HOME_NET any -> [178.137.242.146] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200658; rev:1;) alert tcp $HOME_NET any -> [109.104.189.67] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200659; rev:1;) alert tcp $HOME_NET any -> [136.243.219.242] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200660; rev:1;) alert tcp $HOME_NET any -> [91.202.105.30] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200661; rev:1;) alert tcp $HOME_NET any -> [146.185.243.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200662; rev:1;) alert tcp $HOME_NET any -> [91.218.231.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200663; rev:1;) alert tcp $HOME_NET any -> [78.115.79.21] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200664; rev:1;) alert tcp $HOME_NET any -> [88.198.25.92] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200665; rev:1;) alert tcp $HOME_NET any -> [46.36.219.141] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200666; rev:1;) alert tcp $HOME_NET any -> [78.137.52.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200667; rev:1;) alert tcp $HOME_NET any -> [37.1.17.1] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200668; rev:1;) alert tcp $HOME_NET any -> [93.170.155.207] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200669; rev:1;) alert tcp $HOME_NET any -> [194.58.111.157] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200670; rev:1;) alert tcp $HOME_NET any -> [91.231.84.120] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200671; rev:1;) alert tcp $HOME_NET any -> [148.251.157.148] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200672; rev:1;) alert tcp $HOME_NET any -> [80.247.233.18] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200673; rev:1;) alert tcp $HOME_NET any -> [80.245.117.198] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200674; rev:1;) alert tcp $HOME_NET any -> [176.110.22.247] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200675; rev:1;) alert tcp $HOME_NET any -> [176.110.22.247] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200676; rev:1;) alert tcp $HOME_NET any -> [188.138.71.67] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200677; rev:1;) alert tcp $HOME_NET any -> [91.221.36.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200678; rev:1;) alert tcp $HOME_NET any -> [80.252.250.149] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200679; rev:1;) alert tcp $HOME_NET any -> [212.47.196.149] 543 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200680; rev:1;) alert tcp $HOME_NET any -> [188.40.170.155] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200681; rev:1;) alert tcp $HOME_NET any -> [188.40.170.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200682; rev:1;) alert tcp $HOME_NET any -> [176.113.235.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200683; rev:1;) alert tcp $HOME_NET any -> [176.8.78.178] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200684; rev:1;) alert tcp $HOME_NET any -> [151.0.52.255] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200685; rev:1;) alert tcp $HOME_NET any -> [88.226.196.239] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200686; rev:1;) alert tcp $HOME_NET any -> [103.252.85.146] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200687; rev:1;) alert tcp $HOME_NET any -> [119.81.87.154] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200688; rev:1;) alert tcp $HOME_NET any -> [109.234.34.186] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200689; rev:1;) alert tcp $HOME_NET any -> [109.72.120.184] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200690; rev:1;) alert tcp $HOME_NET any -> [46.10.155.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200691; rev:1;) alert tcp $HOME_NET any -> [89.185.12.238] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200692; rev:1;) alert tcp $HOME_NET any -> [89.33.64.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200693; rev:1;) alert tcp $HOME_NET any -> [109.87.187.170] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200694; rev:1;) alert tcp $HOME_NET any -> [185.53.130.244] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200695; rev:1;) alert tcp $HOME_NET any -> [62.16.38.131] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200696; rev:1;) alert tcp $HOME_NET any -> [91.121.82.113] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200697; rev:1;) alert tcp $HOME_NET any -> [188.190.76.247] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200698; rev:1;) alert tcp $HOME_NET any -> [195.154.184.240] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200699; rev:1;) alert tcp $HOME_NET any -> [14.33.25.64] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200700; rev:1;) alert tcp $HOME_NET any -> [46.160.66.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200701; rev:1;) alert tcp $HOME_NET any -> [213.130.8.151] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200702; rev:1;) alert tcp $HOME_NET any -> [201.175.17.35] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200703; rev:1;) alert tcp $HOME_NET any -> [64.58.156.132] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200704; rev:1;) alert tcp $HOME_NET any -> [213.111.149.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200705; rev:1;) alert tcp $HOME_NET any -> [77.121.173.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200706; rev:1;) alert tcp $HOME_NET any -> [87.76.55.248] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200707; rev:1;) alert tcp $HOME_NET any -> [141.0.177.142] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200708; rev:1;) alert tcp $HOME_NET any -> [176.114.47.28] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200709; rev:1;) alert tcp $HOME_NET any -> [50.7.202.202] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200710; rev:1;) alert tcp $HOME_NET any -> [74.119.194.18] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200711; rev:1;) alert tcp $HOME_NET any -> [178.54.238.73] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200712; rev:1;) alert tcp $HOME_NET any -> [46.118.158.172] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200713; rev:1;) alert tcp $HOME_NET any -> [46.118.113.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200714; rev:1;) alert tcp $HOME_NET any -> [188.42.254.65] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200715; rev:1;) alert tcp $HOME_NET any -> [95.105.249.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200716; rev:1;) alert tcp $HOME_NET any -> [212.115.244.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200717; rev:1;) alert tcp $HOME_NET any -> [91.121.15.225] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200718; rev:1;) alert tcp $HOME_NET any -> [31.131.115.55] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200719; rev:1;) alert tcp $HOME_NET any -> [46.175.76.22] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200720; rev:1;) alert tcp $HOME_NET any -> [134.249.24.200] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200721; rev:1;) alert tcp $HOME_NET any -> [217.23.7.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200722; rev:1;) alert tcp $HOME_NET any -> [62.152.36.25] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200723; rev:1;) alert tcp $HOME_NET any -> [93.170.76.230] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200724; rev:1;) alert tcp $HOME_NET any -> [31.133.76.115] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200725; rev:1;) alert tcp $HOME_NET any -> [173.71.98.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200726; rev:1;) alert tcp $HOME_NET any -> [173.71.98.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200727; rev:1;) alert tcp $HOME_NET any -> [78.47.119.85] 543 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200728; rev:1;) alert tcp $HOME_NET any -> [95.134.255.41] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200729; rev:1;) alert tcp $HOME_NET any -> [46.250.120.231] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200730; rev:1;) alert tcp $HOME_NET any -> [5.196.227.51] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200731; rev:1;) alert tcp $HOME_NET any -> [66.240.183.19] 843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200732; rev:1;) alert tcp $HOME_NET any -> [91.201.155.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200733; rev:1;) alert tcp $HOME_NET any -> [31.43.102.34] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200734; rev:1;) alert tcp $HOME_NET any -> [195.154.184.240] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200735; rev:1;) alert tcp $HOME_NET any -> [217.79.184.115] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200736; rev:1;) alert tcp $HOME_NET any -> [5.248.99.180] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200737; rev:1;) alert tcp $HOME_NET any -> [46.118.54.10] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200738; rev:1;) alert tcp $HOME_NET any -> [178.151.161.143] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200739; rev:1;) alert tcp $HOME_NET any -> [31.131.115.55] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200740; rev:1;) alert tcp $HOME_NET any -> [37.57.86.141] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200741; rev:1;) alert tcp $HOME_NET any -> [176.36.174.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200742; rev:1;) alert tcp $HOME_NET any -> [176.106.2.38] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200743; rev:1;) alert tcp $HOME_NET any -> [31.41.51.8] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200744; rev:1;) alert tcp $HOME_NET any -> [5.154.190.191] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200745; rev:1;) alert tcp $HOME_NET any -> [71.226.78.56] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200746; rev:1;) alert tcp $HOME_NET any -> [77.121.248.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200747; rev:1;) alert tcp $HOME_NET any -> [46.63.51.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200748; rev:1;) alert tcp $HOME_NET any -> [195.38.117.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200749; rev:1;) alert tcp $HOME_NET any -> [46.119.7.179] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200750; rev:1;) alert tcp $HOME_NET any -> [178.216.226.16] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200751; rev:1;) alert tcp $HOME_NET any -> [43.251.158.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200752; rev:1;) alert tcp $HOME_NET any -> [109.162.95.100] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200753; rev:1;) alert tcp $HOME_NET any -> [185.112.249.93] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200754; rev:1;) alert tcp $HOME_NET any -> [97.75.107.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200755; rev:1;) alert tcp $HOME_NET any -> [37.115.7.53] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200756; rev:1;) alert tcp $HOME_NET any -> [185.82.203.157] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200757; rev:1;) alert tcp $HOME_NET any -> [46.252.214.148] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200758; rev:1;) alert tcp $HOME_NET any -> [93.76.104.167] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200759; rev:1;) alert tcp $HOME_NET any -> [176.106.31.227] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200760; rev:1;) alert tcp $HOME_NET any -> [37.229.220.249] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200761; rev:1;) alert tcp $HOME_NET any -> [80.78.251.49] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200762; rev:1;) alert tcp $HOME_NET any -> [213.111.203.203] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200763; rev:1;) alert tcp $HOME_NET any -> [188.231.147.199] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200764; rev:1;) alert tcp $HOME_NET any -> [93.171.253.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200765; rev:1;) alert tcp $HOME_NET any -> [178.150.184.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200766; rev:1;) alert tcp $HOME_NET any -> [109.200.224.223] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200767; rev:1;) alert tcp $HOME_NET any -> [46.119.89.198] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200768; rev:1;) alert tcp $HOME_NET any -> [151.0.13.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200769; rev:1;) alert tcp $HOME_NET any -> [109.120.156.2] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200770; rev:1;) alert tcp $HOME_NET any -> [5.248.55.58] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200771; rev:1;) alert tcp $HOME_NET any -> [91.239.232.9] 8448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200772; rev:1;) alert tcp $HOME_NET any -> [31.202.213.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200773; rev:1;) alert tcp $HOME_NET any -> [178.158.148.195] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200774; rev:1;) alert tcp $HOME_NET any -> [93.126.104.254] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200775; rev:1;) alert tcp $HOME_NET any -> [178.151.24.112] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200776; rev:1;) alert tcp $HOME_NET any -> [88.198.206.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200777; rev:1;) alert tcp $HOME_NET any -> [195.114.153.231] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200778; rev:1;) alert tcp $HOME_NET any -> [109.86.210.227] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200779; rev:1;) alert tcp $HOME_NET any -> [178.158.203.91] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200780; rev:1;) alert tcp $HOME_NET any -> [46.119.173.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200781; rev:1;) alert tcp $HOME_NET any -> [97.82.168.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200782; rev:1;) alert tcp $HOME_NET any -> [85.114.216.12] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200783; rev:1;) alert tcp $HOME_NET any -> [185.15.208.65] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200784; rev:1;) alert tcp $HOME_NET any -> [91.225.58.52] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200785; rev:1;) alert tcp $HOME_NET any -> [93.127.119.6] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200786; rev:1;) alert tcp $HOME_NET any -> [93.127.119.6] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200787; rev:1;) alert tcp $HOME_NET any -> [81.162.67.208] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200788; rev:1;) alert tcp $HOME_NET any -> [176.36.23.31] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200789; rev:1;) alert tcp $HOME_NET any -> [176.104.75.5] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200790; rev:1;) alert tcp $HOME_NET any -> [24.122.211.18] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200791; rev:1;) alert tcp $HOME_NET any -> [46.250.16.255] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200792; rev:1;) alert tcp $HOME_NET any -> [178.216.225.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200793; rev:1;) alert tcp $HOME_NET any -> [134.249.201.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200794; rev:1;) alert tcp $HOME_NET any -> [37.229.211.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200795; rev:1;) alert tcp $HOME_NET any -> [188.191.235.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200796; rev:1;) alert tcp $HOME_NET any -> [178.151.73.157] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200797; rev:1;) alert tcp $HOME_NET any -> [62.84.255.35] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200798; rev:1;) alert tcp $HOME_NET any -> [185.5.175.216] 2028 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200799; rev:1;) alert tcp $HOME_NET any -> [188.230.31.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200800; rev:1;) alert tcp $HOME_NET any -> [37.229.150.88] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200801; rev:1;) alert tcp $HOME_NET any -> [176.8.32.193] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200802; rev:1;) alert tcp $HOME_NET any -> [185.5.175.216] 2027 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200803; rev:1;) alert tcp $HOME_NET any -> [134.249.65.209] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200804; rev:1;) alert tcp $HOME_NET any -> [212.80.56.118] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200805; rev:1;) alert tcp $HOME_NET any -> [176.99.101.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200806; rev:1;) alert tcp $HOME_NET any -> [46.118.24.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200807; rev:1;) alert tcp $HOME_NET any -> [188.0.122.38] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200808; rev:1;) alert tcp $HOME_NET any -> [46.211.18.203] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200809; rev:1;) alert tcp $HOME_NET any -> [46.146.2.34] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200810; rev:1;) alert tcp $HOME_NET any -> [77.109.58.97] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200811; rev:1;) alert tcp $HOME_NET any -> [91.225.161.21] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200812; rev:1;) alert tcp $HOME_NET any -> [31.28.27.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200813; rev:1;) alert tcp $HOME_NET any -> [178.32.127.112] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200814; rev:1;) alert tcp $HOME_NET any -> [185.65.247.66] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200815; rev:1;) alert tcp $HOME_NET any -> [125.134.125.208] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200816; rev:1;) alert tcp $HOME_NET any -> [46.118.66.221] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200817; rev:1;) alert tcp $HOME_NET any -> [46.33.52.21] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200818; rev:1;) alert tcp $HOME_NET any -> [46.250.27.183] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200819; rev:1;) alert tcp $HOME_NET any -> [192.0.198.51] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200820; rev:1;) alert tcp $HOME_NET any -> [134.249.40.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200821; rev:1;) alert tcp $HOME_NET any -> [5.149.249.181] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200822; rev:1;) alert tcp $HOME_NET any -> [113.204.137.55] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200823; rev:1;) alert tcp $HOME_NET any -> [31.135.122.100] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200824; rev:1;) alert tcp $HOME_NET any -> [111.118.187.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200825; rev:1;) alert tcp $HOME_NET any -> [178.32.160.71] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200826; rev:1;) alert tcp $HOME_NET any -> [31.43.61.24] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200827; rev:1;) alert tcp $HOME_NET any -> [67.161.171.204] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200828; rev:1;) alert tcp $HOME_NET any -> [109.162.86.32] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200829; rev:1;) alert tcp $HOME_NET any -> [46.211.42.123] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200830; rev:1;) alert tcp $HOME_NET any -> [46.151.250.192] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200831; rev:1;) alert tcp $HOME_NET any -> [78.30.193.128] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200832; rev:1;) alert tcp $HOME_NET any -> [80.78.245.185] 3443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200833; rev:1;) alert tcp $HOME_NET any -> [169.53.155.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200834; rev:1;) alert tcp $HOME_NET any -> [149.202.114.6] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200835; rev:1;) alert tcp $HOME_NET any -> [46.33.250.182] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200836; rev:1;) alert tcp $HOME_NET any -> [91.239.104.131] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200837; rev:1;) alert tcp $HOME_NET any -> [176.104.24.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200838; rev:1;) alert tcp $HOME_NET any -> [176.73.13.72] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200839; rev:1;) alert tcp $HOME_NET any -> [46.250.31.148] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200840; rev:1;) alert tcp $HOME_NET any -> [31.135.118.149] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200841; rev:1;) alert tcp $HOME_NET any -> [176.102.203.178] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200842; rev:1;) alert tcp $HOME_NET any -> [62.213.67.250] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200843; rev:1;) alert tcp $HOME_NET any -> [37.229.24.30] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200844; rev:1;) alert tcp $HOME_NET any -> [31.128.83.65] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200845; rev:1;) alert tcp $HOME_NET any -> [5.39.222.172] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200846; rev:1;) alert tcp $HOME_NET any -> [89.185.29.54] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200847; rev:1;) alert tcp $HOME_NET any -> [79.113.93.158] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200848; rev:1;) alert tcp $HOME_NET any -> [176.98.20.110] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200849; rev:1;) alert tcp $HOME_NET any -> [93.76.64.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200850; rev:1;) alert tcp $HOME_NET any -> [58.176.100.75] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200851; rev:1;) alert tcp $HOME_NET any -> [46.151.252.174] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200852; rev:1;) alert tcp $HOME_NET any -> [109.251.126.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200853; rev:1;) alert tcp $HOME_NET any -> [193.189.127.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200854; rev:1;) alert tcp $HOME_NET any -> [93.79.220.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200855; rev:1;) alert tcp $HOME_NET any -> [46.35.240.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200856; rev:1;) alert tcp $HOME_NET any -> [194.79.60.87] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200857; rev:1;) alert tcp $HOME_NET any -> [91.214.209.193] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200858; rev:1;) alert tcp $HOME_NET any -> [158.181.229.159] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200859; rev:1;) alert tcp $HOME_NET any -> [194.1.156.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200860; rev:1;) alert tcp $HOME_NET any -> [176.113.233.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200861; rev:1;) alert tcp $HOME_NET any -> [176.99.101.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200862; rev:1;) alert tcp $HOME_NET any -> [46.172.248.90] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200863; rev:1;) alert tcp $HOME_NET any -> [134.249.43.14] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200864; rev:1;) alert tcp $HOME_NET any -> [134.249.43.14] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200865; rev:1;) alert tcp $HOME_NET any -> [46.46.90.65] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200866; rev:1;) alert tcp $HOME_NET any -> [46.98.228.56] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200867; rev:1;) alert tcp $HOME_NET any -> [46.174.241.113] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200868; rev:1;) alert tcp $HOME_NET any -> [185.66.218.2] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Rovnix C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200869; rev:1;) alert tcp $HOME_NET any -> [37.57.240.152] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200870; rev:1;) alert tcp $HOME_NET any -> [178.151.116.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200871; rev:1;) alert tcp $HOME_NET any -> [93.171.253.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200872; rev:1;) alert tcp $HOME_NET any -> [46.161.40.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200873; rev:1;) alert tcp $HOME_NET any -> [93.171.158.209] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200874; rev:1;) alert tcp $HOME_NET any -> [95.169.150.39] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200875; rev:1;) alert tcp $HOME_NET any -> [94.76.127.113] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200876; rev:1;) alert tcp $HOME_NET any -> [46.98.198.6] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200877; rev:1;) alert tcp $HOME_NET any -> [188.190.220.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200878; rev:1;) alert tcp $HOME_NET any -> [89.65.63.95] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200879; rev:1;) alert tcp $HOME_NET any -> [37.229.248.188] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200880; rev:1;) alert tcp $HOME_NET any -> [46.20.33.67] 1031 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200881; rev:1;) alert tcp $HOME_NET any -> [176.113.149.167] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200882; rev:1;) alert tcp $HOME_NET any -> [81.22.130.97] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200883; rev:1;) alert tcp $HOME_NET any -> [37.0.125.106] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Rovnix C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200884; rev:1;) alert tcp $HOME_NET any -> [178.20.227.208] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200885; rev:1;) alert tcp $HOME_NET any -> [50.7.246.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200886; rev:1;) alert tcp $HOME_NET any -> [93.76.76.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200887; rev:1;) alert tcp $HOME_NET any -> [93.179.69.118] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200888; rev:1;) alert tcp $HOME_NET any -> [94.41.203.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely KINS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200889; rev:1;) alert tcp $HOME_NET any -> [5.8.61.10] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200890; rev:1;) alert tcp $HOME_NET any -> [95.143.198.13] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200891; rev:1;) alert tcp $HOME_NET any -> [95.143.198.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200892; rev:1;) alert tcp $HOME_NET any -> [46.166.172.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200893; rev:1;) alert tcp $HOME_NET any -> [89.33.64.105] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200894; rev:1;) alert tcp $HOME_NET any -> [191.101.21.10] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200895; rev:1;) alert tcp $HOME_NET any -> [109.120.155.159] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200896; rev:1;) alert tcp $HOME_NET any -> [94.242.224.207] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200897; rev:1;) alert tcp $HOME_NET any -> [78.46.236.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200898; rev:1;) alert tcp $HOME_NET any -> [185.74.252.131] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200899; rev:1;) alert tcp $HOME_NET any -> [107.161.188.203] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200900; rev:1;) alert tcp $HOME_NET any -> [95.173.183.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200901; rev:1;) alert tcp $HOME_NET any -> [94.103.80.249] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200902; rev:1;) alert tcp $HOME_NET any -> [185.82.200.100] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200903; rev:1;) alert tcp $HOME_NET any -> [178.63.192.245] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200904; rev:1;) alert tcp $HOME_NET any -> [185.86.79.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200905; rev:1;) alert tcp $HOME_NET any -> [5.34.181.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200906; rev:1;) alert tcp $HOME_NET any -> [193.218.145.184] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200907; rev:1;) alert tcp $HOME_NET any -> [5.1.82.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200908; rev:1;) alert tcp $HOME_NET any -> [93.179.69.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200909; rev:1;) alert tcp $HOME_NET any -> [62.75.195.209] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200910; rev:1;) alert tcp $HOME_NET any -> [185.113.223.239] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200911; rev:1;) alert tcp $HOME_NET any -> [95.215.108.70] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200912; rev:1;) alert tcp $HOME_NET any -> [185.75.56.133] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200913; rev:1;) alert tcp $HOME_NET any -> [80.82.64.29] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200914; rev:1;) alert tcp $HOME_NET any -> [185.22.233.47] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200915; rev:1;) alert tcp $HOME_NET any -> [51.254.61.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200916; rev:1;) alert tcp $HOME_NET any -> [194.31.59.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200917; rev:1;) alert tcp $HOME_NET any -> [50.7.202.204] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200918; rev:1;) alert tcp $HOME_NET any -> [46.30.41.30] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200919; rev:1;) alert tcp $HOME_NET any -> [188.40.227.39] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200920; rev:1;) alert tcp $HOME_NET any -> [188.40.227.39] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200921; rev:1;) alert tcp $HOME_NET any -> [82.146.40.76] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200922; rev:1;) alert tcp $HOME_NET any -> [87.249.215.197] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200923; rev:1;) alert tcp $HOME_NET any -> [82.118.24.167] 4483 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200924; rev:1;) alert tcp $HOME_NET any -> [136.243.237.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200925; rev:1;) alert tcp $HOME_NET any -> [88.151.246.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200926; rev:1;) alert tcp $HOME_NET any -> [62.109.20.77] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Teslacrypt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200927; rev:1;) alert tcp $HOME_NET any -> [109.120.156.217] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200928; rev:1;) alert tcp $HOME_NET any -> [92.51.129.33] 4483 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200929; rev:1;) alert tcp $HOME_NET any -> [188.225.72.25] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200930; rev:1;) alert tcp $HOME_NET any -> [50.30.36.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200931; rev:1;) alert tcp $HOME_NET any -> [185.26.120.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200932; rev:1;) alert tcp $HOME_NET any -> [46.30.45.203] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200933; rev:1;) alert tcp $HOME_NET any -> [185.65.246.242] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200934; rev:1;) alert tcp $HOME_NET any -> [37.0.125.106] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200935; rev:1;) alert tcp $HOME_NET any -> [185.75.56.137] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200936; rev:1;) alert tcp $HOME_NET any -> [178.208.77.10] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200937; rev:1;) alert tcp $HOME_NET any -> [178.208.77.10] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200938; rev:1;) alert tcp $HOME_NET any -> [188.225.74.44] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200939; rev:1;) alert tcp $HOME_NET any -> [84.246.226.211] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200940; rev:1;) alert tcp $HOME_NET any -> [37.128.132.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200941; rev:1;) alert tcp $HOME_NET any -> [113.53.234.218] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200942; rev:1;) alert tcp $HOME_NET any -> [46.30.42.105] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200943; rev:1;) alert tcp $HOME_NET any -> [87.106.18.216] 4483 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200944; rev:1;) alert tcp $HOME_NET any -> [188.225.74.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200945; rev:1;) alert tcp $HOME_NET any -> [95.163.107.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200946; rev:1;) alert tcp $HOME_NET any -> [92.114.92.104] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200947; rev:1;) alert tcp $HOME_NET any -> [195.251.250.37] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200948; rev:1;) alert tcp $HOME_NET any -> [51.254.139.49] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200949; rev:1;) alert tcp $HOME_NET any -> [212.109.220.249] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200950; rev:1;) alert tcp $HOME_NET any -> [198.61.187.234] 4483 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200951; rev:1;) alert tcp $HOME_NET any -> [146.148.124.166] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200952; rev:1;) alert tcp $HOME_NET any -> [185.82.202.101] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200953; rev:1;) alert tcp $HOME_NET any -> [185.82.202.101] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200954; rev:1;) alert tcp $HOME_NET any -> [188.65.211.205] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200955; rev:1;) alert tcp $HOME_NET any -> [86.105.33.102] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200956; rev:1;) alert tcp $HOME_NET any -> [62.213.67.152] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200957; rev:1;) alert tcp $HOME_NET any -> [5.8.60.15] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200958; rev:1;) alert tcp $HOME_NET any -> [93.170.128.75] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200959; rev:1;) alert tcp $HOME_NET any -> [185.4.75.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200960; rev:1;) alert tcp $HOME_NET any -> [77.221.144.118] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200961; rev:1;) alert tcp $HOME_NET any -> [31.184.196.83] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200962; rev:1;) alert tcp $HOME_NET any -> [89.248.164.58] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200963; rev:1;) alert tcp $HOME_NET any -> [149.210.180.13] 4483 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200964; rev:1;) alert tcp $HOME_NET any -> [185.24.219.202] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200965; rev:1;) alert tcp $HOME_NET any -> [78.46.30.43] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200966; rev:1;) alert tcp $HOME_NET any -> [109.120.155.254] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200967; rev:1;) alert tcp $HOME_NET any -> [93.171.159.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200968; rev:1;) alert tcp $HOME_NET any -> [212.154.175.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200969; rev:1;) alert tcp $HOME_NET any -> [38.84.132.172] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200970; rev:1;) alert tcp $HOME_NET any -> [89.32.145.12] 4483 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200971; rev:1;) alert tcp $HOME_NET any -> [104.130.17.100] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely URLzone C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200972; rev:1;) alert tcp $HOME_NET any -> [193.169.86.130] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200973; rev:1;) alert tcp $HOME_NET any -> [37.187.87.228] 473 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200974; rev:1;) alert tcp $HOME_NET any -> [93.185.75.21] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200975; rev:1;) alert tcp $HOME_NET any -> [45.55.136.31] 473 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200976; rev:1;) alert tcp $HOME_NET any -> [185.114.22.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200977; rev:1;) alert tcp $HOME_NET any -> [185.24.233.212] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200978; rev:1;) alert tcp $HOME_NET any -> [185.24.233.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200979; rev:1;) alert tcp $HOME_NET any -> [51.254.140.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200980; rev:1;) alert tcp $HOME_NET any -> [213.159.214.156] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200981; rev:1;) alert tcp $HOME_NET any -> [185.26.120.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200982; rev:1;) alert tcp $HOME_NET any -> [157.252.245.49] 473 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200983; rev:1;) alert tcp $HOME_NET any -> [106.187.38.36] 473 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200984; rev:1;) alert tcp $HOME_NET any -> [185.14.29.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200985; rev:1;) alert tcp $HOME_NET any -> [107.170.237.112] 473 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200986; rev:1;) alert tcp $HOME_NET any -> [188.166.250.20] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200987; rev:1;) alert tcp $HOME_NET any -> [31.41.44.147] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200988; rev:1;) alert tcp $HOME_NET any -> [119.47.112.227] 473 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200989; rev:1;) alert tcp $HOME_NET any -> [198.50.205.130] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200990; rev:1;) alert tcp $HOME_NET any -> [188.65.211.209] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200991; rev:1;) alert tcp $HOME_NET any -> [103.251.90.43] 5445 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200992; rev:1;) alert tcp $HOME_NET any -> [198.74.58.153] 5445 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200993; rev:1;) alert tcp $HOME_NET any -> [46.37.1.88] 473 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200994; rev:1;) alert tcp $HOME_NET any -> [91.226.8.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200995; rev:1;) alert tcp $HOME_NET any -> [68.168.100.232] 6446 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200996; rev:1;) alert tcp $HOME_NET any -> [62.102.249.157] 843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200997; rev:1;) alert tcp $HOME_NET any -> [5.8.60.90] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200998; rev:1;) alert tcp $HOME_NET any -> [188.120.250.62] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903200999; rev:1;) alert tcp $HOME_NET any -> [82.146.59.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201000; rev:1;) alert tcp $HOME_NET any -> [78.129.153.5] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201001; rev:1;) alert tcp $HOME_NET any -> [74.86.70.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201002; rev:1;) alert tcp $HOME_NET any -> [5.187.4.183] 473 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201003; rev:1;) alert tcp $HOME_NET any -> [69.64.59.144] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201004; rev:1;) alert tcp $HOME_NET any -> [31.129.95.173] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201005; rev:1;) alert tcp $HOME_NET any -> [69.64.50.99] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201006; rev:1;) alert tcp $HOME_NET any -> [91.204.113.136] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201007; rev:1;) alert tcp $HOME_NET any -> [83.218.228.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201008; rev:1;) alert tcp $HOME_NET any -> [108.166.178.146] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201009; rev:1;) alert tcp $HOME_NET any -> [202.129.57.130] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201010; rev:1;) alert tcp $HOME_NET any -> [185.97.253.62] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201011; rev:1;) alert tcp $HOME_NET any -> [62.22.91.92] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201012; rev:1;) alert tcp $HOME_NET any -> [94.45.148.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201013; rev:1;) alert tcp $HOME_NET any -> [173.65.73.254] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201014; rev:1;) alert tcp $HOME_NET any -> [91.230.211.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ProxyChanger C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201015; rev:1;) alert tcp $HOME_NET any -> [5.8.60.194] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201016; rev:1;) alert tcp $HOME_NET any -> [199.217.113.235] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Downloder-Bot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201017; rev:1;) alert tcp $HOME_NET any -> [176.113.149.167] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201018; rev:1;) alert tcp $HOME_NET any -> [75.126.60.251] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201019; rev:1;) alert tcp $HOME_NET any -> [5.135.42.140] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201020; rev:1;) alert tcp $HOME_NET any -> [5.8.66.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201021; rev:1;) alert tcp $HOME_NET any -> [108.166.178.106] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201022; rev:1;) alert tcp $HOME_NET any -> [93.77.4.198] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201023; rev:1;) alert tcp $HOME_NET any -> [95.211.188.202] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201024; rev:1;) alert tcp $HOME_NET any -> [31.41.44.32] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201025; rev:1;) alert tcp $HOME_NET any -> [37.115.15.172] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201026; rev:1;) alert tcp $HOME_NET any -> [195.225.228.156] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201027; rev:1;) alert tcp $HOME_NET any -> [128.199.122.196] 6446 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201028; rev:1;) alert tcp $HOME_NET any -> [89.252.60.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201029; rev:1;) alert tcp $HOME_NET any -> [46.119.173.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201030; rev:1;) alert tcp $HOME_NET any -> [178.76.214.86] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201031; rev:1;) alert tcp $HOME_NET any -> [93.113.176.105] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201032; rev:1;) alert tcp $HOME_NET any -> [43.251.159.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201033; rev:1;) alert tcp $HOME_NET any -> [92.255.219.49] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201034; rev:1;) alert tcp $HOME_NET any -> [178.167.92.223] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201035; rev:1;) alert tcp $HOME_NET any -> [31.135.231.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201036; rev:1;) alert tcp $HOME_NET any -> [1.93.0.224] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201037; rev:1;) alert tcp $HOME_NET any -> [93.79.244.245] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201038; rev:1;) alert tcp $HOME_NET any -> [188.127.237.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ProxyChanger C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201039; rev:1;) alert tcp $HOME_NET any -> [163.53.247.20] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201040; rev:1;) alert tcp $HOME_NET any -> [46.173.94.191] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201041; rev:1;) alert tcp $HOME_NET any -> [24.70.124.49] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201042; rev:1;) alert tcp $HOME_NET any -> [116.100.36.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201043; rev:1;) alert tcp $HOME_NET any -> [128.199.239.142] 8843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201044; rev:1;) alert tcp $HOME_NET any -> [79.114.28.168] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201045; rev:1;) alert tcp $HOME_NET any -> [82.146.34.197] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201046; rev:1;) alert tcp $HOME_NET any -> [89.185.15.235] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201047; rev:1;) alert tcp $HOME_NET any -> [185.14.30.243] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201048; rev:1;) alert tcp $HOME_NET any -> [89.108.71.148] 8843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201049; rev:1;) alert tcp $HOME_NET any -> [62.129.240.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201050; rev:1;) alert tcp $HOME_NET any -> [213.111.238.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201051; rev:1;) alert tcp $HOME_NET any -> [178.137.224.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201052; rev:1;) alert tcp $HOME_NET any -> [49.50.66.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201053; rev:1;) alert tcp $HOME_NET any -> [5.14.212.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201054; rev:1;) alert tcp $HOME_NET any -> [5.248.51.145] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201055; rev:1;) alert tcp $HOME_NET any -> [85.238.101.24] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201056; rev:1;) alert tcp $HOME_NET any -> [95.105.249.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201057; rev:1;) alert tcp $HOME_NET any -> [134.249.54.24] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201058; rev:1;) alert tcp $HOME_NET any -> [176.104.32.207] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201059; rev:1;) alert tcp $HOME_NET any -> [212.83.171.2] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201060; rev:1;) alert tcp $HOME_NET any -> [78.142.18.68] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201061; rev:1;) alert tcp $HOME_NET any -> [221.132.35.56] 8843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201062; rev:1;) alert tcp $HOME_NET any -> [89.189.174.19] 444 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201063; rev:1;) alert tcp $HOME_NET any -> [178.166.249.241] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201064; rev:1;) alert tcp $HOME_NET any -> [89.163.134.221] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely VMZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201065; rev:1;) alert tcp $HOME_NET any -> [5.164.229.40] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201066; rev:1;) alert tcp $HOME_NET any -> [75.99.13.123] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201067; rev:1;) alert tcp $HOME_NET any -> [46.174.246.236] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201068; rev:1;) alert tcp $HOME_NET any -> [134.249.238.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201069; rev:1;) alert tcp $HOME_NET any -> [77.93.52.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201070; rev:1;) alert tcp $HOME_NET any -> [77.122.184.254] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201071; rev:1;) alert tcp $HOME_NET any -> [46.148.176.222] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201072; rev:1;) alert tcp $HOME_NET any -> [188.190.79.185] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201073; rev:1;) alert tcp $HOME_NET any -> [46.50.179.195] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201074; rev:1;) alert tcp $HOME_NET any -> [91.237.165.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201075; rev:1;) alert tcp $HOME_NET any -> [68.169.54.179] 6446 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201076; rev:1;) alert tcp $HOME_NET any -> [109.87.176.87] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201077; rev:1;) alert tcp $HOME_NET any -> [92.38.98.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201078; rev:1;) alert tcp $HOME_NET any -> [46.146.34.254] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201079; rev:1;) alert tcp $HOME_NET any -> [163.53.247.79] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201080; rev:1;) alert tcp $HOME_NET any -> [176.123.29.23] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201081; rev:1;) alert tcp $HOME_NET any -> [176.123.29.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201082; rev:1;) alert tcp $HOME_NET any -> [176.116.219.35] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201083; rev:1;) alert tcp $HOME_NET any -> [77.121.161.66] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201084; rev:1;) alert tcp $HOME_NET any -> [46.98.28.94] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201085; rev:1;) alert tcp $HOME_NET any -> [46.211.60.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201086; rev:1;) alert tcp $HOME_NET any -> [217.12.218.99] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201087; rev:1;) alert tcp $HOME_NET any -> [95.105.36.219] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201088; rev:1;) alert tcp $HOME_NET any -> [31.170.130.120] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201089; rev:1;) alert tcp $HOME_NET any -> [163.53.247.75] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201090; rev:1;) alert tcp $HOME_NET any -> [50.30.44.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201091; rev:1;) alert tcp $HOME_NET any -> [173.45.192.173] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201092; rev:1;) alert tcp $HOME_NET any -> [178.207.86.183] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201093; rev:1;) alert tcp $HOME_NET any -> [5.44.100.157] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201094; rev:1;) alert tcp $HOME_NET any -> [46.211.80.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201095; rev:1;) alert tcp $HOME_NET any -> [5.15.201.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201096; rev:1;) alert tcp $HOME_NET any -> [89.43.212.203] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201097; rev:1;) alert tcp $HOME_NET any -> [188.209.103.249] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201098; rev:1;) alert tcp $HOME_NET any -> [50.83.40.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201099; rev:1;) alert tcp $HOME_NET any -> [91.142.221.195] 5445 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201100; rev:1;) alert tcp $HOME_NET any -> [178.54.182.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201101; rev:1;) alert tcp $HOME_NET any -> [89.32.40.194] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201102; rev:1;) alert tcp $HOME_NET any -> [95.67.46.154] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201103; rev:1;) alert tcp $HOME_NET any -> [94.45.140.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201104; rev:1;) alert tcp $HOME_NET any -> [91.202.105.30] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201105; rev:1;) alert tcp $HOME_NET any -> [178.44.126.88] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201106; rev:1;) alert tcp $HOME_NET any -> [188.232.142.90] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201107; rev:1;) alert tcp $HOME_NET any -> [185.10.56.115] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201108; rev:1;) alert tcp $HOME_NET any -> [185.10.56.111] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201109; rev:1;) alert tcp $HOME_NET any -> [185.10.56.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201110; rev:1;) alert tcp $HOME_NET any -> [178.211.178.213] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201111; rev:1;) alert tcp $HOME_NET any -> [89.32.145.12] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201112; rev:1;) alert tcp $HOME_NET any -> [5.248.156.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201113; rev:1;) alert tcp $HOME_NET any -> [185.87.51.64] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201114; rev:1;) alert tcp $HOME_NET any -> [178.150.114.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201115; rev:1;) alert tcp $HOME_NET any -> [212.3.104.250] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201116; rev:1;) alert tcp $HOME_NET any -> [95.154.203.249] 4438 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201117; rev:1;) alert tcp $HOME_NET any -> [182.18.182.20] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201118; rev:1;) alert tcp $HOME_NET any -> [185.25.49.119] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201119; rev:1;) alert tcp $HOME_NET any -> [31.207.177.127] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201120; rev:1;) alert tcp $HOME_NET any -> [124.219.79.244] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201121; rev:1;) alert tcp $HOME_NET any -> [37.115.77.215] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201122; rev:1;) alert tcp $HOME_NET any -> [144.76.251.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201123; rev:1;) alert tcp $HOME_NET any -> [46.0.105.129] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201124; rev:1;) alert tcp $HOME_NET any -> [194.44.26.169] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201125; rev:1;) alert tcp $HOME_NET any -> [89.136.78.110] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201126; rev:1;) alert tcp $HOME_NET any -> [176.104.102.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201127; rev:1;) alert tcp $HOME_NET any -> [85.173.178.10] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201128; rev:1;) alert tcp $HOME_NET any -> [5.15.233.255] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201129; rev:1;) alert tcp $HOME_NET any -> [185.97.253.55] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201130; rev:1;) alert tcp $HOME_NET any -> [77.108.234.90] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201131; rev:1;) alert tcp $HOME_NET any -> [178.234.113.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201132; rev:1;) alert tcp $HOME_NET any -> [85.214.71.240] 4438 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201133; rev:1;) alert tcp $HOME_NET any -> [189.220.184.112] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201134; rev:1;) alert tcp $HOME_NET any -> [109.200.148.114] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201135; rev:1;) alert tcp $HOME_NET any -> [85.214.152.31] 4438 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201136; rev:1;) alert tcp $HOME_NET any -> [31.170.107.240] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201137; rev:1;) alert tcp $HOME_NET any -> [213.202.214.141] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201138; rev:1;) alert tcp $HOME_NET any -> [213.202.214.141] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201139; rev:1;) alert tcp $HOME_NET any -> [185.31.163.136] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201140; rev:1;) alert tcp $HOME_NET any -> [5.13.190.196] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201141; rev:1;) alert tcp $HOME_NET any -> [46.185.23.169] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201142; rev:1;) alert tcp $HOME_NET any -> [95.84.35.196] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201143; rev:1;) alert tcp $HOME_NET any -> [23.92.221.82] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201144; rev:1;) alert tcp $HOME_NET any -> [23.92.221.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201145; rev:1;) alert tcp $HOME_NET any -> [176.31.69.78] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201146; rev:1;) alert tcp $HOME_NET any -> [176.31.69.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201147; rev:1;) alert tcp $HOME_NET any -> [176.99.12.194] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201148; rev:1;) alert tcp $HOME_NET any -> [91.200.14.87] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201149; rev:1;) alert tcp $HOME_NET any -> [92.114.125.172] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201150; rev:1;) alert tcp $HOME_NET any -> [5.144.76.135] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201151; rev:1;) alert tcp $HOME_NET any -> [178.158.148.195] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201152; rev:1;) alert tcp $HOME_NET any -> [5.105.57.242] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201153; rev:1;) alert tcp $HOME_NET any -> [46.43.224.57] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201154; rev:1;) alert tcp $HOME_NET any -> [185.82.202.73] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201155; rev:1;) alert tcp $HOME_NET any -> [89.207.129.95] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201156; rev:1;) alert tcp $HOME_NET any -> [82.79.179.30] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201157; rev:1;) alert tcp $HOME_NET any -> [89.41.173.221] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201158; rev:1;) alert tcp $HOME_NET any -> [89.41.173.221] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201159; rev:1;) alert tcp $HOME_NET any -> [217.73.93.77] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201160; rev:1;) alert tcp $HOME_NET any -> [62.75.167.188] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201161; rev:1;) alert tcp $HOME_NET any -> [178.166.229.61] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201162; rev:1;) alert tcp $HOME_NET any -> [77.246.145.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201163; rev:1;) alert tcp $HOME_NET any -> [74.139.176.131] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201164; rev:1;) alert tcp $HOME_NET any -> [163.53.247.37] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201165; rev:1;) alert tcp $HOME_NET any -> [163.53.247.37] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201166; rev:1;) alert tcp $HOME_NET any -> [46.211.23.222] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201167; rev:1;) alert tcp $HOME_NET any -> [109.104.165.232] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201168; rev:1;) alert tcp $HOME_NET any -> [107.15.99.91] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201169; rev:1;) alert tcp $HOME_NET any -> [77.121.83.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201170; rev:1;) alert tcp $HOME_NET any -> [5.2.205.126] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201171; rev:1;) alert tcp $HOME_NET any -> [46.250.3.215] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201172; rev:1;) alert tcp $HOME_NET any -> [92.248.135.6] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201173; rev:1;) alert tcp $HOME_NET any -> [46.4.173.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201174; rev:1;) alert tcp $HOME_NET any -> [89.252.41.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201175; rev:1;) alert tcp $HOME_NET any -> [187.141.112.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201176; rev:1;) alert tcp $HOME_NET any -> [203.172.180.195] 4493 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201177; rev:1;) alert tcp $HOME_NET any -> [109.87.204.143] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201178; rev:1;) alert tcp $HOME_NET any -> [182.93.220.146] 4438 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201179; rev:1;) alert tcp $HOME_NET any -> [93.77.100.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201180; rev:1;) alert tcp $HOME_NET any -> [94.137.4.221] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201181; rev:1;) alert tcp $HOME_NET any -> [81.177.181.217] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201182; rev:1;) alert tcp $HOME_NET any -> [213.231.62.201] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201183; rev:1;) alert tcp $HOME_NET any -> [85.186.231.180] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201184; rev:1;) alert tcp $HOME_NET any -> [78.129.133.249] 4493 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201185; rev:1;) alert tcp $HOME_NET any -> [130.204.240.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201186; rev:1;) alert tcp $HOME_NET any -> [81.162.226.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201187; rev:1;) alert tcp $HOME_NET any -> [78.30.229.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201188; rev:1;) alert tcp $HOME_NET any -> [109.234.34.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201189; rev:1;) alert tcp $HOME_NET any -> [185.82.216.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201190; rev:1;) alert tcp $HOME_NET any -> [185.14.29.186] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201191; rev:1;) alert tcp $HOME_NET any -> [104.207.156.191] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201192; rev:1;) alert tcp $HOME_NET any -> [185.14.30.53] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Retefe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201193; rev:1;) alert tcp $HOME_NET any -> [46.236.191.230] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201194; rev:1;) alert tcp $HOME_NET any -> [104.238.177.7] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201195; rev:1;) alert tcp $HOME_NET any -> [62.76.43.176] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201196; rev:1;) alert tcp $HOME_NET any -> [119.246.242.148] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201197; rev:1;) alert tcp $HOME_NET any -> [185.12.14.8] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201198; rev:1;) alert tcp $HOME_NET any -> [194.135.82.127] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201199; rev:1;) alert tcp $HOME_NET any -> [157.252.245.32] 2448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201200; rev:1;) alert tcp $HOME_NET any -> [91.212.89.239] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201201; rev:1;) alert tcp $HOME_NET any -> [188.138.105.21] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201202; rev:1;) alert tcp $HOME_NET any -> [5.255.78.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201203; rev:1;) alert tcp $HOME_NET any -> [79.117.88.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201204; rev:1;) alert tcp $HOME_NET any -> [176.104.24.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201205; rev:1;) alert tcp $HOME_NET any -> [185.58.225.193] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201206; rev:1;) alert tcp $HOME_NET any -> [185.58.225.193] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201207; rev:1;) alert tcp $HOME_NET any -> [94.253.126.53] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201208; rev:1;) alert tcp $HOME_NET any -> [188.190.209.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201209; rev:1;) alert tcp $HOME_NET any -> [5.255.78.133] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201210; rev:1;) alert tcp $HOME_NET any -> [185.12.14.8] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201211; rev:1;) alert tcp $HOME_NET any -> [78.47.161.143] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201212; rev:1;) alert tcp $HOME_NET any -> [46.20.177.0] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201213; rev:1;) alert tcp $HOME_NET any -> [167.160.36.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201214; rev:1;) alert tcp $HOME_NET any -> [31.220.109.193] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201215; rev:1;) alert tcp $HOME_NET any -> [46.119.94.57] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201216; rev:1;) alert tcp $HOME_NET any -> [213.111.99.179] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201217; rev:1;) alert tcp $HOME_NET any -> [185.27.102.160] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201218; rev:1;) alert tcp $HOME_NET any -> [46.118.71.18] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201219; rev:1;) alert tcp $HOME_NET any -> [151.0.15.219] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201220; rev:1;) alert tcp $HOME_NET any -> [37.229.230.169] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201221; rev:1;) alert tcp $HOME_NET any -> [213.111.189.152] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201222; rev:1;) alert tcp $HOME_NET any -> [92.114.92.116] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201223; rev:1;) alert tcp $HOME_NET any -> [92.114.92.116] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201224; rev:1;) alert tcp $HOME_NET any -> [5.9.253.137] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201225; rev:1;) alert tcp $HOME_NET any -> [5.9.253.137] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201226; rev:1;) alert tcp $HOME_NET any -> [163.53.247.136] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201227; rev:1;) alert tcp $HOME_NET any -> [93.123.236.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201228; rev:1;) alert tcp $HOME_NET any -> [176.118.46.39] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201229; rev:1;) alert tcp $HOME_NET any -> [77.55.254.156] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201230; rev:1;) alert tcp $HOME_NET any -> [77.55.254.156] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201231; rev:1;) alert tcp $HOME_NET any -> [194.135.83.184] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201232; rev:1;) alert tcp $HOME_NET any -> [181.41.210.188] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201233; rev:1;) alert tcp $HOME_NET any -> [94.76.127.113] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201234; rev:1;) alert tcp $HOME_NET any -> [163.53.247.33] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201235; rev:1;) alert tcp $HOME_NET any -> [79.114.91.71] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201236; rev:1;) alert tcp $HOME_NET any -> [163.53.247.14] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201237; rev:1;) alert tcp $HOME_NET any -> [163.53.247.14] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201238; rev:1;) alert tcp $HOME_NET any -> [185.117.72.251] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201239; rev:1;) alert tcp $HOME_NET any -> [88.150.234.34] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201240; rev:1;) alert tcp $HOME_NET any -> [87.249.215.214] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201241; rev:1;) alert tcp $HOME_NET any -> [87.249.215.214] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201242; rev:1;) alert tcp $HOME_NET any -> [31.24.30.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201243; rev:1;) alert tcp $HOME_NET any -> [185.73.222.47] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201244; rev:1;) alert tcp $HOME_NET any -> [192.3.135.47] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201245; rev:1;) alert tcp $HOME_NET any -> [185.106.94.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201246; rev:1;) alert tcp $HOME_NET any -> [94.73.155.10] 2448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201247; rev:1;) alert tcp $HOME_NET any -> [199.175.55.116] 4493 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201248; rev:1;) alert tcp $HOME_NET any -> [203.158.193.83] 444 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201249; rev:1;) alert tcp $HOME_NET any -> [213.111.141.179] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201250; rev:1;) alert tcp $HOME_NET any -> [46.22.134.78] 4493 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201251; rev:1;) alert tcp $HOME_NET any -> [89.46.65.44] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201252; rev:1;) alert tcp $HOME_NET any -> [192.227.136.226] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201253; rev:1;) alert tcp $HOME_NET any -> [78.47.203.94] 4493 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201254; rev:1;) alert tcp $HOME_NET any -> [94.73.155.12] 2448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201255; rev:1;) alert tcp $HOME_NET any -> [103.252.100.44] 4493 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201256; rev:1;) alert tcp $HOME_NET any -> [84.200.70.46] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201257; rev:1;) alert tcp $HOME_NET any -> [46.30.43.4] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201258; rev:1;) alert tcp $HOME_NET any -> [188.165.152.190] 4438 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201259; rev:1;) alert tcp $HOME_NET any -> [176.108.251.247] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201260; rev:1;) alert tcp $HOME_NET any -> [198.23.164.196] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201261; rev:1;) alert tcp $HOME_NET any -> [79.98.104.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201262; rev:1;) alert tcp $HOME_NET any -> [5.136.178.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201263; rev:1;) alert tcp $HOME_NET any -> [198.23.164.196] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201264; rev:1;) alert tcp $HOME_NET any -> [46.175.99.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201265; rev:1;) alert tcp $HOME_NET any -> [86.121.139.243] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201266; rev:1;) alert tcp $HOME_NET any -> [42.117.2.85] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201267; rev:1;) alert tcp $HOME_NET any -> [46.101.222.127] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201268; rev:1;) alert tcp $HOME_NET any -> [46.101.222.127] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201269; rev:1;) alert tcp $HOME_NET any -> [178.137.82.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201270; rev:1;) alert tcp $HOME_NET any -> [81.2.243.94] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201271; rev:1;) alert tcp $HOME_NET any -> [159.253.3.233] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201272; rev:1;) alert tcp $HOME_NET any -> [62.80.253.44] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201273; rev:1;) alert tcp $HOME_NET any -> [46.201.54.91] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201274; rev:1;) alert tcp $HOME_NET any -> [185.86.149.194] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201275; rev:1;) alert tcp $HOME_NET any -> [185.86.149.194] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201276; rev:1;) alert tcp $HOME_NET any -> [157.252.245.29] 2448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201277; rev:1;) alert tcp $HOME_NET any -> [45.127.92.179] 4538 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201278; rev:1;) alert tcp $HOME_NET any -> [185.117.73.211] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201279; rev:1;) alert tcp $HOME_NET any -> [46.211.39.37] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201280; rev:1;) alert tcp $HOME_NET any -> [94.73.155.11] 2448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201281; rev:1;) alert tcp $HOME_NET any -> [115.249.247.26] 4538 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201282; rev:1;) alert tcp $HOME_NET any -> [188.40.253.158] 243 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201283; rev:1;) alert tcp $HOME_NET any -> [213.159.253.119] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201284; rev:1;) alert tcp $HOME_NET any -> [92.222.98.101] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201285; rev:1;) alert tcp $HOME_NET any -> [188.24.184.86] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201286; rev:1;) alert tcp $HOME_NET any -> [188.167.160.26] 444 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201287; rev:1;) alert tcp $HOME_NET any -> [91.222.245.35] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201288; rev:1;) alert tcp $HOME_NET any -> [176.99.171.58] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201289; rev:1;) alert tcp $HOME_NET any -> [94.232.79.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201290; rev:1;) alert tcp $HOME_NET any -> [78.47.66.169] 7447 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201291; rev:1;) alert tcp $HOME_NET any -> [162.208.8.198] 3448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201292; rev:1;) alert tcp $HOME_NET any -> [95.106.31.223] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201293; rev:1;) alert tcp $HOME_NET any -> [37.46.121.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201294; rev:1;) alert tcp $HOME_NET any -> [95.190.48.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201295; rev:1;) alert tcp $HOME_NET any -> [23.113.113.105] 243 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201296; rev:1;) alert tcp $HOME_NET any -> [200.49.169.94] 444 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201297; rev:1;) alert tcp $HOME_NET any -> [188.230.65.72] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201298; rev:1;) alert tcp $HOME_NET any -> [108.61.178.212] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201299; rev:1;) alert tcp $HOME_NET any -> [95.110.30.165] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201300; rev:1;) alert tcp $HOME_NET any -> [46.183.217.165] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201301; rev:1;) alert tcp $HOME_NET any -> [188.210.228.211] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201302; rev:1;) alert tcp $HOME_NET any -> [80.78.253.86] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201303; rev:1;) alert tcp $HOME_NET any -> [151.236.18.110] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201304; rev:1;) alert tcp $HOME_NET any -> [151.236.18.110] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201305; rev:1;) alert tcp $HOME_NET any -> [84.200.70.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201306; rev:1;) alert tcp $HOME_NET any -> [85.237.35.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201307; rev:1;) alert tcp $HOME_NET any -> [5.45.179.178] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201308; rev:1;) alert tcp $HOME_NET any -> [5.45.179.178] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201309; rev:1;) alert tcp $HOME_NET any -> [193.238.97.98] 243 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201310; rev:1;) alert tcp $HOME_NET any -> [89.121.205.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201311; rev:1;) alert tcp $HOME_NET any -> [176.124.10.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201312; rev:1;) alert tcp $HOME_NET any -> [93.76.205.220] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201313; rev:1;) alert tcp $HOME_NET any -> [5.196.128.192] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201314; rev:1;) alert tcp $HOME_NET any -> [216.189.52.147] 243 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201315; rev:1;) alert tcp $HOME_NET any -> [91.214.114.196] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201316; rev:1;) alert tcp $HOME_NET any -> [5.136.78.25] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201317; rev:1;) alert tcp $HOME_NET any -> [46.254.17.92] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201318; rev:1;) alert tcp $HOME_NET any -> [5.165.138.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201319; rev:1;) alert tcp $HOME_NET any -> [94.179.172.123] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201320; rev:1;) alert tcp $HOME_NET any -> [192.227.158.140] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201321; rev:1;) alert tcp $HOME_NET any -> [136.145.86.27] 3448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201322; rev:1;) alert tcp $HOME_NET any -> [109.201.220.125] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201323; rev:1;) alert tcp $HOME_NET any -> [88.198.119.118] 5001 (msg:"SSL Blacklist: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201324; rev:1;) alert tcp $HOME_NET any -> [89.185.12.238] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201325; rev:1;) alert tcp $HOME_NET any -> [188.126.116.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201326; rev:1;) alert tcp $HOME_NET any -> [91.244.38.12] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201327; rev:1;) alert tcp $HOME_NET any -> [93.78.67.85] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201328; rev:1;) alert tcp $HOME_NET any -> [43.249.36.86] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201329; rev:1;) alert tcp $HOME_NET any -> [31.184.198.248] 5001 (msg:"SSL Blacklist: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201330; rev:1;) alert tcp $HOME_NET any -> [86.124.10.172] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201331; rev:1;) alert tcp $HOME_NET any -> [195.14.104.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201332; rev:1;) alert tcp $HOME_NET any -> [95.85.23.88] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201333; rev:1;) alert tcp $HOME_NET any -> [95.85.23.88] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201334; rev:1;) alert tcp $HOME_NET any -> [212.91.196.240] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201335; rev:1;) alert tcp $HOME_NET any -> [136.243.99.219] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201336; rev:1;) alert tcp $HOME_NET any -> [212.106.48.238] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201337; rev:1;) alert tcp $HOME_NET any -> [195.66.222.86] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201338; rev:1;) alert tcp $HOME_NET any -> [188.186.75.41] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201339; rev:1;) alert tcp $HOME_NET any -> [185.45.192.210] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201340; rev:1;) alert tcp $HOME_NET any -> [185.45.192.210] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201341; rev:1;) alert tcp $HOME_NET any -> [188.0.93.2] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201342; rev:1;) alert tcp $HOME_NET any -> [85.143.219.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201343; rev:1;) alert tcp $HOME_NET any -> [46.98.164.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201344; rev:1;) alert tcp $HOME_NET any -> [188.0.122.38] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201345; rev:1;) alert tcp $HOME_NET any -> [185.86.149.224] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201346; rev:1;) alert tcp $HOME_NET any -> [146.185.243.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201347; rev:1;) alert tcp $HOME_NET any -> [192.227.158.188] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201348; rev:1;) alert tcp $HOME_NET any -> [192.227.158.188] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201349; rev:1;) alert tcp $HOME_NET any -> [199.7.136.84] 8143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201350; rev:1;) alert tcp $HOME_NET any -> [64.79.99.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201351; rev:1;) alert tcp $HOME_NET any -> [24.214.18.167] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201352; rev:1;) alert tcp $HOME_NET any -> [95.215.108.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201353; rev:1;) alert tcp $HOME_NET any -> [176.121.252.119] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201354; rev:1;) alert tcp $HOME_NET any -> [138.4.249.254] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201355; rev:1;) alert tcp $HOME_NET any -> [104.206.221.165] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201356; rev:1;) alert tcp $HOME_NET any -> [104.206.221.165] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201357; rev:1;) alert tcp $HOME_NET any -> [185.117.72.87] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201358; rev:1;) alert tcp $HOME_NET any -> [185.117.72.87] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201359; rev:1;) alert tcp $HOME_NET any -> [134.249.74.86] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201360; rev:1;) alert tcp $HOME_NET any -> [31.6.124.141] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201361; rev:1;) alert tcp $HOME_NET any -> [123.203.102.113] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201362; rev:1;) alert tcp $HOME_NET any -> [192.227.158.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201363; rev:1;) alert tcp $HOME_NET any -> [80.96.150.201] 9943 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201364; rev:1;) alert tcp $HOME_NET any -> [168.187.96.115] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201365; rev:1;) alert tcp $HOME_NET any -> [188.190.72.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201366; rev:1;) alert tcp $HOME_NET any -> [185.82.202.38] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201367; rev:1;) alert tcp $HOME_NET any -> [185.82.202.38] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201368; rev:1;) alert tcp $HOME_NET any -> [109.87.187.170] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201369; rev:1;) alert tcp $HOME_NET any -> [202.69.40.173] 243 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201370; rev:1;) alert tcp $HOME_NET any -> [185.82.202.84] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201371; rev:1;) alert tcp $HOME_NET any -> [78.61.114.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201372; rev:1;) alert tcp $HOME_NET any -> [93.174.95.35] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201373; rev:1;) alert tcp $HOME_NET any -> [198.96.89.181] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201374; rev:1;) alert tcp $HOME_NET any -> [37.229.28.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201375; rev:1;) alert tcp $HOME_NET any -> [93.170.152.201] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201376; rev:1;) alert tcp $HOME_NET any -> [46.98.109.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201377; rev:1;) alert tcp $HOME_NET any -> [85.93.145.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201378; rev:1;) alert tcp $HOME_NET any -> [176.102.216.221] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201379; rev:1;) alert tcp $HOME_NET any -> [51.255.146.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201380; rev:1;) alert tcp $HOME_NET any -> [46.119.119.112] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201381; rev:1;) alert tcp $HOME_NET any -> [109.194.13.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201382; rev:1;) alert tcp $HOME_NET any -> [213.111.147.244] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201383; rev:1;) alert tcp $HOME_NET any -> [93.113.248.85] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201384; rev:1;) alert tcp $HOME_NET any -> [91.243.229.223] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201385; rev:1;) alert tcp $HOME_NET any -> [172.248.107.77] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201386; rev:1;) alert tcp $HOME_NET any -> [195.66.223.39] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201387; rev:1;) alert tcp $HOME_NET any -> [91.244.37.202] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201388; rev:1;) alert tcp $HOME_NET any -> [188.166.74.217] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201389; rev:1;) alert tcp $HOME_NET any -> [188.166.74.217] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201390; rev:1;) alert tcp $HOME_NET any -> [88.214.207.68] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201391; rev:1;) alert tcp $HOME_NET any -> [78.47.64.118] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201392; rev:1;) alert tcp $HOME_NET any -> [95.106.82.63] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201393; rev:1;) alert tcp $HOME_NET any -> [198.96.89.181] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201394; rev:1;) alert tcp $HOME_NET any -> [199.68.198.117] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201395; rev:1;) alert tcp $HOME_NET any -> [199.68.198.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201396; rev:1;) alert tcp $HOME_NET any -> [188.127.249.165] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201397; rev:1;) alert tcp $HOME_NET any -> [5.105.197.75] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201398; rev:1;) alert tcp $HOME_NET any -> [178.150.6.152] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201399; rev:1;) alert tcp $HOME_NET any -> [79.126.59.177] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201400; rev:1;) alert tcp $HOME_NET any -> [176.115.155.191] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201401; rev:1;) alert tcp $HOME_NET any -> [194.8.158.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201402; rev:1;) alert tcp $HOME_NET any -> [213.111.142.72] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201403; rev:1;) alert tcp $HOME_NET any -> [199.7.136.88] 8143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201404; rev:1;) alert tcp $HOME_NET any -> [151.80.142.33] 1743 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201405; rev:1;) alert tcp $HOME_NET any -> [62.109.133.248] 444 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201406; rev:1;) alert tcp $HOME_NET any -> [213.159.214.196] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201407; rev:1;) alert tcp $HOME_NET any -> [193.28.179.149] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201408; rev:1;) alert tcp $HOME_NET any -> [46.161.40.105] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201409; rev:1;) alert tcp $HOME_NET any -> [193.218.145.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201410; rev:1;) alert tcp $HOME_NET any -> [185.36.102.95] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201411; rev:1;) alert tcp $HOME_NET any -> [31.170.152.131] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201412; rev:1;) alert tcp $HOME_NET any -> [176.37.225.130] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201413; rev:1;) alert tcp $HOME_NET any -> [109.235.70.20] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201414; rev:1;) alert tcp $HOME_NET any -> [109.235.70.20] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201415; rev:1;) alert tcp $HOME_NET any -> [195.66.222.173] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201416; rev:1;) alert tcp $HOME_NET any -> [176.10.124.195] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201417; rev:1;) alert tcp $HOME_NET any -> [178.18.249.147] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201418; rev:1;) alert tcp $HOME_NET any -> [178.18.249.147] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201419; rev:1;) alert tcp $HOME_NET any -> [31.41.44.5] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201420; rev:1;) alert tcp $HOME_NET any -> [37.115.157.90] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201421; rev:1;) alert tcp $HOME_NET any -> [178.20.159.93] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201422; rev:1;) alert tcp $HOME_NET any -> [92.87.69.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201423; rev:1;) alert tcp $HOME_NET any -> [94.232.207.193] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201424; rev:1;) alert tcp $HOME_NET any -> [94.19.198.38] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201425; rev:1;) alert tcp $HOME_NET any -> [188.27.236.220] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201426; rev:1;) alert tcp $HOME_NET any -> [46.151.42.154] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201427; rev:1;) alert tcp $HOME_NET any -> [23.88.104.64] 243 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201428; rev:1;) alert tcp $HOME_NET any -> [109.237.108.176] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201429; rev:1;) alert tcp $HOME_NET any -> [87.120.37.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201430; rev:1;) alert tcp $HOME_NET any -> [46.173.71.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201431; rev:1;) alert tcp $HOME_NET any -> [94.253.83.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201432; rev:1;) alert tcp $HOME_NET any -> [213.111.232.28] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201433; rev:1;) alert tcp $HOME_NET any -> [78.47.119.93] 666 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201434; rev:1;) alert tcp $HOME_NET any -> [117.239.192.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201435; rev:1;) alert tcp $HOME_NET any -> [62.68.148.132] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201436; rev:1;) alert tcp $HOME_NET any -> [5.135.99.128] 14756 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201437; rev:1;) alert tcp $HOME_NET any -> [89.38.150.118] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201438; rev:1;) alert tcp $HOME_NET any -> [104.131.59.185] 243 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201439; rev:1;) alert tcp $HOME_NET any -> [1.179.170.7] 4493 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201440; rev:1;) alert tcp $HOME_NET any -> [162.244.76.40] 3448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201441; rev:1;) alert tcp $HOME_NET any -> [177.153.4.189] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201442; rev:1;) alert tcp $HOME_NET any -> [5.39.185.231] 444 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201443; rev:1;) alert tcp $HOME_NET any -> [62.76.188.237] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201444; rev:1;) alert tcp $HOME_NET any -> [91.241.227.106] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201445; rev:1;) alert tcp $HOME_NET any -> [46.211.43.150] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201446; rev:1;) alert tcp $HOME_NET any -> [93.127.114.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201447; rev:1;) alert tcp $HOME_NET any -> [109.87.249.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201448; rev:1;) alert tcp $HOME_NET any -> [93.171.21.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201449; rev:1;) alert tcp $HOME_NET any -> [31.170.104.57] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201450; rev:1;) alert tcp $HOME_NET any -> [178.216.227.244] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201451; rev:1;) alert tcp $HOME_NET any -> [51.255.155.169] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201452; rev:1;) alert tcp $HOME_NET any -> [185.45.193.220] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201453; rev:1;) alert tcp $HOME_NET any -> [94.153.65.14] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201454; rev:1;) alert tcp $HOME_NET any -> [93.78.7.146] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201455; rev:1;) alert tcp $HOME_NET any -> [94.52.72.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201456; rev:1;) alert tcp $HOME_NET any -> [89.35.61.44] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201457; rev:1;) alert tcp $HOME_NET any -> [193.93.218.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201458; rev:1;) alert tcp $HOME_NET any -> [5.2.32.18] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201459; rev:1;) alert tcp $HOME_NET any -> [93.77.115.10] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201460; rev:1;) alert tcp $HOME_NET any -> [37.229.135.205] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201461; rev:1;) alert tcp $HOME_NET any -> [46.249.131.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201462; rev:1;) alert tcp $HOME_NET any -> [77.121.255.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201463; rev:1;) alert tcp $HOME_NET any -> [185.22.17.85] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201464; rev:1;) alert tcp $HOME_NET any -> [95.133.197.95] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201465; rev:1;) alert tcp $HOME_NET any -> [193.242.211.187] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201466; rev:1;) alert tcp $HOME_NET any -> [114.215.108.157] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201467; rev:1;) alert tcp $HOME_NET any -> [93.79.199.189] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201468; rev:1;) alert tcp $HOME_NET any -> [80.58.201.5] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201469; rev:1;) alert tcp $HOME_NET any -> [185.14.28.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201470; rev:1;) alert tcp $HOME_NET any -> [198.55.107.114] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201471; rev:1;) alert tcp $HOME_NET any -> [162.221.183.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201472; rev:1;) alert tcp $HOME_NET any -> [85.25.200.103] 1143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201473; rev:1;) alert tcp $HOME_NET any -> [41.38.18.230] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201474; rev:1;) alert tcp $HOME_NET any -> [172.245.130.32] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201475; rev:1;) alert tcp $HOME_NET any -> [172.245.130.32] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201476; rev:1;) alert tcp $HOME_NET any -> [89.37.214.2] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201477; rev:1;) alert tcp $HOME_NET any -> [104.224.128.163] 3448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201478; rev:1;) alert tcp $HOME_NET any -> [188.138.88.14] 1143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201479; rev:1;) alert tcp $HOME_NET any -> [110.77.142.156] 8143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201480; rev:1;) alert tcp $HOME_NET any -> [185.25.116.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201481; rev:1;) alert tcp $HOME_NET any -> [45.32.94.132] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201482; rev:1;) alert tcp $HOME_NET any -> [87.117.242.7] 8843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201483; rev:1;) alert tcp $HOME_NET any -> [195.219.57.34] 8843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201484; rev:1;) alert tcp $HOME_NET any -> [185.25.118.197] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201485; rev:1;) alert tcp $HOME_NET any -> [216.117.130.191] 1143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201486; rev:1;) alert tcp $HOME_NET any -> [89.42.70.241] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201487; rev:1;) alert tcp $HOME_NET any -> [178.76.67.12] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201488; rev:1;) alert tcp $HOME_NET any -> [46.101.190.62] 1143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201489; rev:1;) alert tcp $HOME_NET any -> [203.151.94.214] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201490; rev:1;) alert tcp $HOME_NET any -> [188.138.71.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201491; rev:1;) alert tcp $HOME_NET any -> [62.75.219.30] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201492; rev:1;) alert tcp $HOME_NET any -> [192.232.204.53] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201493; rev:1;) alert tcp $HOME_NET any -> [198.50.234.211] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201494; rev:1;) alert tcp $HOME_NET any -> [216.59.16.175] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201495; rev:1;) alert tcp $HOME_NET any -> [176.53.0.103] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201496; rev:1;) alert tcp $HOME_NET any -> [114.113.148.141] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201497; rev:1;) alert tcp $HOME_NET any -> [93.188.163.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201498; rev:1;) alert tcp $HOME_NET any -> [216.224.175.92] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201499; rev:1;) alert tcp $HOME_NET any -> [37.46.128.37] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201500; rev:1;) alert tcp $HOME_NET any -> [46.183.165.8] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201501; rev:1;) alert tcp $HOME_NET any -> [45.124.65.51] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201502; rev:1;) alert tcp $HOME_NET any -> [79.174.65.197] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201503; rev:1;) alert tcp $HOME_NET any -> [79.174.64.84] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201504; rev:1;) alert tcp $HOME_NET any -> [198.154.62.28] 444 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201505; rev:1;) alert tcp $HOME_NET any -> [80.78.253.130] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201506; rev:1;) alert tcp $HOME_NET any -> [216.170.126.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201507; rev:1;) alert tcp $HOME_NET any -> [125.212.205.220] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201508; rev:1;) alert tcp $HOME_NET any -> [109.234.35.112] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201509; rev:1;) alert tcp $HOME_NET any -> [192.241.207.251] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201510; rev:1;) alert tcp $HOME_NET any -> [91.199.149.187] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201511; rev:1;) alert tcp $HOME_NET any -> [95.163.107.52] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201512; rev:1;) alert tcp $HOME_NET any -> [78.137.13.12] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201513; rev:1;) alert tcp $HOME_NET any -> [185.30.98.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201514; rev:1;) alert tcp $HOME_NET any -> [188.227.74.90] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201515; rev:1;) alert tcp $HOME_NET any -> [103.193.4.131] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201516; rev:1;) alert tcp $HOME_NET any -> [194.58.97.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201517; rev:1;) alert tcp $HOME_NET any -> [107.161.145.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201518; rev:1;) alert tcp $HOME_NET any -> [192.210.137.123] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201519; rev:1;) alert tcp $HOME_NET any -> [91.195.12.150] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201520; rev:1;) alert tcp $HOME_NET any -> [103.224.83.130] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201521; rev:1;) alert tcp $HOME_NET any -> [46.105.88.116] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201522; rev:1;) alert tcp $HOME_NET any -> [77.121.63.196] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201523; rev:1;) alert tcp $HOME_NET any -> [51.255.107.20] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201524; rev:1;) alert tcp $HOME_NET any -> [85.143.221.170] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201525; rev:1;) alert tcp $HOME_NET any -> [149.202.127.212] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201526; rev:1;) alert tcp $HOME_NET any -> [149.202.127.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201527; rev:1;) alert tcp $HOME_NET any -> [110.138.108.142] 3448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201528; rev:1;) alert tcp $HOME_NET any -> [119.160.223.115] 1143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201529; rev:1;) alert tcp $HOME_NET any -> [91.215.153.43] 5001 (msg:"SSL Blacklist: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201530; rev:1;) alert tcp $HOME_NET any -> [195.110.58.105] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201531; rev:1;) alert tcp $HOME_NET any -> [85.93.145.30] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201532; rev:1;) alert tcp $HOME_NET any -> [92.63.99.34] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201533; rev:1;) alert tcp $HOME_NET any -> [103.194.43.48] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201534; rev:1;) alert tcp $HOME_NET any -> [109.237.109.148] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201535; rev:1;) alert tcp $HOME_NET any -> [51.255.107.49] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201536; rev:1;) alert tcp $HOME_NET any -> [194.126.100.220] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201537; rev:1;) alert tcp $HOME_NET any -> [91.240.84.224] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201538; rev:1;) alert tcp $HOME_NET any -> [193.218.145.168] 5001 (msg:"SSL Blacklist: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201539; rev:1;) alert tcp $HOME_NET any -> [95.163.121.204] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201540; rev:1;) alert tcp $HOME_NET any -> [80.90.179.149] 5001 (msg:"SSL Blacklist: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201541; rev:1;) alert tcp $HOME_NET any -> [185.130.4.98] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201542; rev:1;) alert tcp $HOME_NET any -> [162.253.176.224] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201543; rev:1;) alert tcp $HOME_NET any -> [138.204.171.113] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201544; rev:1;) alert tcp $HOME_NET any -> [198.50.234.210] 343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201545; rev:1;) alert tcp $HOME_NET any -> [91.195.12.164] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201546; rev:1;) alert tcp $HOME_NET any -> [104.244.159.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201547; rev:1;) alert tcp $HOME_NET any -> [46.63.1.192] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201548; rev:1;) alert tcp $HOME_NET any -> [45.58.62.161] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201549; rev:1;) alert tcp $HOME_NET any -> [162.210.249.90] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201550; rev:1;) alert tcp $HOME_NET any -> [192.157.239.137] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201551; rev:1;) alert tcp $HOME_NET any -> [192.157.239.137] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201552; rev:1;) alert tcp $HOME_NET any -> [88.214.207.56] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201553; rev:1;) alert tcp $HOME_NET any -> [85.143.166.200] 1743 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201554; rev:1;) alert tcp $HOME_NET any -> [195.72.158.150] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201555; rev:1;) alert tcp $HOME_NET any -> [50.7.143.19] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201556; rev:1;) alert tcp $HOME_NET any -> [85.25.102.156] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201557; rev:1;) alert tcp $HOME_NET any -> [85.25.102.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201558; rev:1;) alert tcp $HOME_NET any -> [89.248.171.237] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201559; rev:1;) alert tcp $HOME_NET any -> [89.248.171.237] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201560; rev:1;) alert tcp $HOME_NET any -> [185.24.92.236] 1743 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201561; rev:1;) alert tcp $HOME_NET any -> [85.143.223.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201562; rev:1;) alert tcp $HOME_NET any -> [46.101.155.53] 1143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201563; rev:1;) alert tcp $HOME_NET any -> [160.114.111.17] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201564; rev:1;) alert tcp $HOME_NET any -> [185.24.92.229] 4743 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201565; rev:1;) alert tcp $HOME_NET any -> [37.139.47.101] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201566; rev:1;) alert tcp $HOME_NET any -> [93.171.158.234] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201567; rev:1;) alert tcp $HOME_NET any -> [188.227.75.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201568; rev:1;) alert tcp $HOME_NET any -> [91.239.232.145] 1743 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201569; rev:1;) alert tcp $HOME_NET any -> [81.177.27.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201570; rev:1;) alert tcp $HOME_NET any -> [188.255.93.37] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201571; rev:1;) alert tcp $HOME_NET any -> [188.127.231.194] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201572; rev:1;) alert tcp $HOME_NET any -> [119.160.223.114] 343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201573; rev:1;) alert tcp $HOME_NET any -> [89.252.203.18] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201574; rev:1;) alert tcp $HOME_NET any -> [185.35.108.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201575; rev:1;) alert tcp $HOME_NET any -> [95.163.121.185] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201576; rev:1;) alert tcp $HOME_NET any -> [185.118.142.211] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201577; rev:1;) alert tcp $HOME_NET any -> [195.128.125.191] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201578; rev:1;) alert tcp $HOME_NET any -> [109.237.111.126] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201579; rev:1;) alert tcp $HOME_NET any -> [151.80.176.72] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201580; rev:1;) alert tcp $HOME_NET any -> [151.80.176.72] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201581; rev:1;) alert tcp $HOME_NET any -> [93.78.217.148] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201582; rev:1;) alert tcp $HOME_NET any -> [103.245.153.70] 343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201583; rev:1;) alert tcp $HOME_NET any -> [181.177.231.245] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201584; rev:1;) alert tcp $HOME_NET any -> [95.215.110.120] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201585; rev:1;) alert tcp $HOME_NET any -> [147.156.165.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201586; rev:1;) alert tcp $HOME_NET any -> [62.75.237.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201587; rev:1;) alert tcp $HOME_NET any -> [62.76.191.108] 1743 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201588; rev:1;) alert tcp $HOME_NET any -> [212.126.59.41] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201589; rev:1;) alert tcp $HOME_NET any -> [93.76.72.58] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201590; rev:1;) alert tcp $HOME_NET any -> [165.233.159.225] 444 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201591; rev:1;) alert tcp $HOME_NET any -> [82.118.226.43] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201592; rev:1;) alert tcp $HOME_NET any -> [82.118.226.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201593; rev:1;) alert tcp $HOME_NET any -> [81.4.123.193] 9943 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201594; rev:1;) alert tcp $HOME_NET any -> [46.16.200.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201595; rev:1;) alert tcp $HOME_NET any -> [194.58.122.40] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201596; rev:1;) alert tcp $HOME_NET any -> [188.40.224.73] 643 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201597; rev:1;) alert tcp $HOME_NET any -> [188.138.25.229] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201598; rev:1;) alert tcp $HOME_NET any -> [188.127.237.198] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201599; rev:1;) alert tcp $HOME_NET any -> [81.176.239.97] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201600; rev:1;) alert tcp $HOME_NET any -> [178.250.241.65] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201601; rev:1;) alert tcp $HOME_NET any -> [80.87.200.157] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201602; rev:1;) alert tcp $HOME_NET any -> [50.56.184.194] 643 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201603; rev:1;) alert tcp $HOME_NET any -> [188.127.231.170] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201604; rev:1;) alert tcp $HOME_NET any -> [188.225.34.221] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201605; rev:1;) alert tcp $HOME_NET any -> [91.199.149.227] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201606; rev:1;) alert tcp $HOME_NET any -> [194.58.119.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201607; rev:1;) alert tcp $HOME_NET any -> [62.75.196.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201608; rev:1;) alert tcp $HOME_NET any -> [91.214.114.110] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201609; rev:1;) alert tcp $HOME_NET any -> [134.249.31.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201610; rev:1;) alert tcp $HOME_NET any -> [188.165.28.233] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201611; rev:1;) alert tcp $HOME_NET any -> [192.157.227.220] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201612; rev:1;) alert tcp $HOME_NET any -> [188.227.18.202] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201613; rev:1;) alert tcp $HOME_NET any -> [91.200.14.59] 5001 (msg:"SSL Blacklist: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201614; rev:1;) alert tcp $HOME_NET any -> [194.58.92.2] 643 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201615; rev:1;) alert tcp $HOME_NET any -> [213.157.51.28] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201616; rev:1;) alert tcp $HOME_NET any -> [192.80.190.233] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201617; rev:1;) alert tcp $HOME_NET any -> [87.229.86.20] 843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201618; rev:1;) alert tcp $HOME_NET any -> [85.143.218.236] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201619; rev:1;) alert tcp $HOME_NET any -> [149.202.251.62] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201620; rev:1;) alert tcp $HOME_NET any -> [202.158.123.130] 643 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201621; rev:1;) alert tcp $HOME_NET any -> [59.148.246.214] 243 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201622; rev:1;) alert tcp $HOME_NET any -> [84.38.67.231] 643 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201623; rev:1;) alert tcp $HOME_NET any -> [178.250.240.189] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201624; rev:1;) alert tcp $HOME_NET any -> [185.82.216.38] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201625; rev:1;) alert tcp $HOME_NET any -> [217.106.239.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201626; rev:1;) alert tcp $HOME_NET any -> [192.100.170.19] 843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201627; rev:1;) alert tcp $HOME_NET any -> [62.213.67.77] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201628; rev:1;) alert tcp $HOME_NET any -> [46.118.130.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201629; rev:1;) alert tcp $HOME_NET any -> [185.80.53.20] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201630; rev:1;) alert tcp $HOME_NET any -> [5.136.100.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201631; rev:1;) alert tcp $HOME_NET any -> [185.46.10.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201632; rev:1;) alert tcp $HOME_NET any -> [178.151.203.248] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201633; rev:1;) alert tcp $HOME_NET any -> [43.251.157.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201634; rev:1;) alert tcp $HOME_NET any -> [185.86.150.115] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201635; rev:1;) alert tcp $HOME_NET any -> [51.254.162.83] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201636; rev:1;) alert tcp $HOME_NET any -> [37.139.47.252] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201637; rev:1;) alert tcp $HOME_NET any -> [178.250.240.44] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201638; rev:1;) alert tcp $HOME_NET any -> [185.12.12.154] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201639; rev:1;) alert tcp $HOME_NET any -> [31.130.9.247] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201640; rev:1;) alert tcp $HOME_NET any -> [185.86.150.103] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201641; rev:1;) alert tcp $HOME_NET any -> [210.70.242.41] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201642; rev:1;) alert tcp $HOME_NET any -> [128.199.186.92] 643 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201643; rev:1;) alert tcp $HOME_NET any -> [41.79.173.47] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201644; rev:1;) alert tcp $HOME_NET any -> [185.22.65.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201645; rev:1;) alert tcp $HOME_NET any -> [203.158.193.3] 843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201646; rev:1;) alert tcp $HOME_NET any -> [27.131.149.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201647; rev:1;) alert tcp $HOME_NET any -> [176.123.29.91] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201648; rev:1;) alert tcp $HOME_NET any -> [5.101.67.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201649; rev:1;) alert tcp $HOME_NET any -> [95.213.165.183] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201650; rev:1;) alert tcp $HOME_NET any -> [194.58.120.251] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201651; rev:1;) alert tcp $HOME_NET any -> [31.148.99.248] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201652; rev:1;) alert tcp $HOME_NET any -> [168.235.66.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201653; rev:1;) alert tcp $HOME_NET any -> [23.249.171.33] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201654; rev:1;) alert tcp $HOME_NET any -> [166.84.7.180] 4113 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201655; rev:1;) alert tcp $HOME_NET any -> [31.41.45.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201656; rev:1;) alert tcp $HOME_NET any -> [192.100.170.12] 843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201657; rev:1;) alert tcp $HOME_NET any -> [46.98.198.248] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201658; rev:1;) alert tcp $HOME_NET any -> [46.148.187.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201659; rev:1;) alert tcp $HOME_NET any -> [31.135.112.64] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201660; rev:1;) alert tcp $HOME_NET any -> [85.25.236.32] 4430 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201661; rev:1;) alert tcp $HOME_NET any -> [164.132.53.34] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201662; rev:1;) alert tcp $HOME_NET any -> [192.169.6.173] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201663; rev:1;) alert tcp $HOME_NET any -> [178.137.80.252] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201664; rev:1;) alert tcp $HOME_NET any -> [222.255.121.202] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201665; rev:1;) alert tcp $HOME_NET any -> [193.111.188.230] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201666; rev:1;) alert tcp $HOME_NET any -> [217.144.170.77] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201667; rev:1;) alert tcp $HOME_NET any -> [95.79.72.128] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201668; rev:1;) alert tcp $HOME_NET any -> [155.94.144.93] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201669; rev:1;) alert tcp $HOME_NET any -> [80.86.91.232] 4243 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201670; rev:1;) alert tcp $HOME_NET any -> [213.192.1.178] 4113 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201671; rev:1;) alert tcp $HOME_NET any -> [188.40.224.76] 643 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201672; rev:1;) alert tcp $HOME_NET any -> [81.93.151.248] 4243 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201673; rev:1;) alert tcp $HOME_NET any -> [91.236.4.234] 4243 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201674; rev:1;) alert tcp $HOME_NET any -> [91.83.45.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201675; rev:1;) alert tcp $HOME_NET any -> [203.162.141.13] 843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201676; rev:1;) alert tcp $HOME_NET any -> [46.22.128.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201677; rev:1;) alert tcp $HOME_NET any -> [192.157.238.182] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201678; rev:1;) alert tcp $HOME_NET any -> [84.200.2.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201679; rev:1;) alert tcp $HOME_NET any -> [78.47.235.236] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201680; rev:1;) alert tcp $HOME_NET any -> [5.8.55.194] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201681; rev:1;) alert tcp $HOME_NET any -> [83.220.172.231] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201682; rev:1;) alert tcp $HOME_NET any -> [181.215.115.202] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201683; rev:1;) alert tcp $HOME_NET any -> [95.46.114.30] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201684; rev:1;) alert tcp $HOME_NET any -> [195.123.209.64] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201685; rev:1;) alert tcp $HOME_NET any -> [75.99.13.124] 943 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201686; rev:1;) alert tcp $HOME_NET any -> [188.40.224.78] 643 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201687; rev:1;) alert tcp $HOME_NET any -> [192.157.249.24] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201688; rev:1;) alert tcp $HOME_NET any -> [83.220.173.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201689; rev:1;) alert tcp $HOME_NET any -> [80.249.6.216] 943 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201690; rev:1;) alert tcp $HOME_NET any -> [51.254.19.207] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201691; rev:1;) alert tcp $HOME_NET any -> [78.108.93.186] 643 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201692; rev:1;) alert tcp $HOME_NET any -> [103.13.29.158] 943 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201693; rev:1;) alert tcp $HOME_NET any -> [62.76.184.86] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201694; rev:1;) alert tcp $HOME_NET any -> [185.118.65.167] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201695; rev:1;) alert tcp $HOME_NET any -> [188.127.231.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201696; rev:1;) alert tcp $HOME_NET any -> [185.118.65.172] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201697; rev:1;) alert tcp $HOME_NET any -> [91.201.214.38] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201698; rev:1;) alert tcp $HOME_NET any -> [188.165.215.180] 1234 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201699; rev:1;) alert tcp $HOME_NET any -> [87.106.8.177] 643 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201700; rev:1;) alert tcp $HOME_NET any -> [46.166.172.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201701; rev:1;) alert tcp $HOME_NET any -> [78.40.108.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201702; rev:1;) alert tcp $HOME_NET any -> [38.64.199.3] 1234 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201703; rev:1;) alert tcp $HOME_NET any -> [62.213.67.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201704; rev:1;) alert tcp $HOME_NET any -> [64.76.19.251] 4243 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201705; rev:1;) alert tcp $HOME_NET any -> [82.146.46.31] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201706; rev:1;) alert tcp $HOME_NET any -> [185.8.62.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201707; rev:1;) alert tcp $HOME_NET any -> [118.98.221.68] 448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201708; rev:1;) alert tcp $HOME_NET any -> [64.76.19.244] 1113 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201709; rev:1;) alert tcp $HOME_NET any -> [185.17.104.4] 1234 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201710; rev:1;) alert tcp $HOME_NET any -> [5.152.201.19] 4331 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201711; rev:1;) alert tcp $HOME_NET any -> [210.65.11.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201712; rev:1;) alert tcp $HOME_NET any -> [130.255.55.6] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201713; rev:1;) alert tcp $HOME_NET any -> [46.173.81.51] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201714; rev:1;) alert tcp $HOME_NET any -> [188.166.224.251] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201715; rev:1;) alert tcp $HOME_NET any -> [98.116.11.226] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201716; rev:1;) alert tcp $HOME_NET any -> [188.0.85.176] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201717; rev:1;) alert tcp $HOME_NET any -> [178.93.115.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201718; rev:1;) alert tcp $HOME_NET any -> [87.117.242.31] 4843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201719; rev:1;) alert tcp $HOME_NET any -> [185.22.65.92] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201720; rev:1;) alert tcp $HOME_NET any -> [82.146.60.196] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201721; rev:1;) alert tcp $HOME_NET any -> [188.93.239.28] 4843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201722; rev:1;) alert tcp $HOME_NET any -> [31.148.99.44] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201723; rev:1;) alert tcp $HOME_NET any -> [188.227.19.223] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201724; rev:1;) alert tcp $HOME_NET any -> [5.152.201.26] 4843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201725; rev:1;) alert tcp $HOME_NET any -> [47.88.191.14] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201726; rev:1;) alert tcp $HOME_NET any -> [38.64.199.33] 4843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201727; rev:1;) alert tcp $HOME_NET any -> [64.147.192.68] 4043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201728; rev:1;) alert tcp $HOME_NET any -> [93.104.211.103] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201729; rev:1;) alert tcp $HOME_NET any -> [206.54.170.89] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201730; rev:1;) alert tcp $HOME_NET any -> [213.154.202.88] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201731; rev:1;) alert tcp $HOME_NET any -> [80.252.253.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201732; rev:1;) alert tcp $HOME_NET any -> [91.216.245.35] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201733; rev:1;) alert tcp $HOME_NET any -> [154.120.229.44] 4043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201734; rev:1;) alert tcp $HOME_NET any -> [193.28.179.151] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201735; rev:1;) alert tcp $HOME_NET any -> [38.64.199.113] 1943 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201736; rev:1;) alert tcp $HOME_NET any -> [162.252.175.208] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201737; rev:1;) alert tcp $HOME_NET any -> [71.46.208.93] 1943 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201738; rev:1;) alert tcp $HOME_NET any -> [94.8.36.110] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201739; rev:1;) alert tcp $HOME_NET any -> [74.122.198.116] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201740; rev:1;) alert tcp $HOME_NET any -> [198.167.140.64] 4043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201741; rev:1;) alert tcp $HOME_NET any -> [93.82.193.162] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201742; rev:1;) alert tcp $HOME_NET any -> [50.3.24.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201743; rev:1;) alert tcp $HOME_NET any -> [5.199.129.253] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201744; rev:1;) alert tcp $HOME_NET any -> [91.219.28.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201745; rev:1;) alert tcp $HOME_NET any -> [185.15.208.200] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201746; rev:1;) alert tcp $HOME_NET any -> [185.8.60.34] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201747; rev:1;) alert tcp $HOME_NET any -> [188.227.19.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201748; rev:1;) alert tcp $HOME_NET any -> [82.146.32.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201749; rev:1;) alert tcp $HOME_NET any -> [87.117.242.13] 4331 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201750; rev:1;) alert tcp $HOME_NET any -> [69.15.194.26] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201751; rev:1;) alert tcp $HOME_NET any -> [70.164.127.132] 2443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201752; rev:1;) alert tcp $HOME_NET any -> [199.193.250.105] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201753; rev:1;) alert tcp $HOME_NET any -> [185.117.88.112] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201754; rev:1;) alert tcp $HOME_NET any -> [167.114.24.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201755; rev:1;) alert tcp $HOME_NET any -> [188.138.71.62] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201756; rev:1;) alert tcp $HOME_NET any -> [191.101.251.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201757; rev:1;) alert tcp $HOME_NET any -> [191.101.251.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201758; rev:1;) alert tcp $HOME_NET any -> [185.15.208.215] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201759; rev:1;) alert tcp $HOME_NET any -> [198.144.184.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201760; rev:1;) alert tcp $HOME_NET any -> [185.106.121.66] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201761; rev:1;) alert tcp $HOME_NET any -> [158.255.6.223] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201762; rev:1;) alert tcp $HOME_NET any -> [86.106.93.60] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201763; rev:1;) alert tcp $HOME_NET any -> [195.169.147.88] 1943 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201764; rev:1;) alert tcp $HOME_NET any -> [93.174.126.37] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201765; rev:1;) alert tcp $HOME_NET any -> [209.58.184.213] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201766; rev:1;) alert tcp $HOME_NET any -> [192.52.167.201] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201767; rev:1;) alert tcp $HOME_NET any -> [37.46.131.147] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201768; rev:1;) alert tcp $HOME_NET any -> [93.115.201.103] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201769; rev:1;) alert tcp $HOME_NET any -> [5.230.208.16] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201770; rev:1;) alert tcp $HOME_NET any -> [192.169.6.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201771; rev:1;) alert tcp $HOME_NET any -> [176.121.14.120] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201772; rev:1;) alert tcp $HOME_NET any -> [37.220.3.132] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201773; rev:1;) alert tcp $HOME_NET any -> [5.187.5.204] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201774; rev:1;) alert tcp $HOME_NET any -> [138.128.125.153] 4033 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201775; rev:1;) alert tcp $HOME_NET any -> [103.245.153.65] 4033 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201776; rev:1;) alert tcp $HOME_NET any -> [162.219.29.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201777; rev:1;) alert tcp $HOME_NET any -> [45.32.152.165] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201778; rev:1;) alert tcp $HOME_NET any -> [168.235.89.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201779; rev:1;) alert tcp $HOME_NET any -> [23.249.1.171] 43443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201780; rev:1;) alert tcp $HOME_NET any -> [50.56.118.137] 4033 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201781; rev:1;) alert tcp $HOME_NET any -> [210.245.92.63] 4043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201782; rev:1;) alert tcp $HOME_NET any -> [192.157.251.239] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201783; rev:1;) alert tcp $HOME_NET any -> [5.200.35.126] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201784; rev:1;) alert tcp $HOME_NET any -> [109.68.190.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201785; rev:1;) alert tcp $HOME_NET any -> [204.44.102.217] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201786; rev:1;) alert tcp $HOME_NET any -> [178.33.167.120] 2443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201787; rev:1;) alert tcp $HOME_NET any -> [162.217.248.241] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201788; rev:1;) alert tcp $HOME_NET any -> [62.213.103.173] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201789; rev:1;) alert tcp $HOME_NET any -> [136.243.124.143] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201790; rev:1;) alert tcp $HOME_NET any -> [104.223.125.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201791; rev:1;) alert tcp $HOME_NET any -> [199.231.211.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201792; rev:1;) alert tcp $HOME_NET any -> [193.90.12.220] 8043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201793; rev:1;) alert tcp $HOME_NET any -> [96.57.23.154] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201794; rev:1;) alert tcp $HOME_NET any -> [194.116.73.71] 4033 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201795; rev:1;) alert tcp $HOME_NET any -> [193.90.12.221] 8043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201796; rev:1;) alert tcp $HOME_NET any -> [192.157.251.245] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201797; rev:1;) alert tcp $HOME_NET any -> [31.41.44.119] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201798; rev:1;) alert tcp $HOME_NET any -> [95.183.53.68] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201799; rev:1;) alert tcp $HOME_NET any -> [200.159.128.144] 2443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201800; rev:1;) alert tcp $HOME_NET any -> [185.118.166.112] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201801; rev:1;) alert tcp $HOME_NET any -> [186.250.48.10] 10443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201802; rev:1;) alert tcp $HOME_NET any -> [23.105.71.119] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201803; rev:1;) alert tcp $HOME_NET any -> [176.9.113.216] 8043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201804; rev:1;) alert tcp $HOME_NET any -> [198.105.117.128] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201805; rev:1;) alert tcp $HOME_NET any -> [185.117.119.169] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201806; rev:1;) alert tcp $HOME_NET any -> [199.68.198.132] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201807; rev:1;) alert tcp $HOME_NET any -> [45.127.92.175] 40443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201808; rev:1;) alert tcp $HOME_NET any -> [103.245.153.154] 4033 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201809; rev:1;) alert tcp $HOME_NET any -> [176.9.113.214] 8043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201810; rev:1;) alert tcp $HOME_NET any -> [80.82.64.200] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201811; rev:1;) alert tcp $HOME_NET any -> [192.157.251.54] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201812; rev:1;) alert tcp $HOME_NET any -> [103.245.153.151] 4033 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201813; rev:1;) alert tcp $HOME_NET any -> [46.183.165.191] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201814; rev:1;) alert tcp $HOME_NET any -> [213.192.1.171] 40443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201815; rev:1;) alert tcp $HOME_NET any -> [104.152.188.24] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201816; rev:1;) alert tcp $HOME_NET any -> [185.82.202.100] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201817; rev:1;) alert tcp $HOME_NET any -> [125.212.205.209] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201818; rev:1;) alert tcp $HOME_NET any -> [192.52.167.210] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201819; rev:1;) alert tcp $HOME_NET any -> [192.241.252.152] 4343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201820; rev:1;) alert tcp $HOME_NET any -> [104.131.50.79] 4343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201821; rev:1;) alert tcp $HOME_NET any -> [217.64.100.34] 4033 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201822; rev:1;) alert tcp $HOME_NET any -> [182.23.64.182] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Shylock C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201823; rev:1;) alert tcp $HOME_NET any -> [162.251.84.219] 4343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201824; rev:1;) alert tcp $HOME_NET any -> [188.227.72.203] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201825; rev:1;) alert tcp $HOME_NET any -> [104.152.188.33] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201826; rev:1;) alert tcp $HOME_NET any -> [85.143.218.41] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201827; rev:1;) alert tcp $HOME_NET any -> [125.212.205.196] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201828; rev:1;) alert tcp $HOME_NET any -> [46.249.199.87] 4343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201829; rev:1;) alert tcp $HOME_NET any -> [103.230.189.210] 4343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201830; rev:1;) alert tcp $HOME_NET any -> [23.88.239.220] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201831; rev:1;) alert tcp $HOME_NET any -> [118.193.237.233] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201832; rev:1;) alert tcp $HOME_NET any -> [24.199.222.250] 4343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201833; rev:1;) alert tcp $HOME_NET any -> [188.120.253.193] 40443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201834; rev:1;) alert tcp $HOME_NET any -> [104.37.169.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201835; rev:1;) alert tcp $HOME_NET any -> [185.106.120.52] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201836; rev:1;) alert tcp $HOME_NET any -> [160.16.69.29] 11443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201837; rev:1;) alert tcp $HOME_NET any -> [198.12.81.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201838; rev:1;) alert tcp $HOME_NET any -> [87.106.19.38] 4343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201839; rev:1;) alert tcp $HOME_NET any -> [162.244.67.31] 4343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201840; rev:1;) alert tcp $HOME_NET any -> [1.55.227.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201841; rev:1;) alert tcp $HOME_NET any -> [94.76.233.152] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201842; rev:1;) alert tcp $HOME_NET any -> [95.183.52.215] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201843; rev:1;) alert tcp $HOME_NET any -> [89.32.40.220] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201844; rev:1;) alert tcp $HOME_NET any -> [1.54.70.28] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201845; rev:1;) alert tcp $HOME_NET any -> [117.7.135.67] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201846; rev:1;) alert tcp $HOME_NET any -> [62.218.147.233] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely DiamondFox C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201847; rev:1;) alert tcp $HOME_NET any -> [68.238.148.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201848; rev:1;) alert tcp $HOME_NET any -> [165.255.99.44] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201849; rev:1;) alert tcp $HOME_NET any -> [178.183.120.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201850; rev:1;) alert tcp $HOME_NET any -> [95.215.44.84] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201851; rev:1;) alert tcp $HOME_NET any -> [81.4.125.138] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201852; rev:1;) alert tcp $HOME_NET any -> [201.73.230.19] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201853; rev:1;) alert tcp $HOME_NET any -> [148.100.111.208] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201854; rev:1;) alert tcp $HOME_NET any -> [198.199.112.190] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201855; rev:1;) alert tcp $HOME_NET any -> [95.163.127.146] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201856; rev:1;) alert tcp $HOME_NET any -> [173.27.216.49] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201857; rev:1;) alert tcp $HOME_NET any -> [27.74.41.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201858; rev:1;) alert tcp $HOME_NET any -> [188.127.231.237] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201859; rev:1;) alert tcp $HOME_NET any -> [185.118.142.116] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201860; rev:1;) alert tcp $HOME_NET any -> [80.88.89.222] 11443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201861; rev:1;) alert tcp $HOME_NET any -> [62.213.100.149] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201862; rev:1;) alert tcp $HOME_NET any -> [173.27.216.49] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201863; rev:1;) alert tcp $HOME_NET any -> [162.246.61.100] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201864; rev:1;) alert tcp $HOME_NET any -> [93.158.212.61] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201865; rev:1;) alert tcp $HOME_NET any -> [185.141.25.31] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201866; rev:1;) alert tcp $HOME_NET any -> [87.106.173.115] 11443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201867; rev:1;) alert tcp $HOME_NET any -> [195.169.147.26] 4843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201868; rev:1;) alert tcp $HOME_NET any -> [84.200.17.38] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201869; rev:1;) alert tcp $HOME_NET any -> [94.102.49.236] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201870; rev:1;) alert tcp $HOME_NET any -> [173.14.220.253] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201871; rev:1;) alert tcp $HOME_NET any -> [104.193.252.157] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201872; rev:1;) alert tcp $HOME_NET any -> [87.98.242.115] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201873; rev:1;) alert tcp $HOME_NET any -> [185.141.27.205] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201874; rev:1;) alert tcp $HOME_NET any -> [198.2.254.188] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201875; rev:1;) alert tcp $HOME_NET any -> [92.222.204.59] 11443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201876; rev:1;) alert tcp $HOME_NET any -> [176.31.126.53] 11443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201877; rev:1;) alert tcp $HOME_NET any -> [199.231.211.222] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201878; rev:1;) alert tcp $HOME_NET any -> [116.118.28.229] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201879; rev:1;) alert tcp $HOME_NET any -> [68.238.148.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201880; rev:1;) alert tcp $HOME_NET any -> [69.14.43.154] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201881; rev:1;) alert tcp $HOME_NET any -> [216.137.226.64] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201882; rev:1;) alert tcp $HOME_NET any -> [91.134.226.39] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201883; rev:1;) alert tcp $HOME_NET any -> [69.76.172.101] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201884; rev:1;) alert tcp $HOME_NET any -> [70.31.34.200] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201885; rev:1;) alert tcp $HOME_NET any -> [94.156.77.40] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201886; rev:1;) alert tcp $HOME_NET any -> [212.109.221.120] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201887; rev:1;) alert tcp $HOME_NET any -> [64.237.220.215] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201888; rev:1;) alert tcp $HOME_NET any -> [97.78.250.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201889; rev:1;) alert tcp $HOME_NET any -> [24.158.5.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201890; rev:1;) alert tcp $HOME_NET any -> [24.46.43.61] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201891; rev:1;) alert tcp $HOME_NET any -> [85.17.155.148] 1234 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201892; rev:1;) alert tcp $HOME_NET any -> [121.223.163.197] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201893; rev:1;) alert tcp $HOME_NET any -> [95.183.52.148] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201894; rev:1;) alert tcp $HOME_NET any -> [172.98.74.191] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201895; rev:1;) alert tcp $HOME_NET any -> [109.234.36.75] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201896; rev:1;) alert tcp $HOME_NET any -> [95.215.46.163] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201897; rev:1;) alert tcp $HOME_NET any -> [180.189.206.17] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201898; rev:1;) alert tcp $HOME_NET any -> [50.62.40.241] 11443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201899; rev:1;) alert tcp $HOME_NET any -> [91.215.154.178] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201900; rev:1;) alert tcp $HOME_NET any -> [112.166.103.245] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201901; rev:1;) alert tcp $HOME_NET any -> [171.4.58.50] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201902; rev:1;) alert tcp $HOME_NET any -> [78.46.160.67] 11443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201903; rev:1;) alert tcp $HOME_NET any -> [89.43.60.122] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201904; rev:1;) alert tcp $HOME_NET any -> [193.238.59.90] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201905; rev:1;) alert tcp $HOME_NET any -> [80.82.79.95] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201906; rev:1;) alert tcp $HOME_NET any -> [185.109.144.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201907; rev:1;) alert tcp $HOME_NET any -> [85.204.49.106] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201908; rev:1;) alert tcp $HOME_NET any -> [115.115.192.245] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201909; rev:1;) alert tcp $HOME_NET any -> [107.172.41.79] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201910; rev:1;) alert tcp $HOME_NET any -> [105.224.196.209] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201911; rev:1;) alert tcp $HOME_NET any -> [212.92.97.33] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201912; rev:1;) alert tcp $HOME_NET any -> [195.154.47.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201913; rev:1;) alert tcp $HOME_NET any -> [80.87.197.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201914; rev:1;) alert tcp $HOME_NET any -> [185.45.192.106] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201915; rev:1;) alert tcp $HOME_NET any -> [115.76.205.33] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201916; rev:1;) alert tcp $HOME_NET any -> [77.246.159.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201917; rev:1;) alert tcp $HOME_NET any -> [5.39.34.152] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201918; rev:1;) alert tcp $HOME_NET any -> [75.136.11.219] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201919; rev:1;) alert tcp $HOME_NET any -> [93.115.10.203] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201920; rev:1;) alert tcp $HOME_NET any -> [173.61.183.100] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201921; rev:1;) alert tcp $HOME_NET any -> [68.191.126.222] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201922; rev:1;) alert tcp $HOME_NET any -> [203.162.81.247] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201923; rev:1;) alert tcp $HOME_NET any -> [113.186.80.2] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201924; rev:1;) alert tcp $HOME_NET any -> [93.170.253.84] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201925; rev:1;) alert tcp $HOME_NET any -> [23.234.26.210] 5658 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201926; rev:1;) alert tcp $HOME_NET any -> [134.255.221.192] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201927; rev:1;) alert tcp $HOME_NET any -> [140.113.214.68] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201928; rev:1;) alert tcp $HOME_NET any -> [176.126.68.81] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201929; rev:1;) alert tcp $HOME_NET any -> [120.145.53.93] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201930; rev:1;) alert tcp $HOME_NET any -> [217.162.92.99] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201931; rev:1;) alert tcp $HOME_NET any -> [199.193.6.102] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201932; rev:1;) alert tcp $HOME_NET any -> [149.62.173.22] 12443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201933; rev:1;) alert tcp $HOME_NET any -> [85.25.177.206] 11443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201934; rev:1;) alert tcp $HOME_NET any -> [70.31.32.129] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201935; rev:1;) alert tcp $HOME_NET any -> [90.125.147.234] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201936; rev:1;) alert tcp $HOME_NET any -> [67.10.229.104] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201937; rev:1;) alert tcp $HOME_NET any -> [50.109.232.44] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201938; rev:1;) alert tcp $HOME_NET any -> [58.187.217.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201939; rev:1;) alert tcp $HOME_NET any -> [52.67.39.104] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201940; rev:1;) alert tcp $HOME_NET any -> [112.217.178.26] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201941; rev:1;) alert tcp $HOME_NET any -> [176.56.236.91] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201942; rev:1;) alert tcp $HOME_NET any -> [172.91.160.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201943; rev:1;) alert tcp $HOME_NET any -> [107.170.132.24] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201944; rev:1;) alert tcp $HOME_NET any -> [68.101.225.113] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201945; rev:1;) alert tcp $HOME_NET any -> [24.88.123.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201946; rev:1;) alert tcp $HOME_NET any -> [115.76.170.211] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201947; rev:1;) alert tcp $HOME_NET any -> [191.101.22.50] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201948; rev:1;) alert tcp $HOME_NET any -> [119.59.124.163] 40443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201949; rev:1;) alert tcp $HOME_NET any -> [172.245.57.174] 2448 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201950; rev:1;) alert tcp $HOME_NET any -> [24.172.94.180] 4113 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201951; rev:1;) alert tcp $HOME_NET any -> [188.138.69.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201952; rev:1;) alert tcp $HOME_NET any -> [188.225.39.2] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201953; rev:1;) alert tcp $HOME_NET any -> [190.14.38.157] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201954; rev:1;) alert tcp $HOME_NET any -> [89.33.246.92] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201955; rev:1;) alert tcp $HOME_NET any -> [65.23.222.222] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201956; rev:1;) alert tcp $HOME_NET any -> [194.67.201.123] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely H1N1 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201957; rev:1;) alert tcp $HOME_NET any -> [45.40.142.185] 2443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201958; rev:1;) alert tcp $HOME_NET any -> [216.59.21.40] 41443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201959; rev:1;) alert tcp $HOME_NET any -> [78.47.93.16] 13443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201960; rev:1;) alert tcp $HOME_NET any -> [62.76.103.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201961; rev:1;) alert tcp $HOME_NET any -> [92.63.100.227] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201962; rev:1;) alert tcp $HOME_NET any -> [184.75.209.98] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201963; rev:1;) alert tcp $HOME_NET any -> [5.64.243.30] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201964; rev:1;) alert tcp $HOME_NET any -> [59.144.17.122] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201965; rev:1;) alert tcp $HOME_NET any -> [164.132.15.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201966; rev:1;) alert tcp $HOME_NET any -> [113.162.5.179] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201967; rev:1;) alert tcp $HOME_NET any -> [194.31.59.40] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201968; rev:1;) alert tcp $HOME_NET any -> [141.10.91.35] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201969; rev:1;) alert tcp $HOME_NET any -> [66.50.43.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201970; rev:1;) alert tcp $HOME_NET any -> [24.239.157.31] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201971; rev:1;) alert tcp $HOME_NET any -> [77.42.157.2] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201972; rev:1;) alert tcp $HOME_NET any -> [46.105.151.247] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201973; rev:1;) alert tcp $HOME_NET any -> [212.47.223.189] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201974; rev:1;) alert tcp $HOME_NET any -> [95.183.51.24] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201975; rev:1;) alert tcp $HOME_NET any -> [23.229.54.99] 13443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201976; rev:1;) alert tcp $HOME_NET any -> [70.32.97.158] 13443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201977; rev:1;) alert tcp $HOME_NET any -> [51.255.69.127] 13443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201978; rev:1;) alert tcp $HOME_NET any -> [5.1.80.127] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201979; rev:1;) alert tcp $HOME_NET any -> [117.169.20.208] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201980; rev:1;) alert tcp $HOME_NET any -> [212.231.129.194] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201981; rev:1;) alert tcp $HOME_NET any -> [112.20.178.110] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201982; rev:1;) alert tcp $HOME_NET any -> [107.181.19.88] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201983; rev:1;) alert tcp $HOME_NET any -> [144.208.127.112] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201984; rev:1;) alert tcp $HOME_NET any -> [108.21.203.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201985; rev:1;) alert tcp $HOME_NET any -> [193.0.178.28] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201986; rev:1;) alert tcp $HOME_NET any -> [5.79.96.37] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201987; rev:1;) alert tcp $HOME_NET any -> [152.170.237.47] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201988; rev:1;) alert tcp $HOME_NET any -> [185.141.27.159] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201989; rev:1;) alert tcp $HOME_NET any -> [81.177.22.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201990; rev:1;) alert tcp $HOME_NET any -> [31.200.247.82] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201991; rev:1;) alert tcp $HOME_NET any -> [188.241.116.163] 11443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201992; rev:1;) alert tcp $HOME_NET any -> [78.47.158.131] 13443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201993; rev:1;) alert tcp $HOME_NET any -> [176.31.75.101] 13443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201994; rev:1;) alert tcp $HOME_NET any -> [66.147.107.178] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201995; rev:1;) alert tcp $HOME_NET any -> [115.124.125.19] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201996; rev:1;) alert tcp $HOME_NET any -> [91.121.65.64] 41443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201997; rev:1;) alert tcp $HOME_NET any -> [202.143.148.163] 4113 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201998; rev:1;) alert tcp $HOME_NET any -> [91.219.28.77] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903201999; rev:1;) alert tcp $HOME_NET any -> [192.169.7.193] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202000; rev:1;) alert tcp $HOME_NET any -> [115.90.71.164] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202001; rev:1;) alert tcp $HOME_NET any -> [27.93.201.99] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202002; rev:1;) alert tcp $HOME_NET any -> [62.76.184.225] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202003; rev:1;) alert tcp $HOME_NET any -> [94.156.35.57] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202004; rev:1;) alert tcp $HOME_NET any -> [97.78.250.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202005; rev:1;) alert tcp $HOME_NET any -> [188.209.52.101] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202006; rev:1;) alert tcp $HOME_NET any -> [37.220.3.149] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202007; rev:1;) alert tcp $HOME_NET any -> [23.110.85.211] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202008; rev:1;) alert tcp $HOME_NET any -> [212.129.46.156] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202009; rev:1;) alert tcp $HOME_NET any -> [70.30.105.231] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202010; rev:1;) alert tcp $HOME_NET any -> [70.31.61.115] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202011; rev:1;) alert tcp $HOME_NET any -> [158.255.215.61] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202012; rev:1;) alert tcp $HOME_NET any -> [104.171.123.15] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202013; rev:1;) alert tcp $HOME_NET any -> [86.105.18.30] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202014; rev:1;) alert tcp $HOME_NET any -> [185.36.102.35] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202015; rev:1;) alert tcp $HOME_NET any -> [95.175.110.130] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Downloader.Pony C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202016; rev:1;) alert tcp $HOME_NET any -> [185.106.120.104] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202017; rev:1;) alert tcp $HOME_NET any -> [164.132.221.157] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202018; rev:1;) alert tcp $HOME_NET any -> [194.1.238.45] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202019; rev:1;) alert tcp $HOME_NET any -> [217.125.140.215] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202020; rev:1;) alert tcp $HOME_NET any -> [172.246.126.156] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202021; rev:1;) alert tcp $HOME_NET any -> [23.249.164.126] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202022; rev:1;) alert tcp $HOME_NET any -> [185.93.185.5] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202023; rev:1;) alert tcp $HOME_NET any -> [31.44.189.100] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202024; rev:1;) alert tcp $HOME_NET any -> [41.231.53.156] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202025; rev:1;) alert tcp $HOME_NET any -> [94.156.35.71] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202026; rev:1;) alert tcp $HOME_NET any -> [165.246.35.197] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202027; rev:1;) alert tcp $HOME_NET any -> [109.203.117.155] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202028; rev:1;) alert tcp $HOME_NET any -> [201.238.232.46] 3443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202029; rev:1;) alert tcp $HOME_NET any -> [205.186.154.79] 13443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202030; rev:1;) alert tcp $HOME_NET any -> [104.153.0.227] 18443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202031; rev:1;) alert tcp $HOME_NET any -> [185.26.114.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202032; rev:1;) alert tcp $HOME_NET any -> [91.92.198.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202033; rev:1;) alert tcp $HOME_NET any -> [93.189.43.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202034; rev:1;) alert tcp $HOME_NET any -> [77.246.149.85] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202035; rev:1;) alert tcp $HOME_NET any -> [194.58.122.128] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202036; rev:1;) alert tcp $HOME_NET any -> [202.7.59.171] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202037; rev:1;) alert tcp $HOME_NET any -> [137.74.175.83] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202038; rev:1;) alert tcp $HOME_NET any -> [81.177.26.146] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202039; rev:1;) alert tcp $HOME_NET any -> [37.48.90.100] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202040; rev:1;) alert tcp $HOME_NET any -> [91.203.5.144] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202041; rev:1;) alert tcp $HOME_NET any -> [83.243.40.81] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202042; rev:1;) alert tcp $HOME_NET any -> [80.42.164.216] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202043; rev:1;) alert tcp $HOME_NET any -> [5.157.38.50] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202044; rev:1;) alert tcp $HOME_NET any -> [109.120.169.94] 18443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202045; rev:1;) alert tcp $HOME_NET any -> [5.63.152.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202046; rev:1;) alert tcp $HOME_NET any -> [37.230.115.205] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202047; rev:1;) alert tcp $HOME_NET any -> [185.14.28.107] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202048; rev:1;) alert tcp $HOME_NET any -> [188.120.243.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202049; rev:1;) alert tcp $HOME_NET any -> [185.40.152.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202050; rev:1;) alert tcp $HOME_NET any -> [86.105.18.173] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202051; rev:1;) alert tcp $HOME_NET any -> [206.221.181.20] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202052; rev:1;) alert tcp $HOME_NET any -> [194.67.209.108] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202053; rev:1;) alert tcp $HOME_NET any -> [217.29.58.167] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202054; rev:1;) alert tcp $HOME_NET any -> [185.46.8.214] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Hancitor C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202055; rev:1;) alert tcp $HOME_NET any -> [23.152.0.210] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202056; rev:1;) alert tcp $HOME_NET any -> [104.131.35.60] 18443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202057; rev:1;) alert tcp $HOME_NET any -> [199.19.105.103] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202058; rev:1;) alert tcp $HOME_NET any -> [185.22.65.47] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202059; rev:1;) alert tcp $HOME_NET any -> [91.215.154.221] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202060; rev:1;) alert tcp $HOME_NET any -> [93.189.40.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202061; rev:1;) alert tcp $HOME_NET any -> [122.252.225.133] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202062; rev:1;) alert tcp $HOME_NET any -> [60.162.195.203] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202063; rev:1;) alert tcp $HOME_NET any -> [5.79.96.33] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202064; rev:1;) alert tcp $HOME_NET any -> [200.54.180.101] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202065; rev:1;) alert tcp $HOME_NET any -> [105.227.251.219] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202066; rev:1;) alert tcp $HOME_NET any -> [2.107.220.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202067; rev:1;) alert tcp $HOME_NET any -> [207.58.163.118] 4434 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202068; rev:1;) alert tcp $HOME_NET any -> [37.59.8.81] 18443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202069; rev:1;) alert tcp $HOME_NET any -> [188.166.10.125] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202070; rev:1;) alert tcp $HOME_NET any -> [91.235.129.178] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202071; rev:1;) alert tcp $HOME_NET any -> [85.143.166.99] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202072; rev:1;) alert tcp $HOME_NET any -> [146.185.254.35] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202073; rev:1;) alert tcp $HOME_NET any -> [62.75.195.103] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202074; rev:1;) alert tcp $HOME_NET any -> [24.181.57.181] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202075; rev:1;) alert tcp $HOME_NET any -> [80.79.114.179] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202076; rev:1;) alert tcp $HOME_NET any -> [93.158.203.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202077; rev:1;) alert tcp $HOME_NET any -> [210.172.213.117] 18443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202078; rev:1;) alert tcp $HOME_NET any -> [87.98.132.57] 18443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202079; rev:1;) alert tcp $HOME_NET any -> [85.214.207.16] 18443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202080; rev:1;) alert tcp $HOME_NET any -> [109.234.38.4] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202081; rev:1;) alert tcp $HOME_NET any -> [5.1.75.220] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202082; rev:1;) alert tcp $HOME_NET any -> [75.134.205.120] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202083; rev:1;) alert tcp $HOME_NET any -> [101.51.30.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202084; rev:1;) alert tcp $HOME_NET any -> [37.221.210.196] 4434 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202085; rev:1;) alert tcp $HOME_NET any -> [198.61.220.159] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202086; rev:1;) alert tcp $HOME_NET any -> [180.183.141.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202087; rev:1;) alert tcp $HOME_NET any -> [198.98.112.144] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202088; rev:1;) alert tcp $HOME_NET any -> [120.114.184.49] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202089; rev:1;) alert tcp $HOME_NET any -> [2.107.189.230] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202090; rev:1;) alert tcp $HOME_NET any -> [120.150.250.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202091; rev:1;) alert tcp $HOME_NET any -> [188.2.247.31] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202092; rev:1;) alert tcp $HOME_NET any -> [95.46.99.149] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202093; rev:1;) alert tcp $HOME_NET any -> [70.21.194.174] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202094; rev:1;) alert tcp $HOME_NET any -> [200.52.135.131] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202095; rev:1;) alert tcp $HOME_NET any -> [91.219.31.12] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202096; rev:1;) alert tcp $HOME_NET any -> [77.20.137.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202097; rev:1;) alert tcp $HOME_NET any -> [185.141.27.222] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202098; rev:1;) alert tcp $HOME_NET any -> [176.15.44.120] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202099; rev:1;) alert tcp $HOME_NET any -> [74.138.174.182] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202100; rev:1;) alert tcp $HOME_NET any -> [185.26.120.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202101; rev:1;) alert tcp $HOME_NET any -> [216.126.225.149] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202102; rev:1;) alert tcp $HOME_NET any -> [109.104.92.167] 13443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202103; rev:1;) alert tcp $HOME_NET any -> [85.143.213.16] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202104; rev:1;) alert tcp $HOME_NET any -> [66.85.27.108] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202105; rev:1;) alert tcp $HOME_NET any -> [95.46.99.21] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202106; rev:1;) alert tcp $HOME_NET any -> [37.46.128.233] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202107; rev:1;) alert tcp $HOME_NET any -> [86.98.46.164] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202108; rev:1;) alert tcp $HOME_NET any -> [91.227.18.22] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202109; rev:1;) alert tcp $HOME_NET any -> [84.76.246.49] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202110; rev:1;) alert tcp $HOME_NET any -> [148.251.222.143] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202111; rev:1;) alert tcp $HOME_NET any -> [178.21.14.193] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202112; rev:1;) alert tcp $HOME_NET any -> [192.157.241.136] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202113; rev:1;) alert tcp $HOME_NET any -> [95.46.98.89] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202114; rev:1;) alert tcp $HOME_NET any -> [178.250.244.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202115; rev:1;) alert tcp $HOME_NET any -> [50.57.75.172] 53443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202116; rev:1;) alert tcp $HOME_NET any -> [130.88.149.87] 53443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202117; rev:1;) alert tcp $HOME_NET any -> [198.101.12.57] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202118; rev:1;) alert tcp $HOME_NET any -> [95.47.161.41] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202119; rev:1;) alert tcp $HOME_NET any -> [185.117.75.53] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202120; rev:1;) alert tcp $HOME_NET any -> [45.51.17.196] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202121; rev:1;) alert tcp $HOME_NET any -> [204.145.94.123] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202122; rev:1;) alert tcp $HOME_NET any -> [185.158.152.179] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202123; rev:1;) alert tcp $HOME_NET any -> [137.74.199.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202124; rev:1;) alert tcp $HOME_NET any -> [93.171.202.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202125; rev:1;) alert tcp $HOME_NET any -> [81.177.13.242] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202126; rev:1;) alert tcp $HOME_NET any -> [107.191.119.162] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202127; rev:1;) alert tcp $HOME_NET any -> [24.217.71.115] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202128; rev:1;) alert tcp $HOME_NET any -> [186.176.140.17] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202129; rev:1;) alert tcp $HOME_NET any -> [109.234.38.37] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202130; rev:1;) alert tcp $HOME_NET any -> [51.255.157.186] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202131; rev:1;) alert tcp $HOME_NET any -> [45.124.51.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202132; rev:1;) alert tcp $HOME_NET any -> [151.237.6.68] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202133; rev:1;) alert tcp $HOME_NET any -> [185.80.53.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202134; rev:1;) alert tcp $HOME_NET any -> [185.82.216.58] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202135; rev:1;) alert tcp $HOME_NET any -> [74.50.56.162] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202136; rev:1;) alert tcp $HOME_NET any -> [61.252.138.115] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202137; rev:1;) alert tcp $HOME_NET any -> [78.108.87.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202138; rev:1;) alert tcp $HOME_NET any -> [188.246.91.173] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202139; rev:1;) alert tcp $HOME_NET any -> [190.161.133.235] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202140; rev:1;) alert tcp $HOME_NET any -> [62.75.195.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202141; rev:1;) alert tcp $HOME_NET any -> [43.239.221.51] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202142; rev:1;) alert tcp $HOME_NET any -> [92.222.251.251] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202143; rev:1;) alert tcp $HOME_NET any -> [31.220.56.32] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202144; rev:1;) alert tcp $HOME_NET any -> [62.108.36.240] 53443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202145; rev:1;) alert tcp $HOME_NET any -> [132.248.49.100] 53443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202146; rev:1;) alert tcp $HOME_NET any -> [148.251.46.169] 53443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202147; rev:1;) alert tcp $HOME_NET any -> [45.32.157.168] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202148; rev:1;) alert tcp $HOME_NET any -> [85.17.82.104] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202149; rev:1;) alert tcp $HOME_NET any -> [195.28.183.57] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202150; rev:1;) alert tcp $HOME_NET any -> [185.15.208.195] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202151; rev:1;) alert tcp $HOME_NET any -> [23.253.210.81] 53443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202152; rev:1;) alert tcp $HOME_NET any -> [212.116.113.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202153; rev:1;) alert tcp $HOME_NET any -> [91.200.14.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202154; rev:1;) alert tcp $HOME_NET any -> [37.48.106.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202155; rev:1;) alert tcp $HOME_NET any -> [31.43.41.51] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202156; rev:1;) alert tcp $HOME_NET any -> [91.221.37.164] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202157; rev:1;) alert tcp $HOME_NET any -> [173.89.28.70] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202158; rev:1;) alert tcp $HOME_NET any -> [79.110.251.102] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202159; rev:1;) alert tcp $HOME_NET any -> [88.214.207.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202160; rev:1;) alert tcp $HOME_NET any -> [185.118.166.73] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202161; rev:1;) alert tcp $HOME_NET any -> [185.155.96.110] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202162; rev:1;) alert tcp $HOME_NET any -> [85.143.209.126] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202163; rev:1;) alert tcp $HOME_NET any -> [95.213.139.101] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202164; rev:1;) alert tcp $HOME_NET any -> [195.123.209.94] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202165; rev:1;) alert tcp $HOME_NET any -> [91.240.87.25] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202166; rev:1;) alert tcp $HOME_NET any -> [46.38.52.233] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202167; rev:1;) alert tcp $HOME_NET any -> [185.48.56.220] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202168; rev:1;) alert tcp $HOME_NET any -> [52.77.110.77] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202169; rev:1;) alert tcp $HOME_NET any -> [92.63.111.178] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202170; rev:1;) alert tcp $HOME_NET any -> [31.184.233.105] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202171; rev:1;) alert tcp $HOME_NET any -> [185.26.120.70] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202172; rev:1;) alert tcp $HOME_NET any -> [185.40.152.22] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202173; rev:1;) alert tcp $HOME_NET any -> [189.49.185.126] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202174; rev:1;) alert tcp $HOME_NET any -> [91.220.131.174] 50007 (msg:"SSL Blacklist: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202175; rev:1;) alert tcp $HOME_NET any -> [78.155.217.154] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202176; rev:1;) alert tcp $HOME_NET any -> [194.1.236.149] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202177; rev:1;) alert tcp $HOME_NET any -> [185.153.198.34] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202178; rev:1;) alert tcp $HOME_NET any -> [5.39.47.12] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202179; rev:1;) alert tcp $HOME_NET any -> [96.9.244.115] 555 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202180; rev:1;) alert tcp $HOME_NET any -> [94.177.225.23] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202181; rev:1;) alert tcp $HOME_NET any -> [193.9.28.24] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202182; rev:1;) alert tcp $HOME_NET any -> [91.134.199.231] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202183; rev:1;) alert tcp $HOME_NET any -> [82.146.36.87] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202184; rev:1;) alert tcp $HOME_NET any -> [92.63.110.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202185; rev:1;) alert tcp $HOME_NET any -> [212.8.245.68] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202186; rev:1;) alert tcp $HOME_NET any -> [89.108.79.217] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202187; rev:1;) alert tcp $HOME_NET any -> [188.120.248.28] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202188; rev:1;) alert tcp $HOME_NET any -> [93.171.202.188] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202189; rev:1;) alert tcp $HOME_NET any -> [91.244.19.186] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202190; rev:1;) alert tcp $HOME_NET any -> [88.214.236.47] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202191; rev:1;) alert tcp $HOME_NET any -> [37.48.106.49] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202192; rev:1;) alert tcp $HOME_NET any -> [92.222.219.26] 53443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202193; rev:1;) alert tcp $HOME_NET any -> [103.199.16.56] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202194; rev:1;) alert tcp $HOME_NET any -> [190.123.45.112] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202195; rev:1;) alert tcp $HOME_NET any -> [189.1.172.49] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202196; rev:1;) alert tcp $HOME_NET any -> [89.108.76.212] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202197; rev:1;) alert tcp $HOME_NET any -> [138.201.69.137] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202198; rev:1;) alert tcp $HOME_NET any -> [23.94.93.109] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202199; rev:1;) alert tcp $HOME_NET any -> [2.176.118.127] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202200; rev:1;) alert tcp $HOME_NET any -> [178.149.68.20] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202201; rev:1;) alert tcp $HOME_NET any -> [82.77.104.71] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202202; rev:1;) alert tcp $HOME_NET any -> [182.72.222.14] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202203; rev:1;) alert tcp $HOME_NET any -> [110.164.205.225] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202204; rev:1;) alert tcp $HOME_NET any -> [46.229.58.234] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202205; rev:1;) alert tcp $HOME_NET any -> [198.20.239.21] 4453 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202206; rev:1;) alert tcp $HOME_NET any -> [46.101.10.156] 53443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202207; rev:1;) alert tcp $HOME_NET any -> [120.138.18.110] 53443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202208; rev:1;) alert tcp $HOME_NET any -> [78.153.149.52] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202209; rev:1;) alert tcp $HOME_NET any -> [149.154.71.223] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202210; rev:1;) alert tcp $HOME_NET any -> [91.121.238.200] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202211; rev:1;) alert tcp $HOME_NET any -> [83.220.174.41] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202212; rev:1;) alert tcp $HOME_NET any -> [192.3.111.51] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202213; rev:1;) alert tcp $HOME_NET any -> [187.199.114.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202214; rev:1;) alert tcp $HOME_NET any -> [185.106.122.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202215; rev:1;) alert tcp $HOME_NET any -> [83.217.11.179] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202216; rev:1;) alert tcp $HOME_NET any -> [105.228.99.40] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202217; rev:1;) alert tcp $HOME_NET any -> [193.28.179.153] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202218; rev:1;) alert tcp $HOME_NET any -> [46.161.40.101] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202219; rev:1;) alert tcp $HOME_NET any -> [88.212.220.119] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202220; rev:1;) alert tcp $HOME_NET any -> [77.246.145.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202221; rev:1;) alert tcp $HOME_NET any -> [162.243.47.192] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202222; rev:1;) alert tcp $HOME_NET any -> [210.2.86.72] 3443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202223; rev:1;) alert tcp $HOME_NET any -> [197.27.36.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202224; rev:1;) alert tcp $HOME_NET any -> [192.157.228.220] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202225; rev:1;) alert tcp $HOME_NET any -> [46.105.218.106] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202226; rev:1;) alert tcp $HOME_NET any -> [91.220.131.78] 50007 (msg:"SSL Blacklist: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202227; rev:1;) alert tcp $HOME_NET any -> [185.75.46.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202228; rev:1;) alert tcp $HOME_NET any -> [151.248.123.176] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Flokibot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202229; rev:1;) alert tcp $HOME_NET any -> [91.203.5.176] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202230; rev:1;) alert tcp $HOME_NET any -> [213.230.210.230] 53443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202231; rev:1;) alert tcp $HOME_NET any -> [23.108.245.93] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202232; rev:1;) alert tcp $HOME_NET any -> [43.225.58.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202233; rev:1;) alert tcp $HOME_NET any -> [188.120.248.192] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202234; rev:1;) alert tcp $HOME_NET any -> [109.248.32.176] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202235; rev:1;) alert tcp $HOME_NET any -> [167.114.248.76] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202236; rev:1;) alert tcp $HOME_NET any -> [31.222.167.245] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202237; rev:1;) alert tcp $HOME_NET any -> [31.184.196.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202238; rev:1;) alert tcp $HOME_NET any -> [85.17.82.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202239; rev:1;) alert tcp $HOME_NET any -> [146.185.254.45] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202240; rev:1;) alert tcp $HOME_NET any -> [185.36.102.51] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202241; rev:1;) alert tcp $HOME_NET any -> [91.107.109.154] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202242; rev:1;) alert tcp $HOME_NET any -> [185.82.202.173] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202243; rev:1;) alert tcp $HOME_NET any -> [185.51.246.38] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202244; rev:1;) alert tcp $HOME_NET any -> [91.230.60.201] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202245; rev:1;) alert tcp $HOME_NET any -> [96.9.244.114] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202246; rev:1;) alert tcp $HOME_NET any -> [93.189.43.99] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202247; rev:1;) alert tcp $HOME_NET any -> [185.117.73.207] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202248; rev:1;) alert tcp $HOME_NET any -> [91.240.84.90] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202249; rev:1;) alert tcp $HOME_NET any -> [87.236.215.21] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Sofacy C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202250; rev:1;) alert tcp $HOME_NET any -> [94.242.54.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202251; rev:1;) alert tcp $HOME_NET any -> [93.170.104.146] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202252; rev:1;) alert tcp $HOME_NET any -> [5.187.0.177] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202253; rev:1;) alert tcp $HOME_NET any -> [122.164.197.0] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202254; rev:1;) alert tcp $HOME_NET any -> [79.129.123.204] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202255; rev:1;) alert tcp $HOME_NET any -> [94.177.247.74] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202256; rev:1;) alert tcp $HOME_NET any -> [193.136.97.4] 13443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202257; rev:1;) alert tcp $HOME_NET any -> [93.122.165.54] 18443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202258; rev:1;) alert tcp $HOME_NET any -> [87.254.45.29] 40443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202259; rev:1;) alert tcp $HOME_NET any -> [76.69.91.161] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202260; rev:1;) alert tcp $HOME_NET any -> [78.8.109.89] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202261; rev:1;) alert tcp $HOME_NET any -> [96.9.244.10] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202262; rev:1;) alert tcp $HOME_NET any -> [62.76.189.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202263; rev:1;) alert tcp $HOME_NET any -> [94.23.169.75] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202264; rev:1;) alert tcp $HOME_NET any -> [62.109.13.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202265; rev:1;) alert tcp $HOME_NET any -> [62.109.13.25] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202266; rev:1;) alert tcp $HOME_NET any -> [54.235.86.173] 13443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202267; rev:1;) alert tcp $HOME_NET any -> [149.210.158.54] 53443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202268; rev:1;) alert tcp $HOME_NET any -> [137.74.194.227] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202269; rev:1;) alert tcp $HOME_NET any -> [82.146.32.87] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202270; rev:1;) alert tcp $HOME_NET any -> [83.20.96.160] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202271; rev:1;) alert tcp $HOME_NET any -> [116.100.211.197] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202272; rev:1;) alert tcp $HOME_NET any -> [81.177.13.236] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202273; rev:1;) alert tcp $HOME_NET any -> [193.107.111.164] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202274; rev:1;) alert tcp $HOME_NET any -> [185.125.32.118] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202275; rev:1;) alert tcp $HOME_NET any -> [166.78.144.68] 8343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202276; rev:1;) alert tcp $HOME_NET any -> [174.37.216.226] 8343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202277; rev:1;) alert tcp $HOME_NET any -> [188.126.72.179] 12443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202278; rev:1;) alert tcp $HOME_NET any -> [185.31.208.248] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202279; rev:1;) alert tcp $HOME_NET any -> [41.188.91.188] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202280; rev:1;) alert tcp $HOME_NET any -> [62.109.13.55] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202281; rev:1;) alert tcp $HOME_NET any -> [193.28.179.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202282; rev:1;) alert tcp $HOME_NET any -> [161.139.21.48] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202283; rev:1;) alert tcp $HOME_NET any -> [193.218.145.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202284; rev:1;) alert tcp $HOME_NET any -> [62.76.190.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202285; rev:1;) alert tcp $HOME_NET any -> [89.40.127.231] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Tuhkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202286; rev:1;) alert tcp $HOME_NET any -> [62.109.13.10] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202287; rev:1;) alert tcp $HOME_NET any -> [195.123.211.126] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202288; rev:1;) alert tcp $HOME_NET any -> [185.25.50.107] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202289; rev:1;) alert tcp $HOME_NET any -> [178.128.197.167] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202290; rev:1;) alert tcp $HOME_NET any -> [193.28.179.165] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202291; rev:1;) alert tcp $HOME_NET any -> [72.249.144.95] 8343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202292; rev:1;) alert tcp $HOME_NET any -> [188.214.179.241] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202293; rev:1;) alert tcp $HOME_NET any -> [146.120.110.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202294; rev:1;) alert tcp $HOME_NET any -> [37.1.213.189] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202295; rev:1;) alert tcp $HOME_NET any -> [77.246.158.191] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202296; rev:1;) alert tcp $HOME_NET any -> [71.228.17.79] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202297; rev:1;) alert tcp $HOME_NET any -> [89.46.73.127] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202298; rev:1;) alert tcp $HOME_NET any -> [185.15.208.238] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202299; rev:1;) alert tcp $HOME_NET any -> [83.220.168.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202300; rev:1;) alert tcp $HOME_NET any -> [146.148.124.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202301; rev:1;) alert tcp $HOME_NET any -> [104.223.21.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202302; rev:1;) alert tcp $HOME_NET any -> [178.159.38.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202303; rev:1;) alert tcp $HOME_NET any -> [91.134.123.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Flokibot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202304; rev:1;) alert tcp $HOME_NET any -> [185.25.50.12] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202305; rev:1;) alert tcp $HOME_NET any -> [185.17.120.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202306; rev:1;) alert tcp $HOME_NET any -> [2.89.220.124] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202307; rev:1;) alert tcp $HOME_NET any -> [185.62.189.83] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202308; rev:1;) alert tcp $HOME_NET any -> [87.98.163.119] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202309; rev:1;) alert tcp $HOME_NET any -> [62.109.12.173] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202310; rev:1;) alert tcp $HOME_NET any -> [192.189.25.142] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202311; rev:1;) alert tcp $HOME_NET any -> [107.171.180.198] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202312; rev:1;) alert tcp $HOME_NET any -> [185.141.25.220] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202313; rev:1;) alert tcp $HOME_NET any -> [88.246.171.125] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202314; rev:1;) alert tcp $HOME_NET any -> [36.37.176.6] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202315; rev:1;) alert tcp $HOME_NET any -> [77.246.144.227] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202316; rev:1;) alert tcp $HOME_NET any -> [195.133.144.94] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202317; rev:1;) alert tcp $HOME_NET any -> [62.109.6.44] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202318; rev:1;) alert tcp $HOME_NET any -> [184.18.128.137] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202319; rev:1;) alert tcp $HOME_NET any -> [198.24.151.214] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202320; rev:1;) alert tcp $HOME_NET any -> [89.40.124.71] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202321; rev:1;) alert tcp $HOME_NET any -> [151.242.20.227] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202322; rev:1;) alert tcp $HOME_NET any -> [93.170.104.146] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202323; rev:1;) alert tcp $HOME_NET any -> [188.127.237.245] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202324; rev:1;) alert tcp $HOME_NET any -> [172.245.62.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202325; rev:1;) alert tcp $HOME_NET any -> [185.15.245.114] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202326; rev:1;) alert tcp $HOME_NET any -> [154.16.245.154] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202327; rev:1;) alert tcp $HOME_NET any -> [5.149.249.178] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202328; rev:1;) alert tcp $HOME_NET any -> [95.46.44.35] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202329; rev:1;) alert tcp $HOME_NET any -> [179.60.147.99] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202330; rev:1;) alert tcp $HOME_NET any -> [192.189.25.143] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202331; rev:1;) alert tcp $HOME_NET any -> [216.218.208.114] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202332; rev:1;) alert tcp $HOME_NET any -> [178.218.78.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202333; rev:1;) alert tcp $HOME_NET any -> [85.143.210.193] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202334; rev:1;) alert tcp $HOME_NET any -> [104.222.145.137] 1805 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202335; rev:1;) alert tcp $HOME_NET any -> [144.217.47.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202336; rev:1;) alert tcp $HOME_NET any -> [192.189.25.148] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202337; rev:1;) alert tcp $HOME_NET any -> [94.177.229.198] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202338; rev:1;) alert tcp $HOME_NET any -> [31.24.30.182] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202339; rev:1;) alert tcp $HOME_NET any -> [192.3.21.24] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202340; rev:1;) alert tcp $HOME_NET any -> [185.118.66.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202341; rev:1;) alert tcp $HOME_NET any -> [85.25.236.32] 40443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202342; rev:1;) alert tcp $HOME_NET any -> [188.120.249.30] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202343; rev:1;) alert tcp $HOME_NET any -> [77.111.90.85] 18443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202344; rev:1;) alert tcp $HOME_NET any -> [89.36.216.204] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202345; rev:1;) alert tcp $HOME_NET any -> [79.100.73.20] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202346; rev:1;) alert tcp $HOME_NET any -> [89.248.170.232] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202347; rev:1;) alert tcp $HOME_NET any -> [178.218.214.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202348; rev:1;) alert tcp $HOME_NET any -> [185.117.72.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202349; rev:1;) alert tcp $HOME_NET any -> [176.114.3.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202350; rev:1;) alert tcp $HOME_NET any -> [167.88.8.189] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202351; rev:1;) alert tcp $HOME_NET any -> [161.18.42.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202352; rev:1;) alert tcp $HOME_NET any -> [93.189.43.28] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202353; rev:1;) alert tcp $HOME_NET any -> [216.127.161.5] 53443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202354; rev:1;) alert tcp $HOME_NET any -> [192.241.236.239] 8343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202355; rev:1;) alert tcp $HOME_NET any -> [179.33.157.217] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202356; rev:1;) alert tcp $HOME_NET any -> [185.62.39.171] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202357; rev:1;) alert tcp $HOME_NET any -> [5.199.129.213] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202358; rev:1;) alert tcp $HOME_NET any -> [54.213.4.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202359; rev:1;) alert tcp $HOME_NET any -> [209.95.52.140] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202360; rev:1;) alert tcp $HOME_NET any -> [88.99.80.51] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202361; rev:1;) alert tcp $HOME_NET any -> [90.63.214.213] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202362; rev:1;) alert tcp $HOME_NET any -> [91.235.129.199] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202363; rev:1;) alert tcp $HOME_NET any -> [62.76.189.215] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202364; rev:1;) alert tcp $HOME_NET any -> [78.155.218.234] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202365; rev:1;) alert tcp $HOME_NET any -> [216.126.199.179] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202366; rev:1;) alert tcp $HOME_NET any -> [184.105.192.2] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202367; rev:1;) alert tcp $HOME_NET any -> [185.48.56.205] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202368; rev:1;) alert tcp $HOME_NET any -> [109.248.222.180] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202369; rev:1;) alert tcp $HOME_NET any -> [201.236.219.180] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202370; rev:1;) alert tcp $HOME_NET any -> [68.232.180.122] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202371; rev:1;) alert tcp $HOME_NET any -> [83.54.108.164] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202372; rev:1;) alert tcp $HOME_NET any -> [149.56.201.67] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202373; rev:1;) alert tcp $HOME_NET any -> [188.68.50.34] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202374; rev:1;) alert tcp $HOME_NET any -> [212.200.111.170] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202375; rev:1;) alert tcp $HOME_NET any -> [71.6.155.196] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202376; rev:1;) alert tcp $HOME_NET any -> [74.63.209.174] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202377; rev:1;) alert tcp $HOME_NET any -> [176.9.238.164] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202378; rev:1;) alert tcp $HOME_NET any -> [86.105.212.26] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202379; rev:1;) alert tcp $HOME_NET any -> [77.246.149.92] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202380; rev:1;) alert tcp $HOME_NET any -> [77.81.107.193] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202381; rev:1;) alert tcp $HOME_NET any -> [192.188.58.163] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202382; rev:1;) alert tcp $HOME_NET any -> [69.43.168.214] 8343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202383; rev:1;) alert tcp $HOME_NET any -> [109.74.9.119] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202384; rev:1;) alert tcp $HOME_NET any -> [203.153.165.21] 8343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202385; rev:1;) alert tcp $HOME_NET any -> [185.101.94.187] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202386; rev:1;) alert tcp $HOME_NET any -> [188.120.230.245] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202387; rev:1;) alert tcp $HOME_NET any -> [89.223.26.112] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202388; rev:1;) alert tcp $HOME_NET any -> [186.170.104.105] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202389; rev:1;) alert tcp $HOME_NET any -> [207.35.75.110] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202390; rev:1;) alert tcp $HOME_NET any -> [82.196.5.27] 8343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202391; rev:1;) alert tcp $HOME_NET any -> [93.189.43.164] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202392; rev:1;) alert tcp $HOME_NET any -> [190.99.185.101] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202393; rev:1;) alert tcp $HOME_NET any -> [23.227.201.27] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202394; rev:1;) alert tcp $HOME_NET any -> [93.132.4.208] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202395; rev:1;) alert tcp $HOME_NET any -> [91.221.37.6] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202396; rev:1;) alert tcp $HOME_NET any -> [94.177.175.55] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202397; rev:1;) alert tcp $HOME_NET any -> [92.222.129.145] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202398; rev:1;) alert tcp $HOME_NET any -> [85.214.91.74] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202399; rev:1;) alert tcp $HOME_NET any -> [91.103.2.132] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202400; rev:1;) alert tcp $HOME_NET any -> [80.112.73.129] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202401; rev:1;) alert tcp $HOME_NET any -> [85.85.138.188] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202402; rev:1;) alert tcp $HOME_NET any -> [89.46.78.221] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202403; rev:1;) alert tcp $HOME_NET any -> [179.32.98.86] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202404; rev:1;) alert tcp $HOME_NET any -> [5.188.232.10] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202405; rev:1;) alert tcp $HOME_NET any -> [31.31.9.153] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202406; rev:1;) alert tcp $HOME_NET any -> [114.37.52.2] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202407; rev:1;) alert tcp $HOME_NET any -> [186.118.237.18] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202408; rev:1;) alert tcp $HOME_NET any -> [222.254.22.64] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202409; rev:1;) alert tcp $HOME_NET any -> [45.55.86.6] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202410; rev:1;) alert tcp $HOME_NET any -> [46.11.36.216] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202411; rev:1;) alert tcp $HOME_NET any -> [95.81.78.201] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202412; rev:1;) alert tcp $HOME_NET any -> [51.254.39.113] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202413; rev:1;) alert tcp $HOME_NET any -> [92.96.1.58] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202414; rev:1;) alert tcp $HOME_NET any -> [179.33.92.17] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202415; rev:1;) alert tcp $HOME_NET any -> [5.249.154.143] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202416; rev:1;) alert tcp $HOME_NET any -> [186.113.121.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202417; rev:1;) alert tcp $HOME_NET any -> [81.147.99.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202418; rev:1;) alert tcp $HOME_NET any -> [220.233.135.250] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202419; rev:1;) alert tcp $HOME_NET any -> [23.94.38.151] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202420; rev:1;) alert tcp $HOME_NET any -> [193.204.38.28] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202421; rev:1;) alert tcp $HOME_NET any -> [186.27.188.184] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202422; rev:1;) alert tcp $HOME_NET any -> [94.177.189.240] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202423; rev:1;) alert tcp $HOME_NET any -> [5.196.129.108] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202424; rev:1;) alert tcp $HOME_NET any -> [185.15.185.209] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202425; rev:1;) alert tcp $HOME_NET any -> [185.77.131.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202426; rev:1;) alert tcp $HOME_NET any -> [82.99.60.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202427; rev:1;) alert tcp $HOME_NET any -> [188.227.173.38] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202428; rev:1;) alert tcp $HOME_NET any -> [154.0.171.105] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202429; rev:1;) alert tcp $HOME_NET any -> [188.227.17.6] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202430; rev:1;) alert tcp $HOME_NET any -> [186.115.48.68] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202431; rev:1;) alert tcp $HOME_NET any -> [91.217.90.128] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202432; rev:1;) alert tcp $HOME_NET any -> [5.239.214.127] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202433; rev:1;) alert tcp $HOME_NET any -> [93.119.123.134] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202434; rev:1;) alert tcp $HOME_NET any -> [46.72.12.164] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202435; rev:1;) alert tcp $HOME_NET any -> [107.182.236.109] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202436; rev:1;) alert tcp $HOME_NET any -> [173.212.200.226] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202437; rev:1;) alert tcp $HOME_NET any -> [86.120.81.103] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202438; rev:1;) alert tcp $HOME_NET any -> [209.20.67.87] 4432 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202439; rev:1;) alert tcp $HOME_NET any -> [192.111.142.39] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202440; rev:1;) alert tcp $HOME_NET any -> [31.31.168.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202441; rev:1;) alert tcp $HOME_NET any -> [212.227.105.182] 8343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202442; rev:1;) alert tcp $HOME_NET any -> [62.109.2.195] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202443; rev:1;) alert tcp $HOME_NET any -> [68.169.45.193] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202444; rev:1;) alert tcp $HOME_NET any -> [81.130.131.55] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202445; rev:1;) alert tcp $HOME_NET any -> [84.234.75.108] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202446; rev:1;) alert tcp $HOME_NET any -> [77.236.97.60] 4433 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202447; rev:1;) alert tcp $HOME_NET any -> [114.215.223.85] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202448; rev:1;) alert tcp $HOME_NET any -> [216.55.182.20] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202449; rev:1;) alert tcp $HOME_NET any -> [79.137.13.22] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202450; rev:1;) alert tcp $HOME_NET any -> [93.113.131.123] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202451; rev:1;) alert tcp $HOME_NET any -> [190.68.232.25] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202452; rev:1;) alert tcp $HOME_NET any -> [193.238.152.198] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202453; rev:1;) alert tcp $HOME_NET any -> [88.202.188.35] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202454; rev:1;) alert tcp $HOME_NET any -> [191.113.180.68] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202455; rev:1;) alert tcp $HOME_NET any -> [144.76.2.182] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202456; rev:1;) alert tcp $HOME_NET any -> [217.29.220.255] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202457; rev:1;) alert tcp $HOME_NET any -> [62.221.97.151] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202458; rev:1;) alert tcp $HOME_NET any -> [31.184.198.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202459; rev:1;) alert tcp $HOME_NET any -> [194.150.118.25] 3101 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202460; rev:1;) alert tcp $HOME_NET any -> [209.20.67.87] 5353 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202461; rev:1;) alert tcp $HOME_NET any -> [109.235.76.95] 1843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202462; rev:1;) alert tcp $HOME_NET any -> [69.61.83.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202463; rev:1;) alert tcp $HOME_NET any -> [185.156.179.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202464; rev:1;) alert tcp $HOME_NET any -> [186.27.132.164] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202465; rev:1;) alert tcp $HOME_NET any -> [213.25.134.101] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202466; rev:1;) alert tcp $HOME_NET any -> [178.208.81.147] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202467; rev:1;) alert tcp $HOME_NET any -> [194.58.122.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202468; rev:1;) alert tcp $HOME_NET any -> [151.248.121.8] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202469; rev:1;) alert tcp $HOME_NET any -> [176.31.252.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Nexuslogger C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202470; rev:1;) alert tcp $HOME_NET any -> [52.33.54.94] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202471; rev:1;) alert tcp $HOME_NET any -> [146.185.243.51] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202472; rev:1;) alert tcp $HOME_NET any -> [186.115.225.54] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202473; rev:1;) alert tcp $HOME_NET any -> [91.121.30.169] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202474; rev:1;) alert tcp $HOME_NET any -> [194.190.161.63] 1503 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202475; rev:1;) alert tcp $HOME_NET any -> [51.254.129.140] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202476; rev:1;) alert tcp $HOME_NET any -> [188.226.154.38] 2221 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202477; rev:1;) alert tcp $HOME_NET any -> [212.116.113.184] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202478; rev:1;) alert tcp $HOME_NET any -> [5.107.29.149] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202479; rev:1;) alert tcp $HOME_NET any -> [170.81.24.154] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202480; rev:1;) alert tcp $HOME_NET any -> [103.17.72.238] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202481; rev:1;) alert tcp $HOME_NET any -> [136.243.209.34] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202482; rev:1;) alert tcp $HOME_NET any -> [188.127.249.70] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202483; rev:1;) alert tcp $HOME_NET any -> [117.220.210.235] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202484; rev:1;) alert tcp $HOME_NET any -> [5.101.120.73] 8343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202485; rev:1;) alert tcp $HOME_NET any -> [80.90.203.245] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202486; rev:1;) alert tcp $HOME_NET any -> [81.130.206.62] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202487; rev:1;) alert tcp $HOME_NET any -> [82.30.148.143] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202488; rev:1;) alert tcp $HOME_NET any -> [178.250.243.146] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202489; rev:1;) alert tcp $HOME_NET any -> [185.146.1.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202490; rev:1;) alert tcp $HOME_NET any -> [185.31.209.41] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202491; rev:1;) alert tcp $HOME_NET any -> [47.18.17.114] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202492; rev:1;) alert tcp $HOME_NET any -> [101.201.67.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202493; rev:1;) alert tcp $HOME_NET any -> [159.226.92.9] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202494; rev:1;) alert tcp $HOME_NET any -> [52.70.122.231] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202495; rev:1;) alert tcp $HOME_NET any -> [190.254.235.168] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202496; rev:1;) alert tcp $HOME_NET any -> [188.127.237.70] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202497; rev:1;) alert tcp $HOME_NET any -> [103.28.71.118] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202498; rev:1;) alert tcp $HOME_NET any -> [125.26.255.230] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202499; rev:1;) alert tcp $HOME_NET any -> [191.109.33.76] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202500; rev:1;) alert tcp $HOME_NET any -> [190.99.183.77] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202501; rev:1;) alert tcp $HOME_NET any -> [2.190.245.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202502; rev:1;) alert tcp $HOME_NET any -> [186.119.35.127] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202503; rev:1;) alert tcp $HOME_NET any -> [23.239.85.14] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202504; rev:1;) alert tcp $HOME_NET any -> [195.123.212.86] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202505; rev:1;) alert tcp $HOME_NET any -> [185.181.10.30] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202506; rev:1;) alert tcp $HOME_NET any -> [85.101.189.216] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202507; rev:1;) alert tcp $HOME_NET any -> [136.243.87.113] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202508; rev:1;) alert tcp $HOME_NET any -> [46.173.219.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202509; rev:1;) alert tcp $HOME_NET any -> [154.16.159.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202510; rev:1;) alert tcp $HOME_NET any -> [5.107.46.130] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202511; rev:1;) alert tcp $HOME_NET any -> [85.104.229.104] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202512; rev:1;) alert tcp $HOME_NET any -> [95.59.26.137] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202513; rev:1;) alert tcp $HOME_NET any -> [144.217.33.200] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202514; rev:1;) alert tcp $HOME_NET any -> [54.164.51.39] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202515; rev:1;) alert tcp $HOME_NET any -> [200.120.214.150] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202516; rev:1;) alert tcp $HOME_NET any -> [91.227.18.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202517; rev:1;) alert tcp $HOME_NET any -> [185.181.9.40] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202518; rev:1;) alert tcp $HOME_NET any -> [76.74.178.144] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202519; rev:1;) alert tcp $HOME_NET any -> [190.99.143.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202520; rev:1;) alert tcp $HOME_NET any -> [27.111.40.234] 3443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202521; rev:1;) alert tcp $HOME_NET any -> [122.174.13.63] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202522; rev:1;) alert tcp $HOME_NET any -> [8.8.247.90] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202523; rev:1;) alert tcp $HOME_NET any -> [198.167.136.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202524; rev:1;) alert tcp $HOME_NET any -> [179.49.120.5] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202525; rev:1;) alert tcp $HOME_NET any -> [217.13.119.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202526; rev:1;) alert tcp $HOME_NET any -> [50.102.69.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202527; rev:1;) alert tcp $HOME_NET any -> [73.26.63.118] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202528; rev:1;) alert tcp $HOME_NET any -> [124.171.125.94] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202529; rev:1;) alert tcp $HOME_NET any -> [178.32.107.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202530; rev:1;) alert tcp $HOME_NET any -> [70.48.48.240] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202531; rev:1;) alert tcp $HOME_NET any -> [116.108.114.214] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202532; rev:1;) alert tcp $HOME_NET any -> [24.119.14.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202533; rev:1;) alert tcp $HOME_NET any -> [74.5.136.50] 990 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202534; rev:1;) alert tcp $HOME_NET any -> [201.232.32.124] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202535; rev:1;) alert tcp $HOME_NET any -> [190.138.249.45] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202536; rev:1;) alert tcp $HOME_NET any -> [78.190.54.45] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202537; rev:1;) alert tcp $HOME_NET any -> [5.196.201.100] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202538; rev:1;) alert tcp $HOME_NET any -> [47.22.21.180] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202539; rev:1;) alert tcp $HOME_NET any -> [98.191.105.101] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202540; rev:1;) alert tcp $HOME_NET any -> [185.80.53.125] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202541; rev:1;) alert tcp $HOME_NET any -> [2.126.55.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202542; rev:1;) alert tcp $HOME_NET any -> [31.14.145.250] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202543; rev:1;) alert tcp $HOME_NET any -> [74.138.222.130] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202544; rev:1;) alert tcp $HOME_NET any -> [180.93.69.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202545; rev:1;) alert tcp $HOME_NET any -> [74.193.105.104] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202546; rev:1;) alert tcp $HOME_NET any -> [166.149.168.187] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202547; rev:1;) alert tcp $HOME_NET any -> [105.224.196.216] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202548; rev:1;) alert tcp $HOME_NET any -> [171.61.232.165] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202549; rev:1;) alert tcp $HOME_NET any -> [62.75.197.233] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202550; rev:1;) alert tcp $HOME_NET any -> [193.0.178.77] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202551; rev:1;) alert tcp $HOME_NET any -> [5.188.223.7] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202552; rev:1;) alert tcp $HOME_NET any -> [105.227.190.124] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202553; rev:1;) alert tcp $HOME_NET any -> [27.3.86.221] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202554; rev:1;) alert tcp $HOME_NET any -> [203.92.62.46] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202555; rev:1;) alert tcp $HOME_NET any -> [89.154.213.154] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202556; rev:1;) alert tcp $HOME_NET any -> [73.176.255.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202557; rev:1;) alert tcp $HOME_NET any -> [76.177.4.114] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202558; rev:1;) alert tcp $HOME_NET any -> [24.6.98.88] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202559; rev:1;) alert tcp $HOME_NET any -> [71.88.202.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202560; rev:1;) alert tcp $HOME_NET any -> [85.85.140.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202561; rev:1;) alert tcp $HOME_NET any -> [59.96.182.66] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202562; rev:1;) alert tcp $HOME_NET any -> [185.98.86.114] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202563; rev:1;) alert tcp $HOME_NET any -> [190.69.239.72] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202564; rev:1;) alert tcp $HOME_NET any -> [205.186.129.254] 8043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202565; rev:1;) alert tcp $HOME_NET any -> [192.3.165.10] 8043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202566; rev:1;) alert tcp $HOME_NET any -> [91.203.145.34] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202567; rev:1;) alert tcp $HOME_NET any -> [195.174.126.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202568; rev:1;) alert tcp $HOME_NET any -> [62.109.13.107] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202569; rev:1;) alert tcp $HOME_NET any -> [89.163.220.168] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202570; rev:1;) alert tcp $HOME_NET any -> [67.231.16.71] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202571; rev:1;) alert tcp $HOME_NET any -> [104.207.153.107] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202572; rev:1;) alert tcp $HOME_NET any -> [190.238.62.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202573; rev:1;) alert tcp $HOME_NET any -> [173.25.234.18] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202574; rev:1;) alert tcp $HOME_NET any -> [97.126.1.61] 990 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202575; rev:1;) alert tcp $HOME_NET any -> [185.98.86.131] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202576; rev:1;) alert tcp $HOME_NET any -> [185.16.41.108] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202577; rev:1;) alert tcp $HOME_NET any -> [182.18.152.103] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202578; rev:1;) alert tcp $HOME_NET any -> [150.31.38.94] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202579; rev:1;) alert tcp $HOME_NET any -> [73.27.36.186] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202580; rev:1;) alert tcp $HOME_NET any -> [120.24.84.63] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202581; rev:1;) alert tcp $HOME_NET any -> [2.220.18.203] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202582; rev:1;) alert tcp $HOME_NET any -> [186.27.233.210] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202583; rev:1;) alert tcp $HOME_NET any -> [161.18.100.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202584; rev:1;) alert tcp $HOME_NET any -> [113.167.98.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202585; rev:1;) alert tcp $HOME_NET any -> [45.74.41.34] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202586; rev:1;) alert tcp $HOME_NET any -> [139.129.250.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202587; rev:1;) alert tcp $HOME_NET any -> [117.221.26.63] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202588; rev:1;) alert tcp $HOME_NET any -> [193.238.152.67] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202589; rev:1;) alert tcp $HOME_NET any -> [190.66.212.225] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202590; rev:1;) alert tcp $HOME_NET any -> [89.242.200.242] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202591; rev:1;) alert tcp $HOME_NET any -> [98.194.132.179] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202592; rev:1;) alert tcp $HOME_NET any -> [80.51.120.132] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202593; rev:1;) alert tcp $HOME_NET any -> [190.67.98.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202594; rev:1;) alert tcp $HOME_NET any -> [62.76.177.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202595; rev:1;) alert tcp $HOME_NET any -> [58.182.10.7] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202596; rev:1;) alert tcp $HOME_NET any -> [95.158.148.249] 3443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202597; rev:1;) alert tcp $HOME_NET any -> [59.125.50.132] 44443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202598; rev:1;) alert tcp $HOME_NET any -> [174.135.45.106] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202599; rev:1;) alert tcp $HOME_NET any -> [97.103.16.213] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202600; rev:1;) alert tcp $HOME_NET any -> [217.182.45.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202601; rev:1;) alert tcp $HOME_NET any -> [144.217.16.189] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202602; rev:1;) alert tcp $HOME_NET any -> [67.87.108.136] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202603; rev:1;) alert tcp $HOME_NET any -> [186.27.246.62] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202604; rev:1;) alert tcp $HOME_NET any -> [179.32.209.39] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202605; rev:1;) alert tcp $HOME_NET any -> [104.236.181.85] 3443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202606; rev:1;) alert tcp $HOME_NET any -> [37.187.57.57] 8043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202607; rev:1;) alert tcp $HOME_NET any -> [149.56.9.218] 8043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202608; rev:1;) alert tcp $HOME_NET any -> [47.188.109.209] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202609; rev:1;) alert tcp $HOME_NET any -> [84.42.159.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202610; rev:1;) alert tcp $HOME_NET any -> [66.165.13.205] 32103 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202611; rev:1;) alert tcp $HOME_NET any -> [5.135.186.189] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202612; rev:1;) alert tcp $HOME_NET any -> [192.254.133.59] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202613; rev:1;) alert tcp $HOME_NET any -> [186.114.103.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202614; rev:1;) alert tcp $HOME_NET any -> [144.208.127.72] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202615; rev:1;) alert tcp $HOME_NET any -> [52.25.108.4] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202616; rev:1;) alert tcp $HOME_NET any -> [61.3.147.231] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202617; rev:1;) alert tcp $HOME_NET any -> [71.233.66.243] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202618; rev:1;) alert tcp $HOME_NET any -> [191.110.143.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202619; rev:1;) alert tcp $HOME_NET any -> [107.181.187.101] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaBanker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202620; rev:1;) alert tcp $HOME_NET any -> [89.33.64.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202621; rev:1;) alert tcp $HOME_NET any -> [178.57.222.136] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202622; rev:1;) alert tcp $HOME_NET any -> [186.112.44.52] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202623; rev:1;) alert tcp $HOME_NET any -> [94.102.55.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202624; rev:1;) alert tcp $HOME_NET any -> [50.198.141.161] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202625; rev:1;) alert tcp $HOME_NET any -> [36.66.107.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202626; rev:1;) alert tcp $HOME_NET any -> [85.143.214.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202627; rev:1;) alert tcp $HOME_NET any -> [190.68.87.97] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202628; rev:1;) alert tcp $HOME_NET any -> [186.112.78.150] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202629; rev:1;) alert tcp $HOME_NET any -> [185.35.138.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202630; rev:1;) alert tcp $HOME_NET any -> [190.99.203.251] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202631; rev:1;) alert tcp $HOME_NET any -> [64.250.115.129] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202632; rev:1;) alert tcp $HOME_NET any -> [5.237.63.68] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202633; rev:1;) alert tcp $HOME_NET any -> [35.187.46.239] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202634; rev:1;) alert tcp $HOME_NET any -> [52.38.159.164] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202635; rev:1;) alert tcp $HOME_NET any -> [103.4.18.170] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202636; rev:1;) alert tcp $HOME_NET any -> [83.141.2.155] 8043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202637; rev:1;) alert tcp $HOME_NET any -> [183.87.11.253] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202638; rev:1;) alert tcp $HOME_NET any -> [175.136.183.22] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202639; rev:1;) alert tcp $HOME_NET any -> [91.200.14.88] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202640; rev:1;) alert tcp $HOME_NET any -> [185.158.249.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202641; rev:1;) alert tcp $HOME_NET any -> [200.120.214.150] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202642; rev:1;) alert tcp $HOME_NET any -> [93.170.104.145] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202643; rev:1;) alert tcp $HOME_NET any -> [200.116.206.58] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202644; rev:1;) alert tcp $HOME_NET any -> [185.35.139.248] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202645; rev:1;) alert tcp $HOME_NET any -> [161.10.212.151] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202646; rev:1;) alert tcp $HOME_NET any -> [117.204.131.25] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202647; rev:1;) alert tcp $HOME_NET any -> [203.92.62.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202648; rev:1;) alert tcp $HOME_NET any -> [107.181.255.244] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202649; rev:1;) alert tcp $HOME_NET any -> [107.170.146.72] 44343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202650; rev:1;) alert tcp $HOME_NET any -> [107.170.4.194] 943 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202651; rev:1;) alert tcp $HOME_NET any -> [92.63.111.201] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202652; rev:1;) alert tcp $HOME_NET any -> [107.170.0.14] 8043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202653; rev:1;) alert tcp $HOME_NET any -> [8.8.247.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202654; rev:1;) alert tcp $HOME_NET any -> [37.120.172.171] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202655; rev:1;) alert tcp $HOME_NET any -> [158.69.209.193] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202656; rev:1;) alert tcp $HOME_NET any -> [178.62.65.89] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202657; rev:1;) alert tcp $HOME_NET any -> [203.76.105.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202658; rev:1;) alert tcp $HOME_NET any -> [216.66.0.143] 5353 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202659; rev:1;) alert tcp $HOME_NET any -> [217.182.53.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202660; rev:1;) alert tcp $HOME_NET any -> [104.236.252.178] 44343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202661; rev:1;) alert tcp $HOME_NET any -> [185.145.253.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202662; rev:1;) alert tcp $HOME_NET any -> [68.169.52.216] 44343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202663; rev:1;) alert tcp $HOME_NET any -> [194.1.238.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202664; rev:1;) alert tcp $HOME_NET any -> [81.12.229.190] 8043 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202665; rev:1;) alert tcp $HOME_NET any -> [185.98.86.242] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202666; rev:1;) alert tcp $HOME_NET any -> [149.62.168.5] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202667; rev:1;) alert tcp $HOME_NET any -> [202.195.246.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202668; rev:1;) alert tcp $HOME_NET any -> [45.51.20.176] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202669; rev:1;) alert tcp $HOME_NET any -> [185.75.59.226] 9945 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202670; rev:1;) alert tcp $HOME_NET any -> [208.87.225.248] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202671; rev:1;) alert tcp $HOME_NET any -> [71.79.50.183] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202672; rev:1;) alert tcp $HOME_NET any -> [195.54.162.230] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202673; rev:1;) alert tcp $HOME_NET any -> [79.172.242.28] 7272 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202674; rev:1;) alert tcp $HOME_NET any -> [174.127.99.178] 5001 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202675; rev:1;) alert tcp $HOME_NET any -> [178.175.138.146] 1011 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202676; rev:1;) alert tcp $HOME_NET any -> [181.215.47.182] 2087 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202677; rev:1;) alert tcp $HOME_NET any -> [91.219.28.55] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202678; rev:1;) alert tcp $HOME_NET any -> [178.32.255.130] 44343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202679; rev:1;) alert tcp $HOME_NET any -> [217.197.39.1] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202680; rev:1;) alert tcp $HOME_NET any -> [185.92.239.14] 7755 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202681; rev:1;) alert tcp $HOME_NET any -> [195.88.209.221] 4413 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202682; rev:1;) alert tcp $HOME_NET any -> [104.153.108.111] 9200 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202683; rev:1;) alert tcp $HOME_NET any -> [186.107.17.157] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202684; rev:1;) alert tcp $HOME_NET any -> [174.127.99.172] 8484 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202685; rev:1;) alert tcp $HOME_NET any -> [154.73.28.239] 78 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202686; rev:1;) alert tcp $HOME_NET any -> [186.208.106.234] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202687; rev:1;) alert tcp $HOME_NET any -> [5.175.225.33] 1177 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202688; rev:1;) alert tcp $HOME_NET any -> [174.127.99.250] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202689; rev:1;) alert tcp $HOME_NET any -> [46.102.152.208] 1350 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202690; rev:1;) alert tcp $HOME_NET any -> [117.99.183.127] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202691; rev:1;) alert tcp $HOME_NET any -> [5.101.4.41] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Neutrino C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202692; rev:1;) alert tcp $HOME_NET any -> [188.124.170.93] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202693; rev:1;) alert tcp $HOME_NET any -> [186.27.192.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202694; rev:1;) alert tcp $HOME_NET any -> [96.9.69.131] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202695; rev:1;) alert tcp $HOME_NET any -> [5.172.34.138] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202696; rev:1;) alert tcp $HOME_NET any -> [24.184.200.177] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202697; rev:1;) alert tcp $HOME_NET any -> [82.146.46.207] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202698; rev:1;) alert tcp $HOME_NET any -> [91.236.116.138] 2010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202699; rev:1;) alert tcp $HOME_NET any -> [62.141.34.242] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202700; rev:1;) alert tcp $HOME_NET any -> [77.48.28.232] 9978 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202701; rev:1;) alert tcp $HOME_NET any -> [151.80.84.3] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202702; rev:1;) alert tcp $HOME_NET any -> [198.100.157.155] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202703; rev:1;) alert tcp $HOME_NET any -> [45.63.7.73] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaBanker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202704; rev:1;) alert tcp $HOME_NET any -> [84.200.65.35] 7274 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202705; rev:1;) alert tcp $HOME_NET any -> [46.183.217.22] 1608 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202706; rev:1;) alert tcp $HOME_NET any -> [204.152.219.120] 2556 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202707; rev:1;) alert tcp $HOME_NET any -> [185.29.9.3] 9455 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202708; rev:1;) alert tcp $HOME_NET any -> [198.100.127.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202709; rev:1;) alert tcp $HOME_NET any -> [81.95.126.146] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202710; rev:1;) alert tcp $HOME_NET any -> [77.48.28.248] 8854 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202711; rev:1;) alert tcp $HOME_NET any -> [23.105.131.211] 17387 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202712; rev:1;) alert tcp $HOME_NET any -> [82.153.121.186] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202713; rev:1;) alert tcp $HOME_NET any -> [87.120.254.222] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202714; rev:1;) alert tcp $HOME_NET any -> [160.202.163.251] 7755 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202715; rev:1;) alert tcp $HOME_NET any -> [115.186.139.104] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202716; rev:1;) alert tcp $HOME_NET any -> [195.225.231.79] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202717; rev:1;) alert tcp $HOME_NET any -> [49.156.45.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202718; rev:1;) alert tcp $HOME_NET any -> [179.43.158.169] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202719; rev:1;) alert tcp $HOME_NET any -> [160.202.163.240] 1111 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202720; rev:1;) alert tcp $HOME_NET any -> [154.16.201.3] 21777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202721; rev:1;) alert tcp $HOME_NET any -> [163.47.20.67] 1975 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202722; rev:1;) alert tcp $HOME_NET any -> [89.35.228.205] 9090 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202723; rev:1;) alert tcp $HOME_NET any -> [160.202.163.240] 9888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202724; rev:1;) alert tcp $HOME_NET any -> [185.101.34.69] 5567 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202725; rev:1;) alert tcp $HOME_NET any -> [117.199.204.238] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202726; rev:1;) alert tcp $HOME_NET any -> [37.235.49.220] 1111 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202727; rev:1;) alert tcp $HOME_NET any -> [137.74.103.16] 9090 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202728; rev:1;) alert tcp $HOME_NET any -> [123.206.198.12] 8888 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202729; rev:1;) alert tcp $HOME_NET any -> [174.127.99.198] 2727 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202730; rev:1;) alert tcp $HOME_NET any -> [217.19.223.20] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202731; rev:1;) alert tcp $HOME_NET any -> [91.236.116.141] 1030 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202732; rev:1;) alert tcp $HOME_NET any -> [198.12.96.155] 2087 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202733; rev:1;) alert tcp $HOME_NET any -> [77.48.28.194] 5050 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202734; rev:1;) alert tcp $HOME_NET any -> [213.208.129.195] 27180 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202735; rev:1;) alert tcp $HOME_NET any -> [195.225.231.78] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202736; rev:1;) alert tcp $HOME_NET any -> [95.104.2.225] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202737; rev:1;) alert tcp $HOME_NET any -> [213.183.58.54] 7956 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202738; rev:1;) alert tcp $HOME_NET any -> [217.164.82.62] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202739; rev:1;) alert tcp $HOME_NET any -> [181.234.110.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202740; rev:1;) alert tcp $HOME_NET any -> [184.75.209.164] 5050 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202741; rev:1;) alert tcp $HOME_NET any -> [181.234.131.143] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202742; rev:1;) alert tcp $HOME_NET any -> [181.234.125.7] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202743; rev:1;) alert tcp $HOME_NET any -> [59.98.97.170] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202744; rev:1;) alert tcp $HOME_NET any -> [47.88.17.2] 25432 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202745; rev:1;) alert tcp $HOME_NET any -> [174.127.99.188] 8040 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202746; rev:1;) alert tcp $HOME_NET any -> [184.75.209.178] 9001 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202747; rev:1;) alert tcp $HOME_NET any -> [185.101.34.119] 1933 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202748; rev:1;) alert tcp $HOME_NET any -> [176.9.99.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202749; rev:1;) alert tcp $HOME_NET any -> [184.75.210.206] 7262 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202750; rev:1;) alert tcp $HOME_NET any -> [173.254.223.124] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202751; rev:1;) alert tcp $HOME_NET any -> [50.2.13.182] 2087 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202752; rev:1;) alert tcp $HOME_NET any -> [23.105.128.147] 2070 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202753; rev:1;) alert tcp $HOME_NET any -> [185.84.181.69] 2245 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202754; rev:1;) alert tcp $HOME_NET any -> [185.145.45.228] 9018 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202755; rev:1;) alert tcp $HOME_NET any -> [185.84.181.67] 1996 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202756; rev:1;) alert tcp $HOME_NET any -> [95.140.125.100] 9060 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202757; rev:1;) alert tcp $HOME_NET any -> [104.153.108.150] 3281 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202758; rev:1;) alert tcp $HOME_NET any -> [46.183.222.37] 4040 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202759; rev:1;) alert tcp $HOME_NET any -> [213.183.58.44] 6466 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202760; rev:1;) alert tcp $HOME_NET any -> [185.29.9.121] 7760 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202761; rev:1;) alert tcp $HOME_NET any -> [154.16.220.161] 1101 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202762; rev:1;) alert tcp $HOME_NET any -> [174.127.99.212] 54689 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202763; rev:1;) alert tcp $HOME_NET any -> [154.16.220.106] 20901 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202764; rev:1;) alert tcp $HOME_NET any -> [91.236.116.141] 1506 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202765; rev:1;) alert tcp $HOME_NET any -> [212.24.109.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202766; rev:1;) alert tcp $HOME_NET any -> [62.113.202.70] 5643 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202767; rev:1;) alert tcp $HOME_NET any -> [174.127.99.217] 3001 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202768; rev:1;) alert tcp $HOME_NET any -> [67.130.166.121] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202769; rev:1;) alert tcp $HOME_NET any -> [212.24.110.154] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202770; rev:1;) alert tcp $HOME_NET any -> [89.231.13.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202771; rev:1;) alert tcp $HOME_NET any -> [212.24.110.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202772; rev:1;) alert tcp $HOME_NET any -> [94.27.36.66] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202773; rev:1;) alert tcp $HOME_NET any -> [107.181.187.141] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202774; rev:1;) alert tcp $HOME_NET any -> [121.41.25.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202775; rev:1;) alert tcp $HOME_NET any -> [188.255.249.27] 445 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202776; rev:1;) alert tcp $HOME_NET any -> [212.24.109.200] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202777; rev:1;) alert tcp $HOME_NET any -> [31.215.129.180] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202778; rev:1;) alert tcp $HOME_NET any -> [163.47.20.60] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202779; rev:1;) alert tcp $HOME_NET any -> [160.202.163.249] 4487 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202780; rev:1;) alert tcp $HOME_NET any -> [213.183.40.11] 9797 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202781; rev:1;) alert tcp $HOME_NET any -> [95.141.43.196] 6660 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202782; rev:1;) alert tcp $HOME_NET any -> [213.183.58.48] 6464 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202783; rev:1;) alert tcp $HOME_NET any -> [174.127.99.145] 7171 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202784; rev:1;) alert tcp $HOME_NET any -> [191.7.30.30] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202785; rev:1;) alert tcp $HOME_NET any -> [23.227.201.157] 2087 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202786; rev:1;) alert tcp $HOME_NET any -> [213.183.58.29] 1609 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202787; rev:1;) alert tcp $HOME_NET any -> [94.42.91.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202788; rev:1;) alert tcp $HOME_NET any -> [195.69.196.77] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202789; rev:1;) alert tcp $HOME_NET any -> [118.91.178.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202790; rev:1;) alert tcp $HOME_NET any -> [159.224.26.79] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202791; rev:1;) alert tcp $HOME_NET any -> [161.10.192.68] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202792; rev:1;) alert tcp $HOME_NET any -> [89.231.13.18] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202793; rev:1;) alert tcp $HOME_NET any -> [89.231.13.33] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202794; rev:1;) alert tcp $HOME_NET any -> [213.208.129.198] 5564 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202795; rev:1;) alert tcp $HOME_NET any -> [89.231.13.18] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202796; rev:1;) alert tcp $HOME_NET any -> [213.183.58.53] 41969 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202797; rev:1;) alert tcp $HOME_NET any -> [104.243.37.52] 7070 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202798; rev:1;) alert tcp $HOME_NET any -> [213.183.58.27] 6442 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202799; rev:1;) alert tcp $HOME_NET any -> [213.183.58.29] 2559 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202800; rev:1;) alert tcp $HOME_NET any -> [213.183.58.55] 2426 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202801; rev:1;) alert tcp $HOME_NET any -> [85.228.193.94] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202802; rev:1;) alert tcp $HOME_NET any -> [195.62.53.213] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202803; rev:1;) alert tcp $HOME_NET any -> [195.2.252.178] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202804; rev:1;) alert tcp $HOME_NET any -> [206.221.186.201] 1414 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202805; rev:1;) alert tcp $HOME_NET any -> [200.28.113.178] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202806; rev:1;) alert tcp $HOME_NET any -> [161.10.39.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202807; rev:1;) alert tcp $HOME_NET any -> [117.200.11.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202808; rev:1;) alert tcp $HOME_NET any -> [179.33.115.200] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202809; rev:1;) alert tcp $HOME_NET any -> [154.16.49.145] 2087 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202810; rev:1;) alert tcp $HOME_NET any -> [163.53.206.187] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202811; rev:1;) alert tcp $HOME_NET any -> [91.206.4.216] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202812; rev:1;) alert tcp $HOME_NET any -> [46.160.165.16] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202813; rev:1;) alert tcp $HOME_NET any -> [195.133.197.179] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202814; rev:1;) alert tcp $HOME_NET any -> [83.234.136.55] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202815; rev:1;) alert tcp $HOME_NET any -> [194.87.111.85] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202816; rev:1;) alert tcp $HOME_NET any -> [46.160.165.31] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202817; rev:1;) alert tcp $HOME_NET any -> [213.183.58.54] 2558 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202818; rev:1;) alert tcp $HOME_NET any -> [93.99.68.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202819; rev:1;) alert tcp $HOME_NET any -> [186.114.237.54] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202820; rev:1;) alert tcp $HOME_NET any -> [194.68.59.77] 3443 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202821; rev:1;) alert tcp $HOME_NET any -> [213.183.58.50] 4055 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202822; rev:1;) alert tcp $HOME_NET any -> [118.91.178.114] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202823; rev:1;) alert tcp $HOME_NET any -> [118.91.178.98] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202824; rev:1;) alert tcp $HOME_NET any -> [118.91.178.145] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202825; rev:1;) alert tcp $HOME_NET any -> [190.34.158.250] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202826; rev:1;) alert tcp $HOME_NET any -> [23.253.243.44] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202827; rev:1;) alert tcp $HOME_NET any -> [91.236.116.143] 2322 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202828; rev:1;) alert tcp $HOME_NET any -> [189.84.113.83] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202829; rev:1;) alert tcp $HOME_NET any -> [212.7.218.60] 2010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202830; rev:1;) alert tcp $HOME_NET any -> [178.175.138.224] 1414 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202831; rev:1;) alert tcp $HOME_NET any -> [31.171.155.68] 9455 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202832; rev:1;) alert tcp $HOME_NET any -> [154.16.49.144] 3087 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202833; rev:1;) alert tcp $HOME_NET any -> [172.94.117.219] 1609 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202834; rev:1;) alert tcp $HOME_NET any -> [209.222.111.183] 4545 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202835; rev:1;) alert tcp $HOME_NET any -> [154.16.49.125] 4087 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202836; rev:1;) alert tcp $HOME_NET any -> [95.141.43.199] 9090 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202837; rev:1;) alert tcp $HOME_NET any -> [86.99.122.180] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202838; rev:1;) alert tcp $HOME_NET any -> [154.16.49.141] 2087 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202839; rev:1;) alert tcp $HOME_NET any -> [213.183.58.35] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202840; rev:1;) alert tcp $HOME_NET any -> [154.16.49.142] 2087 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202841; rev:1;) alert tcp $HOME_NET any -> [216.244.79.18] 2087 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202842; rev:1;) alert tcp $HOME_NET any -> [185.84.181.89] 7262 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202843; rev:1;) alert tcp $HOME_NET any -> [213.183.58.35] 2446 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202844; rev:1;) alert tcp $HOME_NET any -> [103.68.223.134] 6329 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202845; rev:1;) alert tcp $HOME_NET any -> [185.84.181.78] 2022 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202846; rev:1;) alert tcp $HOME_NET any -> [186.103.161.204] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202847; rev:1;) alert tcp $HOME_NET any -> [185.84.181.96] 2556 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202848; rev:1;) alert tcp $HOME_NET any -> [5.188.231.125] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202849; rev:1;) alert tcp $HOME_NET any -> [94.74.81.176] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202850; rev:1;) alert tcp $HOME_NET any -> [94.23.170.129] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202851; rev:1;) alert tcp $HOME_NET any -> [5.8.88.194] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202852; rev:1;) alert tcp $HOME_NET any -> [89.223.31.232] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202853; rev:1;) alert tcp $HOME_NET any -> [37.59.183.143] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202854; rev:1;) alert tcp $HOME_NET any -> [37.59.80.99] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202855; rev:1;) alert tcp $HOME_NET any -> [146.185.254.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202856; rev:1;) alert tcp $HOME_NET any -> [94.242.208.183] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202857; rev:1;) alert tcp $HOME_NET any -> [5.188.231.10] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202858; rev:1;) alert tcp $HOME_NET any -> [5.8.88.40] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202859; rev:1;) alert tcp $HOME_NET any -> [94.242.252.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202860; rev:1;) alert tcp $HOME_NET any -> [154.16.49.165] 2087 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202861; rev:1;) alert tcp $HOME_NET any -> [213.152.161.149] 3487 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202862; rev:1;) alert tcp $HOME_NET any -> [185.172.31.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202863; rev:1;) alert tcp $HOME_NET any -> [193.124.117.102] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202864; rev:1;) alert tcp $HOME_NET any -> [69.247.60.183] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202865; rev:1;) alert tcp $HOME_NET any -> [131.153.37.30] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202866; rev:1;) alert tcp $HOME_NET any -> [91.214.114.179] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202867; rev:1;) alert tcp $HOME_NET any -> [81.95.123.210] 1985 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202868; rev:1;) alert tcp $HOME_NET any -> [185.30.144.205] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202869; rev:1;) alert tcp $HOME_NET any -> [213.184.126.131] 6022 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202870; rev:1;) alert tcp $HOME_NET any -> [185.208.210.40] 1334 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202871; rev:1;) alert tcp $HOME_NET any -> [181.215.247.123] 1605 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202872; rev:1;) alert tcp $HOME_NET any -> [23.105.131.158] 7033 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202873; rev:1;) alert tcp $HOME_NET any -> [172.93.148.168] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202874; rev:1;) alert tcp $HOME_NET any -> [185.75.59.209] 7719 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202875; rev:1;) alert tcp $HOME_NET any -> [66.11.124.213] 2087 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202876; rev:1;) alert tcp $HOME_NET any -> [38.95.111.202] 5577 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202877; rev:1;) alert tcp $HOME_NET any -> [174.127.99.128] 3445 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202878; rev:1;) alert tcp $HOME_NET any -> [146.71.87.11] 1989 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202879; rev:1;) alert tcp $HOME_NET any -> [23.105.131.156] 4321 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202880; rev:1;) alert tcp $HOME_NET any -> [204.152.219.93] 4466 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202881; rev:1;) alert tcp $HOME_NET any -> [185.120.144.151] 1906 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202882; rev:1;) alert tcp $HOME_NET any -> [151.80.84.2] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202883; rev:1;) alert tcp $HOME_NET any -> [178.175.138.200] 9010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202884; rev:1;) alert tcp $HOME_NET any -> [23.105.131.186] 1101 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202885; rev:1;) alert tcp $HOME_NET any -> [5.133.15.5] 4245 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202886; rev:1;) alert tcp $HOME_NET any -> [176.10.124.226] 7033 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202887; rev:1;) alert tcp $HOME_NET any -> [192.237.180.245] 667 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202888; rev:1;) alert tcp $HOME_NET any -> [174.127.99.146] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202889; rev:1;) alert tcp $HOME_NET any -> [89.35.228.232] 4044 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202890; rev:1;) alert tcp $HOME_NET any -> [193.105.134.78] 1472 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202891; rev:1;) alert tcp $HOME_NET any -> [188.165.26.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202892; rev:1;) alert tcp $HOME_NET any -> [176.10.124.234] 1903 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202893; rev:1;) alert tcp $HOME_NET any -> [213.183.58.34] 2077 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202894; rev:1;) alert tcp $HOME_NET any -> [172.82.162.246] 8090 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202895; rev:1;) alert tcp $HOME_NET any -> [84.238.198.166] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202896; rev:1;) alert tcp $HOME_NET any -> [212.7.218.143] 7543 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202897; rev:1;) alert tcp $HOME_NET any -> [195.88.208.202] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202898; rev:1;) alert tcp $HOME_NET any -> [95.167.151.228] 7769 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202899; rev:1;) alert tcp $HOME_NET any -> [185.145.45.145] 2888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202900; rev:1;) alert tcp $HOME_NET any -> [185.208.170.155] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202901; rev:1;) alert tcp $HOME_NET any -> [146.71.87.103] 1992 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202902; rev:1;) alert tcp $HOME_NET any -> [204.152.219.112] 1010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202903; rev:1;) alert tcp $HOME_NET any -> [95.141.43.219] 2204 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202904; rev:1;) alert tcp $HOME_NET any -> [185.153.229.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Nexuslogger C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202905; rev:1;) alert tcp $HOME_NET any -> [213.183.58.37] 64666 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202906; rev:1;) alert tcp $HOME_NET any -> [144.208.127.126] 1989 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202907; rev:1;) alert tcp $HOME_NET any -> [185.84.181.89] 3545 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202908; rev:1;) alert tcp $HOME_NET any -> [37.10.71.146] 1961 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202909; rev:1;) alert tcp $HOME_NET any -> [213.183.58.56] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202910; rev:1;) alert tcp $HOME_NET any -> [185.141.27.19] 1008 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202911; rev:1;) alert tcp $HOME_NET any -> [23.227.201.27] 5053 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202912; rev:1;) alert tcp $HOME_NET any -> [5.187.49.226] 8088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202913; rev:1;) alert tcp $HOME_NET any -> [213.183.58.34] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202914; rev:1;) alert tcp $HOME_NET any -> [174.127.99.130] 2014 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202915; rev:1;) alert tcp $HOME_NET any -> [192.166.218.230] 1779 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202916; rev:1;) alert tcp $HOME_NET any -> [213.183.58.42] 3012 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202917; rev:1;) alert tcp $HOME_NET any -> [185.29.9.15] 9220 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202918; rev:1;) alert tcp $HOME_NET any -> [146.255.79.170] 8190 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202919; rev:1;) alert tcp $HOME_NET any -> [37.49.224.26] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202920; rev:1;) alert tcp $HOME_NET any -> [174.127.99.171] 2017 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202921; rev:1;) alert tcp $HOME_NET any -> [174.127.99.153] 7789 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202922; rev:1;) alert tcp $HOME_NET any -> [191.101.22.21] 9876 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202923; rev:1;) alert tcp $HOME_NET any -> [194.68.59.36] 100 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202924; rev:1;) alert tcp $HOME_NET any -> [210.186.224.62] 4442 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202925; rev:1;) alert tcp $HOME_NET any -> [192.253.242.233] 6061 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202926; rev:1;) alert tcp $HOME_NET any -> [54.85.217.174] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202927; rev:1;) alert tcp $HOME_NET any -> [185.145.45.9] 2176 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202928; rev:1;) alert tcp $HOME_NET any -> [146.255.79.169] 7033 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202929; rev:1;) alert tcp $HOME_NET any -> [212.7.208.88] 2556 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202930; rev:1;) alert tcp $HOME_NET any -> [91.236.116.142] 2888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202931; rev:1;) alert tcp $HOME_NET any -> [176.10.124.245] 7000 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202932; rev:1;) alert tcp $HOME_NET any -> [209.141.39.145] 9005 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202933; rev:1;) alert tcp $HOME_NET any -> [79.172.242.32] 7278 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202934; rev:1;) alert tcp $HOME_NET any -> [195.62.52.100] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202935; rev:1;) alert tcp $HOME_NET any -> [64.15.75.83] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202936; rev:1;) alert tcp $HOME_NET any -> [191.101.22.15] 7928 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202937; rev:1;) alert tcp $HOME_NET any -> [104.171.113.230] 1989 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202938; rev:1;) alert tcp $HOME_NET any -> [144.208.126.172] 1995 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202939; rev:1;) alert tcp $HOME_NET any -> [178.175.138.200] 4571 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202940; rev:1;) alert tcp $HOME_NET any -> [185.189.112.134] 8091 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202941; rev:1;) alert tcp $HOME_NET any -> [162.248.75.99] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202942; rev:1;) alert tcp $HOME_NET any -> [24.13.179.247] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202943; rev:1;) alert tcp $HOME_NET any -> [213.183.58.52] 4644 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202944; rev:1;) alert tcp $HOME_NET any -> [23.105.131.190] 7088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202945; rev:1;) alert tcp $HOME_NET any -> [5.187.49.227] 8088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202946; rev:1;) alert tcp $HOME_NET any -> [78.130.176.162] 54669 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202947; rev:1;) alert tcp $HOME_NET any -> [209.141.38.25] 3479 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202948; rev:1;) alert tcp $HOME_NET any -> [210.16.102.142] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202949; rev:1;) alert tcp $HOME_NET any -> [146.255.79.170] 7054 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202950; rev:1;) alert tcp $HOME_NET any -> [188.165.62.11] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202951; rev:1;) alert tcp $HOME_NET any -> [178.175.138.196] 2024 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202952; rev:1;) alert tcp $HOME_NET any -> [194.68.59.33] 7793 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202953; rev:1;) alert tcp $HOME_NET any -> [212.7.218.64] 19989 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202954; rev:1;) alert tcp $HOME_NET any -> [181.215.247.219] 3088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202955; rev:1;) alert tcp $HOME_NET any -> [146.255.79.175] 7524 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202956; rev:1;) alert tcp $HOME_NET any -> [178.175.138.143] 2098 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202957; rev:1;) alert tcp $HOME_NET any -> [185.145.45.73] 4111 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202958; rev:1;) alert tcp $HOME_NET any -> [185.40.20.42] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202959; rev:1;) alert tcp $HOME_NET any -> [93.123.73.16] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202960; rev:1;) alert tcp $HOME_NET any -> [87.121.76.172] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202961; rev:1;) alert tcp $HOME_NET any -> [176.10.124.236] 8073 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202962; rev:1;) alert tcp $HOME_NET any -> [213.184.126.153] 5001 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202963; rev:1;) alert tcp $HOME_NET any -> [172.93.148.175] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202964; rev:1;) alert tcp $HOME_NET any -> [95.140.125.28] 9977 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202965; rev:1;) alert tcp $HOME_NET any -> [37.230.228.41] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202966; rev:1;) alert tcp $HOME_NET any -> [172.81.178.93] 1033 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202967; rev:1;) alert tcp $HOME_NET any -> [93.190.142.100] 8090 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202968; rev:1;) alert tcp $HOME_NET any -> [5.152.210.165] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202969; rev:1;) alert tcp $HOME_NET any -> [37.59.183.142] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202970; rev:1;) alert tcp $HOME_NET any -> [84.40.65.85] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202971; rev:1;) alert tcp $HOME_NET any -> [219.92.199.191] 4442 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202972; rev:1;) alert tcp $HOME_NET any -> [216.244.71.140] 3040 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202973; rev:1;) alert tcp $HOME_NET any -> [91.139.236.92] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202974; rev:1;) alert tcp $HOME_NET any -> [172.93.37.143] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202975; rev:1;) alert tcp $HOME_NET any -> [89.34.99.133] 2016 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202976; rev:1;) alert tcp $HOME_NET any -> [210.16.101.88] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202977; rev:1;) alert tcp $HOME_NET any -> [51.254.164.249] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202978; rev:1;) alert tcp $HOME_NET any -> [134.19.176.150] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202979; rev:1;) alert tcp $HOME_NET any -> [146.255.79.186] 2016 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202980; rev:1;) alert tcp $HOME_NET any -> [154.16.220.117] 9010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202981; rev:1;) alert tcp $HOME_NET any -> [79.124.78.81] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202982; rev:1;) alert tcp $HOME_NET any -> [173.254.252.209] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202983; rev:1;) alert tcp $HOME_NET any -> [94.242.213.97] 3360 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202984; rev:1;) alert tcp $HOME_NET any -> [144.208.127.142] 1986 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202985; rev:1;) alert tcp $HOME_NET any -> [64.71.166.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202986; rev:1;) alert tcp $HOME_NET any -> [185.189.112.142] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202987; rev:1;) alert tcp $HOME_NET any -> [95.183.52.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202988; rev:1;) alert tcp $HOME_NET any -> [94.242.213.178] 3360 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202989; rev:1;) alert tcp $HOME_NET any -> [194.68.59.33] 7798 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202990; rev:1;) alert tcp $HOME_NET any -> [31.31.77.229] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202991; rev:1;) alert tcp $HOME_NET any -> [191.101.22.27] 1616 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202992; rev:1;) alert tcp $HOME_NET any -> [89.46.222.232] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202993; rev:1;) alert tcp $HOME_NET any -> [103.16.27.91] 5874 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202994; rev:1;) alert tcp $HOME_NET any -> [78.130.176.223] 6666 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202995; rev:1;) alert tcp $HOME_NET any -> [174.127.99.156] 4050 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202996; rev:1;) alert tcp $HOME_NET any -> [188.165.62.8] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202997; rev:1;) alert tcp $HOME_NET any -> [191.101.22.168] 1759 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202998; rev:1;) alert tcp $HOME_NET any -> [194.87.102.36] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903202999; rev:1;) alert tcp $HOME_NET any -> [173.254.223.88] 1592 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203000; rev:1;) alert tcp $HOME_NET any -> [181.215.247.7] 1988 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203001; rev:1;) alert tcp $HOME_NET any -> [78.130.176.192] 6463 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203002; rev:1;) alert tcp $HOME_NET any -> [146.255.79.167] 88 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203003; rev:1;) alert tcp $HOME_NET any -> [178.175.138.167] 9010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203004; rev:1;) alert tcp $HOME_NET any -> [66.85.27.170] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203005; rev:1;) alert tcp $HOME_NET any -> [107.173.168.160] 3040 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203006; rev:1;) alert tcp $HOME_NET any -> [95.140.125.26] 1677 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203007; rev:1;) alert tcp $HOME_NET any -> [185.82.217.212] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203008; rev:1;) alert tcp $HOME_NET any -> [185.203.118.198] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203009; rev:1;) alert tcp $HOME_NET any -> [5.188.231.44] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203010; rev:1;) alert tcp $HOME_NET any -> [47.74.150.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203011; rev:1;) alert tcp $HOME_NET any -> [216.107.149.57] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203012; rev:1;) alert tcp $HOME_NET any -> [184.155.19.94] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203013; rev:1;) alert tcp $HOME_NET any -> [185.82.200.159] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203014; rev:1;) alert tcp $HOME_NET any -> [194.87.99.62] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203015; rev:1;) alert tcp $HOME_NET any -> [195.133.48.80] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203016; rev:1;) alert tcp $HOME_NET any -> [194.68.59.45] 5657 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203017; rev:1;) alert tcp $HOME_NET any -> [91.236.116.144] 1818 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203018; rev:1;) alert tcp $HOME_NET any -> [178.156.202.159] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203019; rev:1;) alert tcp $HOME_NET any -> [103.208.86.215] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203020; rev:1;) alert tcp $HOME_NET any -> [185.80.128.230] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203021; rev:1;) alert tcp $HOME_NET any -> [5.133.179.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203022; rev:1;) alert tcp $HOME_NET any -> [74.208.167.95] 1443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203023; rev:1;) alert tcp $HOME_NET any -> [185.174.101.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203024; rev:1;) alert tcp $HOME_NET any -> [87.106.15.52] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203025; rev:1;) alert tcp $HOME_NET any -> [185.165.29.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203026; rev:1;) alert tcp $HOME_NET any -> [5.188.231.46] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203027; rev:1;) alert tcp $HOME_NET any -> [5.8.88.219] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203028; rev:1;) alert tcp $HOME_NET any -> [155.94.238.28] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203029; rev:1;) alert tcp $HOME_NET any -> [194.87.93.97] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203030; rev:1;) alert tcp $HOME_NET any -> [91.211.246.131] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203031; rev:1;) alert tcp $HOME_NET any -> [47.89.253.7] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Zloader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203032; rev:1;) alert tcp $HOME_NET any -> [91.83.88.51] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203033; rev:1;) alert tcp $HOME_NET any -> [18.221.102.212] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203034; rev:1;) alert tcp $HOME_NET any -> [178.175.138.198] 5030 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203035; rev:1;) alert tcp $HOME_NET any -> [185.86.150.63] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203036; rev:1;) alert tcp $HOME_NET any -> [194.87.99.225] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203037; rev:1;) alert tcp $HOME_NET any -> [5.188.231.16] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203038; rev:1;) alert tcp $HOME_NET any -> [45.32.70.144] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203039; rev:1;) alert tcp $HOME_NET any -> [188.137.122.5] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203040; rev:1;) alert tcp $HOME_NET any -> [185.94.191.82] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203041; rev:1;) alert tcp $HOME_NET any -> [190.1.231.231] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203042; rev:1;) alert tcp $HOME_NET any -> [195.133.145.222] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203043; rev:1;) alert tcp $HOME_NET any -> [52.90.250.177] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203044; rev:1;) alert tcp $HOME_NET any -> [47.89.254.87] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203045; rev:1;) alert tcp $HOME_NET any -> [176.10.124.228] 4147 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203046; rev:1;) alert tcp $HOME_NET any -> [18.220.233.103] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203047; rev:1;) alert tcp $HOME_NET any -> [5.8.88.31] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203048; rev:1;) alert tcp $HOME_NET any -> [73.166.89.239] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203049; rev:1;) alert tcp $HOME_NET any -> [195.133.144.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203050; rev:1;) alert tcp $HOME_NET any -> [188.137.122.68] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203051; rev:1;) alert tcp $HOME_NET any -> [185.158.115.57] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203052; rev:1;) alert tcp $HOME_NET any -> [188.137.122.40] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203053; rev:1;) alert tcp $HOME_NET any -> [89.231.13.38] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203054; rev:1;) alert tcp $HOME_NET any -> [195.133.147.228] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203055; rev:1;) alert tcp $HOME_NET any -> [107.189.162.131] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203056; rev:1;) alert tcp $HOME_NET any -> [103.25.58.168] 5676 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203057; rev:1;) alert tcp $HOME_NET any -> [185.141.25.242] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203058; rev:1;) alert tcp $HOME_NET any -> [34.229.150.157] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203059; rev:1;) alert tcp $HOME_NET any -> [54.208.118.55] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203060; rev:1;) alert tcp $HOME_NET any -> [194.87.110.49] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203061; rev:1;) alert tcp $HOME_NET any -> [176.10.124.223] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203062; rev:1;) alert tcp $HOME_NET any -> [5.45.83.115] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203063; rev:1;) alert tcp $HOME_NET any -> [5.8.88.181] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203064; rev:1;) alert tcp $HOME_NET any -> [195.133.146.156] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203065; rev:1;) alert tcp $HOME_NET any -> [47.74.154.177] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203066; rev:1;) alert tcp $HOME_NET any -> [45.77.97.99] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203067; rev:1;) alert tcp $HOME_NET any -> [191.101.22.20] 8787 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203068; rev:1;) alert tcp $HOME_NET any -> [49.51.133.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203069; rev:1;) alert tcp $HOME_NET any -> [94.75.77.162] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203070; rev:1;) alert tcp $HOME_NET any -> [194.87.98.234] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203071; rev:1;) alert tcp $HOME_NET any -> [185.158.115.61] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203072; rev:1;) alert tcp $HOME_NET any -> [5.45.86.128] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203073; rev:1;) alert tcp $HOME_NET any -> [194.87.111.83] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203074; rev:1;) alert tcp $HOME_NET any -> [49.51.135.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203075; rev:1;) alert tcp $HOME_NET any -> [185.117.72.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203076; rev:1;) alert tcp $HOME_NET any -> [193.218.145.101] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203077; rev:1;) alert tcp $HOME_NET any -> [78.130.176.213] 6790 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203078; rev:1;) alert tcp $HOME_NET any -> [185.84.181.85] 7177 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203079; rev:1;) alert tcp $HOME_NET any -> [205.185.117.108] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203080; rev:1;) alert tcp $HOME_NET any -> [209.200.27.76] 4343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203081; rev:1;) alert tcp $HOME_NET any -> [92.207.100.244] 4843 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203082; rev:1;) alert tcp $HOME_NET any -> [185.112.82.64] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203083; rev:1;) alert tcp $HOME_NET any -> [82.146.40.253] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203084; rev:1;) alert tcp $HOME_NET any -> [213.183.58.35] 4101 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203085; rev:1;) alert tcp $HOME_NET any -> [154.16.63.221] 9909 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203086; rev:1;) alert tcp $HOME_NET any -> [91.233.116.104] 7728 (msg:"SSL Blacklist: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203087; rev:1;) alert tcp $HOME_NET any -> [89.35.228.243] 4780 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203088; rev:1;) alert tcp $HOME_NET any -> [185.198.57.151] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203089; rev:1;) alert tcp $HOME_NET any -> [176.10.124.230] 1566 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203090; rev:1;) alert tcp $HOME_NET any -> [95.167.151.234] 9212 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203091; rev:1;) alert tcp $HOME_NET any -> [197.85.185.132] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203092; rev:1;) alert tcp $HOME_NET any -> [95.167.151.233] 4045 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203093; rev:1;) alert tcp $HOME_NET any -> [194.87.99.234] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203094; rev:1;) alert tcp $HOME_NET any -> [31.171.155.60] 5588 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203095; rev:1;) alert tcp $HOME_NET any -> [23.105.131.150] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203096; rev:1;) alert tcp $HOME_NET any -> [176.10.124.239] 7790 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203097; rev:1;) alert tcp $HOME_NET any -> [204.152.219.72] 7878 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203098; rev:1;) alert tcp $HOME_NET any -> [173.203.123.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203099; rev:1;) alert tcp $HOME_NET any -> [162.243.137.50] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203100; rev:1;) alert tcp $HOME_NET any -> [5.200.35.63] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203101; rev:1;) alert tcp $HOME_NET any -> [185.127.26.227] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203102; rev:1;) alert tcp $HOME_NET any -> [185.198.57.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203103; rev:1;) alert tcp $HOME_NET any -> [181.215.247.26] 9090 (msg:"SSL Blacklist: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203104; rev:1;) alert tcp $HOME_NET any -> [49.51.38.160] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203105; rev:1;) alert tcp $HOME_NET any -> [185.198.57.57] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203106; rev:1;) alert tcp $HOME_NET any -> [64.132.75.142] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203107; rev:1;) alert tcp $HOME_NET any -> [176.10.124.197] 3487 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203108; rev:1;) alert tcp $HOME_NET any -> [172.112.229.191] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203109; rev:1;) alert tcp $HOME_NET any -> [87.106.219.40] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203110; rev:1;) alert tcp $HOME_NET any -> [5.2.76.91] 6868 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203111; rev:1;) alert tcp $HOME_NET any -> [185.84.181.79] 4820 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203112; rev:1;) alert tcp $HOME_NET any -> [24.182.236.58] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203113; rev:1;) alert tcp $HOME_NET any -> [108.35.21.79] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203114; rev:1;) alert tcp $HOME_NET any -> [189.244.44.128] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203115; rev:1;) alert tcp $HOME_NET any -> [96.246.147.237] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203116; rev:1;) alert tcp $HOME_NET any -> [76.179.72.219] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203117; rev:1;) alert tcp $HOME_NET any -> [132.206.59.132] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203118; rev:1;) alert tcp $HOME_NET any -> [67.139.169.66] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203119; rev:1;) alert tcp $HOME_NET any -> [216.187.170.2] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203120; rev:1;) alert tcp $HOME_NET any -> [46.237.117.193] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203121; rev:1;) alert tcp $HOME_NET any -> [194.87.236.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203122; rev:1;) alert tcp $HOME_NET any -> [194.87.239.200] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203123; rev:1;) alert tcp $HOME_NET any -> [185.158.153.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203124; rev:1;) alert tcp $HOME_NET any -> [49.51.35.119] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203125; rev:1;) alert tcp $HOME_NET any -> [195.133.49.17] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203126; rev:1;) alert tcp $HOME_NET any -> [194.87.92.191] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203127; rev:1;) alert tcp $HOME_NET any -> [195.133.196.130] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203128; rev:1;) alert tcp $HOME_NET any -> [86.105.1.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203129; rev:1;) alert tcp $HOME_NET any -> [216.126.58.132] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203130; rev:1;) alert tcp $HOME_NET any -> [185.198.57.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203131; rev:1;) alert tcp $HOME_NET any -> [107.170.101.158] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203132; rev:1;) alert tcp $HOME_NET any -> [66.222.49.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203133; rev:1;) alert tcp $HOME_NET any -> [185.158.152.225] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203134; rev:1;) alert tcp $HOME_NET any -> [82.146.47.127] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203135; rev:1;) alert tcp $HOME_NET any -> [92.63.102.64] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203136; rev:1;) alert tcp $HOME_NET any -> [85.221.243.6] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203137; rev:1;) alert tcp $HOME_NET any -> [82.146.40.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203138; rev:1;) alert tcp $HOME_NET any -> [185.82.218.26] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203139; rev:1;) alert tcp $HOME_NET any -> [185.158.113.194] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203140; rev:1;) alert tcp $HOME_NET any -> [194.87.102.14] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203141; rev:1;) alert tcp $HOME_NET any -> [49.51.134.93] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203142; rev:1;) alert tcp $HOME_NET any -> [194.87.103.74] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203143; rev:1;) alert tcp $HOME_NET any -> [92.63.102.221] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203144; rev:1;) alert tcp $HOME_NET any -> [194.87.103.240] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203145; rev:1;) alert tcp $HOME_NET any -> [82.146.56.32] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203146; rev:1;) alert tcp $HOME_NET any -> [185.117.73.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203147; rev:1;) alert tcp $HOME_NET any -> [104.140.247.125] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203148; rev:1;) alert tcp $HOME_NET any -> [185.159.131.127] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203149; rev:1;) alert tcp $HOME_NET any -> [5.196.54.0] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203150; rev:1;) alert tcp $HOME_NET any -> [82.146.59.247] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203151; rev:1;) alert tcp $HOME_NET any -> [82.146.45.93] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203152; rev:1;) alert tcp $HOME_NET any -> [146.255.79.165] 1010 (msg:"SSL Blacklist: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203153; rev:1;) alert tcp $HOME_NET any -> [194.87.93.172] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203154; rev:1;) alert tcp $HOME_NET any -> [78.130.176.162] 2018 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203155; rev:1;) alert tcp $HOME_NET any -> [146.255.79.173] 2888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203156; rev:1;) alert tcp $HOME_NET any -> [194.87.103.184] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203157; rev:1;) alert tcp $HOME_NET any -> [194.87.232.219] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203158; rev:1;) alert tcp $HOME_NET any -> [74.202.242.28] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203159; rev:1;) alert tcp $HOME_NET any -> [185.84.181.83] 8088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203160; rev:1;) alert tcp $HOME_NET any -> [185.82.218.28] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203161; rev:1;) alert tcp $HOME_NET any -> [94.177.12.245] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203162; rev:1;) alert tcp $HOME_NET any -> [70.184.5.210] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203163; rev:1;) alert tcp $HOME_NET any -> [141.255.167.112] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203164; rev:1;) alert tcp $HOME_NET any -> [196.202.194.202] 451 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203165; rev:1;) alert tcp $HOME_NET any -> [185.82.216.187] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203166; rev:1;) alert tcp $HOME_NET any -> [169.239.129.47] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203167; rev:1;) alert tcp $HOME_NET any -> [185.82.217.224] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203168; rev:1;) alert tcp $HOME_NET any -> [62.102.148.166] 4414 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203169; rev:1;) alert tcp $HOME_NET any -> [195.133.146.111] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203170; rev:1;) alert tcp $HOME_NET any -> [37.220.31.41] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203171; rev:1;) alert tcp $HOME_NET any -> [188.120.231.188] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203172; rev:1;) alert tcp $HOME_NET any -> [188.137.86.7] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203173; rev:1;) alert tcp $HOME_NET any -> [107.161.160.30] 8443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203174; rev:1;) alert tcp $HOME_NET any -> [109.230.199.19] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203175; rev:1;) alert tcp $HOME_NET any -> [79.170.7.139] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203176; rev:1;) alert tcp $HOME_NET any -> [37.60.177.199] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203177; rev:1;) alert tcp $HOME_NET any -> [86.105.227.137] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203178; rev:1;) alert tcp $HOME_NET any -> [193.124.117.39] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203179; rev:1;) alert tcp $HOME_NET any -> [80.87.198.198] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203180; rev:1;) alert tcp $HOME_NET any -> [119.28.153.245] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Zloader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203181; rev:1;) alert tcp $HOME_NET any -> [185.183.96.165] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203182; rev:1;) alert tcp $HOME_NET any -> [185.80.128.154] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203183; rev:1;) alert tcp $HOME_NET any -> [141.255.167.123] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203184; rev:1;) alert tcp $HOME_NET any -> [79.119.121.185] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203185; rev:1;) alert tcp $HOME_NET any -> [185.80.128.27] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203186; rev:1;) alert tcp $HOME_NET any -> [185.77.128.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203187; rev:1;) alert tcp $HOME_NET any -> [93.95.97.138] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203188; rev:1;) alert tcp $HOME_NET any -> [188.120.248.190] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203189; rev:1;) alert tcp $HOME_NET any -> [149.154.69.131] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203190; rev:1;) alert tcp $HOME_NET any -> [62.109.9.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203191; rev:1;) alert tcp $HOME_NET any -> [185.198.57.172] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203192; rev:1;) alert tcp $HOME_NET any -> [185.117.73.235] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203193; rev:1;) alert tcp $HOME_NET any -> [188.120.249.77] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203194; rev:1;) alert tcp $HOME_NET any -> [77.244.215.81] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203195; rev:1;) alert tcp $HOME_NET any -> [212.38.166.236] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203196; rev:1;) alert tcp $HOME_NET any -> [194.87.234.254] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203197; rev:1;) alert tcp $HOME_NET any -> [80.188.120.11] 4343 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203198; rev:1;) alert tcp $HOME_NET any -> [37.230.112.61] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203199; rev:1;) alert tcp $HOME_NET any -> [89.45.67.144] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203200; rev:1;) alert tcp $HOME_NET any -> [181.211.34.154] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203201; rev:1;) alert tcp $HOME_NET any -> [194.87.239.104] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203202; rev:1;) alert tcp $HOME_NET any -> [164.132.28.118] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203203; rev:1;) alert tcp $HOME_NET any -> [46.22.211.167] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203204; rev:1;) alert tcp $HOME_NET any -> [104.236.49.165] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203205; rev:1;) alert tcp $HOME_NET any -> [194.87.236.168] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203206; rev:1;) alert tcp $HOME_NET any -> [95.213.251.95] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203207; rev:1;) alert tcp $HOME_NET any -> [78.24.217.88] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203208; rev:1;) alert tcp $HOME_NET any -> [195.133.146.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203209; rev:1;) alert tcp $HOME_NET any -> [145.249.105.20] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203210; rev:1;) alert tcp $HOME_NET any -> [5.200.35.40] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203211; rev:1;) alert tcp $HOME_NET any -> [156.17.92.161] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203212; rev:1;) alert tcp $HOME_NET any -> [187.191.0.42] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203213; rev:1;) alert tcp $HOME_NET any -> [195.133.146.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203214; rev:1;) alert tcp $HOME_NET any -> [185.106.120.167] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203215; rev:1;) alert tcp $HOME_NET any -> [194.87.236.180] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203216; rev:1;) alert tcp $HOME_NET any -> [95.213.252.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203217; rev:1;) alert tcp $HOME_NET any -> [89.171.146.30] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203218; rev:1;) alert tcp $HOME_NET any -> [104.131.89.74] 4431 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203219; rev:1;) alert tcp $HOME_NET any -> [154.16.63.167] 7878 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203220; rev:1;) alert tcp $HOME_NET any -> [194.87.236.216] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203221; rev:1;) alert tcp $HOME_NET any -> [91.134.203.113] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203222; rev:1;) alert tcp $HOME_NET any -> [185.213.209.194] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203223; rev:1;) alert tcp $HOME_NET any -> [78.155.206.233] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203224; rev:1;) alert tcp $HOME_NET any -> [174.127.99.172] 4242 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203225; rev:1;) alert tcp $HOME_NET any -> [185.82.200.224] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203226; rev:1;) alert tcp $HOME_NET any -> [176.10.124.226] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203227; rev:1;) alert tcp $HOME_NET any -> [149.154.71.146] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203228; rev:1;) alert tcp $HOME_NET any -> [95.213.194.244] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203229; rev:1;) alert tcp $HOME_NET any -> [92.53.66.73] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203230; rev:1;) alert tcp $HOME_NET any -> [89.45.67.104] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203231; rev:1;) alert tcp $HOME_NET any -> [95.213.195.174] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203232; rev:1;) alert tcp $HOME_NET any -> [95.213.251.5] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203233; rev:1;) alert tcp $HOME_NET any -> [194.87.102.119] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203234; rev:1;) alert tcp $HOME_NET any -> [185.28.63.109] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203235; rev:1;) alert tcp $HOME_NET any -> [92.63.105.132] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203236; rev:1;) alert tcp $HOME_NET any -> [86.105.227.152] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203237; rev:1;) alert tcp $HOME_NET any -> [185.198.57.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203238; rev:1;) alert tcp $HOME_NET any -> [5.8.88.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203239; rev:1;) alert tcp $HOME_NET any -> [79.106.41.23] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203240; rev:1;) alert tcp $HOME_NET any -> [107.170.65.224] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203241; rev:1;) alert tcp $HOME_NET any -> [108.49.159.2] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203242; rev:1;) alert tcp $HOME_NET any -> [185.80.130.216] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203243; rev:1;) alert tcp $HOME_NET any -> [146.255.79.173] 6767 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203244; rev:1;) alert tcp $HOME_NET any -> [179.43.147.235] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203245; rev:1;) alert tcp $HOME_NET any -> [174.127.99.129] 1234 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203246; rev:1;) alert tcp $HOME_NET any -> [213.183.58.43] 1011 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203247; rev:1;) alert tcp $HOME_NET any -> [204.152.219.98] 9988 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203248; rev:1;) alert tcp $HOME_NET any -> [27.102.106.140] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203249; rev:1;) alert tcp $HOME_NET any -> [109.120.152.175] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203250; rev:1;) alert tcp $HOME_NET any -> [95.213.252.209] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203251; rev:1;) alert tcp $HOME_NET any -> [194.87.145.199] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203252; rev:1;) alert tcp $HOME_NET any -> [176.10.124.237] 2556 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203253; rev:1;) alert tcp $HOME_NET any -> [176.10.124.197] 1888 (msg:"SSL Blacklist: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203254; rev:1;) alert tcp $HOME_NET any -> [162.255.117.34] 800 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203255; rev:1;) alert tcp $HOME_NET any -> [187.188.162.150] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203256; rev:1;) alert tcp $HOME_NET any -> [185.164.34.16] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203257; rev:1;) alert tcp $HOME_NET any -> [46.249.62.244] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203258; rev:1;) alert tcp $HOME_NET any -> [79.172.242.24] 1895 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203259; rev:1;) alert tcp $HOME_NET any -> [91.92.128.144] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203260; rev:1;) alert tcp $HOME_NET any -> [60.190.27.162] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203261; rev:1;) alert tcp $HOME_NET any -> [89.37.226.101] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203262; rev:1;) alert tcp $HOME_NET any -> [83.0.245.234] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203263; rev:1;) alert tcp $HOME_NET any -> [45.63.77.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203264; rev:1;) alert tcp $HOME_NET any -> [185.34.52.200] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203265; rev:1;) alert tcp $HOME_NET any -> [79.172.242.86] 9555 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203266; rev:1;) alert tcp $HOME_NET any -> [176.10.124.196] 1313 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203267; rev:1;) alert tcp $HOME_NET any -> [212.7.218.59] 8741 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203268; rev:1;) alert tcp $HOME_NET any -> [160.202.163.200] 1987 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203269; rev:1;) alert tcp $HOME_NET any -> [195.133.197.115] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203270; rev:1;) alert tcp $HOME_NET any -> [95.213.236.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203271; rev:1;) alert tcp $HOME_NET any -> [194.87.238.194] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203272; rev:1;) alert tcp $HOME_NET any -> [27.102.67.144] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203273; rev:1;) alert tcp $HOME_NET any -> [208.69.58.252] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203274; rev:1;) alert tcp $HOME_NET any -> [37.230.113.231] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203275; rev:1;) alert tcp $HOME_NET any -> [94.250.254.104] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203276; rev:1;) alert tcp $HOME_NET any -> [194.87.103.71] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203277; rev:1;) alert tcp $HOME_NET any -> [128.199.244.136] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203278; rev:1;) alert tcp $HOME_NET any -> [164.177.159.22] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203279; rev:1;) alert tcp $HOME_NET any -> [95.150.72.177] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203280; rev:1;) alert tcp $HOME_NET any -> [94.177.12.101] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203281; rev:1;) alert tcp $HOME_NET any -> [172.75.241.225] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203282; rev:1;) alert tcp $HOME_NET any -> [154.16.63.19] 6045 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203283; rev:1;) alert tcp $HOME_NET any -> [66.146.66.27] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203284; rev:1;) alert tcp $HOME_NET any -> [104.200.67.112] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203285; rev:1;) alert tcp $HOME_NET any -> [213.183.58.51] 4141 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203286; rev:1;) alert tcp $HOME_NET any -> [176.10.124.195] 8877 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203287; rev:1;) alert tcp $HOME_NET any -> [194.87.111.134] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203288; rev:1;) alert tcp $HOME_NET any -> [212.38.166.228] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203289; rev:1;) alert tcp $HOME_NET any -> [184.75.209.163] 5434 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203290; rev:1;) alert tcp $HOME_NET any -> [194.87.102.252] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203291; rev:1;) alert tcp $HOME_NET any -> [5.133.11.63] 8088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203292; rev:1;) alert tcp $HOME_NET any -> [185.228.232.68] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203293; rev:1;) alert tcp $HOME_NET any -> [213.183.58.45] 6767 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203294; rev:1;) alert tcp $HOME_NET any -> [213.152.161.239] 10752 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203295; rev:1;) alert tcp $HOME_NET any -> [185.84.181.87] 1759 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203296; rev:1;) alert tcp $HOME_NET any -> [31.41.46.196] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203297; rev:1;) alert tcp $HOME_NET any -> [185.175.158.213] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203298; rev:1;) alert tcp $HOME_NET any -> [91.92.128.45] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203299; rev:1;) alert tcp $HOME_NET any -> [23.254.202.203] 2688 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203300; rev:1;) alert tcp $HOME_NET any -> [213.183.40.10] 1988 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203301; rev:1;) alert tcp $HOME_NET any -> [86.105.227.136] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203302; rev:1;) alert tcp $HOME_NET any -> [178.175.138.212] 9572 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203303; rev:1;) alert tcp $HOME_NET any -> [95.140.125.23] 2051 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203304; rev:1;) alert tcp $HOME_NET any -> [185.171.25.13] 6447 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203305; rev:1;) alert tcp $HOME_NET any -> [185.22.173.238] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203306; rev:1;) alert tcp $HOME_NET any -> [5.39.47.22] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203307; rev:1;) alert tcp $HOME_NET any -> [137.74.150.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203308; rev:1;) alert tcp $HOME_NET any -> [85.217.170.217] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203309; rev:1;) alert tcp $HOME_NET any -> [92.53.78.220] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203310; rev:1;) alert tcp $HOME_NET any -> [194.87.102.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203311; rev:1;) alert tcp $HOME_NET any -> [94.177.12.239] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203312; rev:1;) alert tcp $HOME_NET any -> [185.133.42.243] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203313; rev:1;) alert tcp $HOME_NET any -> [185.164.34.18] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203314; rev:1;) alert tcp $HOME_NET any -> [27.102.107.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203315; rev:1;) alert tcp $HOME_NET any -> [213.208.152.206] 2889 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203316; rev:1;) alert tcp $HOME_NET any -> [91.92.136.107] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203317; rev:1;) alert tcp $HOME_NET any -> [213.183.58.56] 2644 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203318; rev:1;) alert tcp $HOME_NET any -> [95.213.235.211] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203319; rev:1;) alert tcp $HOME_NET any -> [185.34.52.58] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203320; rev:1;) alert tcp $HOME_NET any -> [92.53.66.115] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203321; rev:1;) alert tcp $HOME_NET any -> [78.24.223.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203322; rev:1;) alert tcp $HOME_NET any -> [95.154.199.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203323; rev:1;) alert tcp $HOME_NET any -> [185.92.239.13] 9000 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203324; rev:1;) alert tcp $HOME_NET any -> [185.22.173.239] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203325; rev:1;) alert tcp $HOME_NET any -> [185.200.117.131] 3567 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203326; rev:1;) alert tcp $HOME_NET any -> [5.133.11.56] 1840 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203327; rev:1;) alert tcp $HOME_NET any -> [27.102.66.99] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203328; rev:1;) alert tcp $HOME_NET any -> [62.109.26.193] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203329; rev:1;) alert tcp $HOME_NET any -> [185.159.130.63] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203330; rev:1;) alert tcp $HOME_NET any -> [62.109.16.70] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203331; rev:1;) alert tcp $HOME_NET any -> [185.80.130.32] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203332; rev:1;) alert tcp $HOME_NET any -> [173.212.227.54] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203333; rev:1;) alert tcp $HOME_NET any -> [138.197.255.18] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203334; rev:1;) alert tcp $HOME_NET any -> [95.213.204.105] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203335; rev:1;) alert tcp $HOME_NET any -> [5.200.55.47] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203336; rev:1;) alert tcp $HOME_NET any -> [185.186.140.192] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203337; rev:1;) alert tcp $HOME_NET any -> [185.198.58.164] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203338; rev:1;) alert tcp $HOME_NET any -> [86.105.1.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203339; rev:1;) alert tcp $HOME_NET any -> [109.120.155.23] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203340; rev:1;) alert tcp $HOME_NET any -> [178.33.182.138] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203341; rev:1;) alert tcp $HOME_NET any -> [194.68.59.32] 2323 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203342; rev:1;) alert tcp $HOME_NET any -> [179.43.147.200] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203343; rev:1;) alert tcp $HOME_NET any -> [67.209.219.92] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203344; rev:1;) alert tcp $HOME_NET any -> [212.7.208.82] 6060 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203345; rev:1;) alert tcp $HOME_NET any -> [46.8.158.149] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203346; rev:1;) alert tcp $HOME_NET any -> [185.171.25.4] 1988 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203347; rev:1;) alert tcp $HOME_NET any -> [191.101.22.2] 1990 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203348; rev:1;) alert tcp $HOME_NET any -> [185.224.133.57] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203349; rev:1;) alert tcp $HOME_NET any -> [213.183.58.56] 1997 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203350; rev:1;) alert tcp $HOME_NET any -> [191.101.22.163] 3348 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203351; rev:1;) alert tcp $HOME_NET any -> [94.250.255.50] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203352; rev:1;) alert tcp $HOME_NET any -> [200.111.97.235] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203353; rev:1;) alert tcp $HOME_NET any -> [195.2.253.127] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203354; rev:1;) alert tcp $HOME_NET any -> [176.56.237.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203355; rev:1;) alert tcp $HOME_NET any -> [193.124.117.189] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203356; rev:1;) alert tcp $HOME_NET any -> [194.87.236.228] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203357; rev:1;) alert tcp $HOME_NET any -> [82.146.48.241] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203358; rev:1;) alert tcp $HOME_NET any -> [188.120.243.242] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203359; rev:1;) alert tcp $HOME_NET any -> [94.250.253.142] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203360; rev:1;) alert tcp $HOME_NET any -> [94.75.240.80] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203361; rev:1;) alert tcp $HOME_NET any -> [92.53.66.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203362; rev:1;) alert tcp $HOME_NET any -> [185.161.210.92] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203363; rev:1;) alert tcp $HOME_NET any -> [27.102.107.180] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203364; rev:1;) alert tcp $HOME_NET any -> [192.254.173.150] 4443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203365; rev:1;) alert tcp $HOME_NET any -> [191.101.22.101] 1020 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203366; rev:1;) alert tcp $HOME_NET any -> [94.242.58.113] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203367; rev:1;) alert tcp $HOME_NET any -> [107.170.231.118] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203368; rev:1;) alert tcp $HOME_NET any -> [162.248.246.229] 4050 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203369; rev:1;) alert tcp $HOME_NET any -> [95.46.98.93] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203370; rev:1;) alert tcp $HOME_NET any -> [46.8.158.34] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203371; rev:1;) alert tcp $HOME_NET any -> [93.170.123.151] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203372; rev:1;) alert tcp $HOME_NET any -> [191.101.22.150] 2889 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203373; rev:1;) alert tcp $HOME_NET any -> [185.82.217.96] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203374; rev:1;) alert tcp $HOME_NET any -> [95.46.114.118] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203375; rev:1;) alert tcp $HOME_NET any -> [45.58.49.244] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203376; rev:1;) alert tcp $HOME_NET any -> [104.236.172.37] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203377; rev:1;) alert tcp $HOME_NET any -> [213.183.58.3] 5097 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203378; rev:1;) alert tcp $HOME_NET any -> [78.130.176.192] 6796 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203379; rev:1;) alert tcp $HOME_NET any -> [195.133.201.94] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203380; rev:1;) alert tcp $HOME_NET any -> [151.106.2.127] 7050 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203381; rev:1;) alert tcp $HOME_NET any -> [85.204.49.128] 6088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203382; rev:1;) alert tcp $HOME_NET any -> [185.227.83.56] 3052 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203383; rev:1;) alert tcp $HOME_NET any -> [190.123.44.141] 1501 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203384; rev:1;) alert tcp $HOME_NET any -> [77.48.28.201] 22777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203385; rev:1;) alert tcp $HOME_NET any -> [185.101.34.84] 2675 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203386; rev:1;) alert tcp $HOME_NET any -> [145.239.21.254] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203387; rev:1;) alert tcp $HOME_NET any -> [146.255.79.187] 9010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203388; rev:1;) alert tcp $HOME_NET any -> [89.18.27.155] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203389; rev:1;) alert tcp $HOME_NET any -> [5.8.88.133] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203390; rev:1;) alert tcp $HOME_NET any -> [194.87.238.84] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203391; rev:1;) alert tcp $HOME_NET any -> [92.53.91.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203392; rev:1;) alert tcp $HOME_NET any -> [98.191.134.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203393; rev:1;) alert tcp $HOME_NET any -> [46.30.45.208] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203394; rev:1;) alert tcp $HOME_NET any -> [95.213.251.136] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203395; rev:1;) alert tcp $HOME_NET any -> [86.27.41.234] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203396; rev:1;) alert tcp $HOME_NET any -> [66.222.48.40] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203397; rev:1;) alert tcp $HOME_NET any -> [185.106.120.201] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203398; rev:1;) alert tcp $HOME_NET any -> [176.31.46.70] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203399; rev:1;) alert tcp $HOME_NET any -> [94.177.229.24] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Downloader.AuotIT.ZLIB C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203400; rev:1;) alert tcp $HOME_NET any -> [203.24.188.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203401; rev:1;) alert tcp $HOME_NET any -> [89.36.214.238] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Downloader.AuotIT.ZLIB C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203402; rev:1;) alert tcp $HOME_NET any -> [178.159.36.92] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely LockPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203403; rev:1;) alert tcp $HOME_NET any -> [5.188.231.7] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203404; rev:1;) alert tcp $HOME_NET any -> [5.188.231.141] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203405; rev:1;) alert tcp $HOME_NET any -> [193.124.117.229] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203406; rev:1;) alert tcp $HOME_NET any -> [5.188.231.3] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203407; rev:1;) alert tcp $HOME_NET any -> [37.230.115.129] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203408; rev:1;) alert tcp $HOME_NET any -> [185.234.15.7] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203409; rev:1;) alert tcp $HOME_NET any -> [93.113.45.10] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203410; rev:1;) alert tcp $HOME_NET any -> [131.108.170.231] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203411; rev:1;) alert tcp $HOME_NET any -> [73.76.201.210] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203412; rev:1;) alert tcp $HOME_NET any -> [184.155.19.94] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203413; rev:1;) alert tcp $HOME_NET any -> [95.213.195.169] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203414; rev:1;) alert tcp $HOME_NET any -> [194.87.145.179] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203415; rev:1;) alert tcp $HOME_NET any -> [109.234.37.132] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203416; rev:1;) alert tcp $HOME_NET any -> [62.109.26.251] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203417; rev:1;) alert tcp $HOME_NET any -> [213.183.58.26] 5011 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203418; rev:1;) alert tcp $HOME_NET any -> [194.68.59.34] 9125 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203419; rev:1;) alert tcp $HOME_NET any -> [185.227.83.34] 2012 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203420; rev:1;) alert tcp $HOME_NET any -> [78.24.218.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203421; rev:1;) alert tcp $HOME_NET any -> [82.146.57.127] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203422; rev:1;) alert tcp $HOME_NET any -> [95.154.199.237] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203423; rev:1;) alert tcp $HOME_NET any -> [78.155.218.189] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203424; rev:1;) alert tcp $HOME_NET any -> [92.63.106.43] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203425; rev:1;) alert tcp $HOME_NET any -> [37.230.114.93] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203426; rev:1;) alert tcp $HOME_NET any -> [62.109.25.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203427; rev:1;) alert tcp $HOME_NET any -> [141.255.167.124] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203428; rev:1;) alert tcp $HOME_NET any -> [212.7.218.56] 9480 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203429; rev:1;) alert tcp $HOME_NET any -> [95.213.237.49] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203430; rev:1;) alert tcp $HOME_NET any -> [94.103.80.134] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203431; rev:1;) alert tcp $HOME_NET any -> [191.96.15.135] 2675 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203432; rev:1;) alert tcp $HOME_NET any -> [109.234.36.181] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203433; rev:1;) alert tcp $HOME_NET any -> [194.87.92.147] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203434; rev:1;) alert tcp $HOME_NET any -> [185.140.53.212] 2000 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203435; rev:1;) alert tcp $HOME_NET any -> [46.19.137.137] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203436; rev:1;) alert tcp $HOME_NET any -> [194.87.93.225] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203437; rev:1;) alert tcp $HOME_NET any -> [95.140.125.123] 2018 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203438; rev:1;) alert tcp $HOME_NET any -> [172.104.10.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203439; rev:1;) alert tcp $HOME_NET any -> [185.158.114.129] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203440; rev:1;) alert tcp $HOME_NET any -> [191.101.22.27] 11339 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203441; rev:1;) alert tcp $HOME_NET any -> [109.234.34.110] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203442; rev:1;) alert tcp $HOME_NET any -> [146.255.79.174] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203443; rev:1;) alert tcp $HOME_NET any -> [213.183.58.31] 4040 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203444; rev:1;) alert tcp $HOME_NET any -> [212.7.208.71] 1979 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203445; rev:1;) alert tcp $HOME_NET any -> [185.145.45.176] 2888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203446; rev:1;) alert tcp $HOME_NET any -> [185.227.83.49] 6060 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203447; rev:1;) alert tcp $HOME_NET any -> [107.155.72.119] 1602 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203448; rev:1;) alert tcp $HOME_NET any -> [185.171.25.10] 5531 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203449; rev:1;) alert tcp $HOME_NET any -> [46.21.248.108] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203450; rev:1;) alert tcp $HOME_NET any -> [160.202.163.242] 2000 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203451; rev:1;) alert tcp $HOME_NET any -> [194.68.59.33] 7321 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203452; rev:1;) alert tcp $HOME_NET any -> [137.74.157.90] 2020 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203453; rev:1;) alert tcp $HOME_NET any -> [78.130.176.162] 5543 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203454; rev:1;) alert tcp $HOME_NET any -> [174.127.99.214] 1313 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203455; rev:1;) alert tcp $HOME_NET any -> [185.228.232.87] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203456; rev:1;) alert tcp $HOME_NET any -> [77.244.215.158] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203457; rev:1;) alert tcp $HOME_NET any -> [37.230.115.201] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203458; rev:1;) alert tcp $HOME_NET any -> [62.109.27.157] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203459; rev:1;) alert tcp $HOME_NET any -> [94.250.252.22] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203460; rev:1;) alert tcp $HOME_NET any -> [174.127.99.165] 1010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203461; rev:1;) alert tcp $HOME_NET any -> [194.87.95.2] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203462; rev:1;) alert tcp $HOME_NET any -> [91.192.100.60] 1985 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203463; rev:1;) alert tcp $HOME_NET any -> [185.84.181.99] 2258 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203464; rev:1;) alert tcp $HOME_NET any -> [191.101.22.24] 4914 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203465; rev:1;) alert tcp $HOME_NET any -> [23.105.131.192] 1010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203466; rev:1;) alert tcp $HOME_NET any -> [216.38.7.252] 8585 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203467; rev:1;) alert tcp $HOME_NET any -> [185.56.90.79] 2000 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203468; rev:1;) alert tcp $HOME_NET any -> [95.140.125.34] 2888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203469; rev:1;) alert tcp $HOME_NET any -> [94.103.82.18] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203470; rev:1;) alert tcp $HOME_NET any -> [95.213.194.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203471; rev:1;) alert tcp $HOME_NET any -> [45.77.82.205] 2002 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203472; rev:1;) alert tcp $HOME_NET any -> [185.227.83.45] 6890 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203473; rev:1;) alert tcp $HOME_NET any -> [149.255.36.229] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203474; rev:1;) alert tcp $HOME_NET any -> [78.155.218.18] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203475; rev:1;) alert tcp $HOME_NET any -> [178.175.138.200] 1722 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203476; rev:1;) alert tcp $HOME_NET any -> [191.101.22.139] 18993 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203477; rev:1;) alert tcp $HOME_NET any -> [154.16.93.177] 3465 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203478; rev:1;) alert tcp $HOME_NET any -> [185.186.244.86] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203479; rev:1;) alert tcp $HOME_NET any -> [181.215.247.126] 4201 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203480; rev:1;) alert tcp $HOME_NET any -> [185.171.25.6] 1985 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203481; rev:1;) alert tcp $HOME_NET any -> [77.48.28.226] 7383 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203482; rev:1;) alert tcp $HOME_NET any -> [185.227.83.36] 3939 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203483; rev:1;) alert tcp $HOME_NET any -> [185.236.130.123] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203484; rev:1;) alert tcp $HOME_NET any -> [95.140.125.72] 2555 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203485; rev:1;) alert tcp $HOME_NET any -> [23.105.131.132] 1010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203486; rev:1;) alert tcp $HOME_NET any -> [213.183.58.36] 6466 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203487; rev:1;) alert tcp $HOME_NET any -> [95.140.125.115] 1010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203488; rev:1;) alert tcp $HOME_NET any -> [205.178.144.133] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203489; rev:1;) alert tcp $HOME_NET any -> [85.214.62.153] 4143 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203490; rev:1;) alert tcp $HOME_NET any -> [213.208.129.199] 3422 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203491; rev:1;) alert tcp $HOME_NET any -> [94.242.57.57] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Cobalt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203492; rev:1;) alert tcp $HOME_NET any -> [213.152.162.165] 34071 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203493; rev:1;) alert tcp $HOME_NET any -> [23.105.131.159] 1002 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203494; rev:1;) alert tcp $HOME_NET any -> [185.171.25.10] 5534 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203495; rev:1;) alert tcp $HOME_NET any -> [213.208.129.203] 100 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203496; rev:1;) alert tcp $HOME_NET any -> [185.236.130.28] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203497; rev:1;) alert tcp $HOME_NET any -> [91.192.100.27] 6042 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203498; rev:1;) alert tcp $HOME_NET any -> [185.236.130.122] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203499; rev:1;) alert tcp $HOME_NET any -> [185.62.188.94] 49575 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203500; rev:1;) alert tcp $HOME_NET any -> [174.127.99.139] 2888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203501; rev:1;) alert tcp $HOME_NET any -> [91.192.100.20] 8088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203502; rev:1;) alert tcp $HOME_NET any -> [92.53.78.158] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203503; rev:1;) alert tcp $HOME_NET any -> [91.192.100.19] 4101 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203504; rev:1;) alert tcp $HOME_NET any -> [216.38.7.248] 1212 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203505; rev:1;) alert tcp $HOME_NET any -> [185.145.45.81] 2888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203506; rev:1;) alert tcp $HOME_NET any -> [185.227.83.36] 1956 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203507; rev:1;) alert tcp $HOME_NET any -> [176.10.100.157] 3020 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203508; rev:1;) alert tcp $HOME_NET any -> [174.127.99.175] 7039 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203509; rev:1;) alert tcp $HOME_NET any -> [146.255.79.167] 4343 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203510; rev:1;) alert tcp $HOME_NET any -> [60.50.229.87] 9349 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203511; rev:1;) alert tcp $HOME_NET any -> [91.192.100.26] 8102 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203512; rev:1;) alert tcp $HOME_NET any -> [144.217.20.62] 2525 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203513; rev:1;) alert tcp $HOME_NET any -> [191.101.27.3] 4933 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203514; rev:1;) alert tcp $HOME_NET any -> [23.105.131.191] 8088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203515; rev:1;) alert tcp $HOME_NET any -> [213.183.58.53] 6643 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203516; rev:1;) alert tcp $HOME_NET any -> [191.101.22.29] 53826 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203517; rev:1;) alert tcp $HOME_NET any -> [91.192.100.2] 4914 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203518; rev:1;) alert tcp $HOME_NET any -> [219.92.131.188] 3255 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203519; rev:1;) alert tcp $HOME_NET any -> [185.227.83.52] 70 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203520; rev:1;) alert tcp $HOME_NET any -> [176.10.100.155] 6789 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203521; rev:1;) alert tcp $HOME_NET any -> [78.130.176.178] 9000 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203522; rev:1;) alert tcp $HOME_NET any -> [195.133.144.162] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203523; rev:1;) alert tcp $HOME_NET any -> [92.53.77.125] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203524; rev:1;) alert tcp $HOME_NET any -> [78.130.176.186] 8181 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203525; rev:1;) alert tcp $HOME_NET any -> [109.234.36.11] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203526; rev:1;) alert tcp $HOME_NET any -> [91.192.100.43] 1991 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203527; rev:1;) alert tcp $HOME_NET any -> [79.172.242.97] 3917 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203528; rev:1;) alert tcp $HOME_NET any -> [194.68.59.34] 3366 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203529; rev:1;) alert tcp $HOME_NET any -> [67.215.9.226] 5680 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203530; rev:1;) alert tcp $HOME_NET any -> [185.227.83.52] 7110 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203531; rev:1;) alert tcp $HOME_NET any -> [89.35.228.196] 1989 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203532; rev:1;) alert tcp $HOME_NET any -> [62.102.148.156] 64271 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203533; rev:1;) alert tcp $HOME_NET any -> [178.175.138.231] 8181 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203534; rev:1;) alert tcp $HOME_NET any -> [194.68.59.38] 10101 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203535; rev:1;) alert tcp $HOME_NET any -> [185.24.232.164] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203536; rev:1;) alert tcp $HOME_NET any -> [195.133.1.211] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203537; rev:1;) alert tcp $HOME_NET any -> [185.171.25.28] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203538; rev:1;) alert tcp $HOME_NET any -> [185.29.8.119] 2020 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203539; rev:1;) alert tcp $HOME_NET any -> [185.101.34.90] 1789 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203540; rev:1;) alert tcp $HOME_NET any -> [185.171.25.8] 1313 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203541; rev:1;) alert tcp $HOME_NET any -> [137.74.157.92] 2020 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203542; rev:1;) alert tcp $HOME_NET any -> [185.163.45.48] 1992 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203543; rev:1;) alert tcp $HOME_NET any -> [185.145.45.9] 2526 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203544; rev:1;) alert tcp $HOME_NET any -> [185.171.25.11] 1010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203545; rev:1;) alert tcp $HOME_NET any -> [91.192.100.62] 6789 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203546; rev:1;) alert tcp $HOME_NET any -> [154.16.93.178] 5678 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203547; rev:1;) alert tcp $HOME_NET any -> [185.45.192.185] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203548; rev:1;) alert tcp $HOME_NET any -> [69.124.38.159] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203549; rev:1;) alert tcp $HOME_NET any -> [95.213.204.124] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203550; rev:1;) alert tcp $HOME_NET any -> [185.227.83.43] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203551; rev:1;) alert tcp $HOME_NET any -> [5.196.121.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203552; rev:1;) alert tcp $HOME_NET any -> [213.183.58.37] 1818 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203553; rev:1;) alert tcp $HOME_NET any -> [191.101.22.5] 4040 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203554; rev:1;) alert tcp $HOME_NET any -> [178.175.138.209] 1987 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203555; rev:1;) alert tcp $HOME_NET any -> [185.227.83.54] 4781 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203556; rev:1;) alert tcp $HOME_NET any -> [84.200.84.224] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203557; rev:1;) alert tcp $HOME_NET any -> [185.209.85.70] 1010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203558; rev:1;) alert tcp $HOME_NET any -> [185.171.25.28] 7119 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203559; rev:1;) alert tcp $HOME_NET any -> [185.227.83.35] 1010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203560; rev:1;) alert tcp $HOME_NET any -> [178.175.138.146] 1987 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203561; rev:1;) alert tcp $HOME_NET any -> [84.38.135.148] 7777 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203562; rev:1;) alert tcp $HOME_NET any -> [185.227.83.38] 2019 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203563; rev:1;) alert tcp $HOME_NET any -> [191.101.22.86] 8181 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203564; rev:1;) alert tcp $HOME_NET any -> [79.172.242.33] 7037 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203565; rev:1;) alert tcp $HOME_NET any -> [95.141.43.194] 3333 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203566; rev:1;) alert tcp $HOME_NET any -> [185.145.45.33] 32266 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203567; rev:1;) alert tcp $HOME_NET any -> [103.68.223.149] 1991 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203568; rev:1;) alert tcp $HOME_NET any -> [23.105.131.186] 4455 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203569; rev:1;) alert tcp $HOME_NET any -> [95.141.43.197] 2212 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203570; rev:1;) alert tcp $HOME_NET any -> [185.209.85.69] 3940 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203571; rev:1;) alert tcp $HOME_NET any -> [45.32.24.40] 3033 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203572; rev:1;) alert tcp $HOME_NET any -> [91.192.100.44] 7075 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203573; rev:1;) alert tcp $HOME_NET any -> [185.171.25.8] 2103 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203574; rev:1;) alert tcp $HOME_NET any -> [69.64.251.41] 2565 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203575; rev:1;) alert tcp $HOME_NET any -> [178.124.140.154] 1994 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203576; rev:1;) alert tcp $HOME_NET any -> [185.209.85.177] 3076 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203577; rev:1;) alert tcp $HOME_NET any -> [173.254.223.83] 5434 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203578; rev:1;) alert tcp $HOME_NET any -> [79.172.242.94] 6692 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203579; rev:1;) alert tcp $HOME_NET any -> [160.202.163.200] 1991 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203580; rev:1;) alert tcp $HOME_NET any -> [185.189.112.157] 3040 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203581; rev:1;) alert tcp $HOME_NET any -> [185.208.211.171] 7119 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203582; rev:1;) alert tcp $HOME_NET any -> [212.14.51.43] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203583; rev:1;) alert tcp $HOME_NET any -> [78.155.219.55] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203584; rev:1;) alert tcp $HOME_NET any -> [185.24.232.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203585; rev:1;) alert tcp $HOME_NET any -> [179.43.147.247] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203586; rev:1;) alert tcp $HOME_NET any -> [194.87.239.78] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203587; rev:1;) alert tcp $HOME_NET any -> [178.33.108.70] 2050 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203588; rev:1;) alert tcp $HOME_NET any -> [173.212.248.207] 5051 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203589; rev:1;) alert tcp $HOME_NET any -> [89.45.67.21] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203590; rev:1;) alert tcp $HOME_NET any -> [92.114.92.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203591; rev:1;) alert tcp $HOME_NET any -> [185.212.149.47] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203592; rev:1;) alert tcp $HOME_NET any -> [174.127.99.218] 8088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203593; rev:1;) alert tcp $HOME_NET any -> [185.211.247.31] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203594; rev:1;) alert tcp $HOME_NET any -> [185.175.158.202] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Cobalt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203595; rev:1;) alert tcp $HOME_NET any -> [91.192.100.25] 7799 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203596; rev:1;) alert tcp $HOME_NET any -> [185.140.53.81] 1810 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203597; rev:1;) alert tcp $HOME_NET any -> [212.14.51.56] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203598; rev:1;) alert tcp $HOME_NET any -> [212.92.98.7] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203599; rev:1;) alert tcp $HOME_NET any -> [206.255.220.53] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203600; rev:1;) alert tcp $HOME_NET any -> [95.140.125.122] 7499 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203601; rev:1;) alert tcp $HOME_NET any -> [160.202.163.240] 8877 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203602; rev:1;) alert tcp $HOME_NET any -> [194.87.237.93] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203603; rev:1;) alert tcp $HOME_NET any -> [194.87.234.173] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203604; rev:1;) alert tcp $HOME_NET any -> [195.133.144.185] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203605; rev:1;) alert tcp $HOME_NET any -> [5.187.49.225] 8088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203606; rev:1;) alert tcp $HOME_NET any -> [185.145.44.174] 1313 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203607; rev:1;) alert tcp $HOME_NET any -> [45.113.70.163] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203608; rev:1;) alert tcp $HOME_NET any -> [78.130.176.198] 7798 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203609; rev:1;) alert tcp $HOME_NET any -> [185.208.211.33] 2060 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203610; rev:1;) alert tcp $HOME_NET any -> [213.183.58.33] 1996 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203611; rev:1;) alert tcp $HOME_NET any -> [5.133.179.117] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203612; rev:1;) alert tcp $HOME_NET any -> [213.183.58.6] 2378 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203613; rev:1;) alert tcp $HOME_NET any -> [213.183.58.49] 7741 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203614; rev:1;) alert tcp $HOME_NET any -> [185.48.239.33] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203615; rev:1;) alert tcp $HOME_NET any -> [213.152.162.84] 56293 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203616; rev:1;) alert tcp $HOME_NET any -> [176.223.111.157] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203617; rev:1;) alert tcp $HOME_NET any -> [212.92.98.106] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203618; rev:1;) alert tcp $HOME_NET any -> [213.183.58.36] 6774 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203619; rev:1;) alert tcp $HOME_NET any -> [31.171.155.33] 1215 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203620; rev:1;) alert tcp $HOME_NET any -> [210.187.214.162] 9349 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203621; rev:1;) alert tcp $HOME_NET any -> [194.87.235.92] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203622; rev:1;) alert tcp $HOME_NET any -> [91.192.100.5] 8877 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203623; rev:1;) alert tcp $HOME_NET any -> [46.21.249.52] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203624; rev:1;) alert tcp $HOME_NET any -> [194.87.236.45] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203625; rev:1;) alert tcp $HOME_NET any -> [81.169.128.232] 4743 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203626; rev:1;) alert tcp $HOME_NET any -> [37.187.54.76] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203627; rev:1;) alert tcp $HOME_NET any -> [89.35.228.199] 2067 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203628; rev:1;) alert tcp $HOME_NET any -> [81.176.239.167] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203629; rev:1;) alert tcp $HOME_NET any -> [181.175.124.212] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203630; rev:1;) alert tcp $HOME_NET any -> [95.46.8.65] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Cobalt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203631; rev:1;) alert tcp $HOME_NET any -> [185.68.93.41] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203632; rev:1;) alert tcp $HOME_NET any -> [86.105.18.64] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203633; rev:1;) alert tcp $HOME_NET any -> [185.212.149.48] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203634; rev:1;) alert tcp $HOME_NET any -> [185.227.83.36] 7575 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203635; rev:1;) alert tcp $HOME_NET any -> [91.243.80.21] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203636; rev:1;) alert tcp $HOME_NET any -> [23.105.131.148] 4001 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203637; rev:1;) alert tcp $HOME_NET any -> [46.148.26.106] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203638; rev:1;) alert tcp $HOME_NET any -> [185.228.233.229] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203639; rev:1;) alert tcp $HOME_NET any -> [91.221.36.71] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203640; rev:1;) alert tcp $HOME_NET any -> [37.220.31.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203641; rev:1;) alert tcp $HOME_NET any -> [109.234.35.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203642; rev:1;) alert tcp $HOME_NET any -> [199.247.7.16] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203643; rev:1;) alert tcp $HOME_NET any -> [192.71.247.158] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203644; rev:1;) alert tcp $HOME_NET any -> [185.209.85.73] 2141 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203645; rev:1;) alert tcp $HOME_NET any -> [89.248.171.38] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203646; rev:1;) alert tcp $HOME_NET any -> [45.77.61.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203647; rev:1;) alert tcp $HOME_NET any -> [134.0.115.63] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203648; rev:1;) alert tcp $HOME_NET any -> [5.63.158.236] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203649; rev:1;) alert tcp $HOME_NET any -> [46.249.62.219] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203650; rev:1;) alert tcp $HOME_NET any -> [185.246.65.222] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203651; rev:1;) alert tcp $HOME_NET any -> [46.249.62.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203652; rev:1;) alert tcp $HOME_NET any -> [46.21.249.49] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203653; rev:1;) alert tcp $HOME_NET any -> [178.170.244.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203654; rev:1;) alert tcp $HOME_NET any -> [138.128.5.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203655; rev:1;) alert tcp $HOME_NET any -> [94.177.12.145] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203656; rev:1;) alert tcp $HOME_NET any -> [91.243.80.131] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203657; rev:1;) alert tcp $HOME_NET any -> [5.255.94.80] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203658; rev:1;) alert tcp $HOME_NET any -> [217.63.197.185] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203659; rev:1;) alert tcp $HOME_NET any -> [195.133.146.156] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203660; rev:1;) alert tcp $HOME_NET any -> [185.180.197.58] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203661; rev:1;) alert tcp $HOME_NET any -> [185.180.196.99] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203662; rev:1;) alert tcp $HOME_NET any -> [185.209.85.75] 7768 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203663; rev:1;) alert tcp $HOME_NET any -> [212.14.51.56] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203664; rev:1;) alert tcp $HOME_NET any -> [185.180.196.109] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203665; rev:1;) alert tcp $HOME_NET any -> [31.172.177.90] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203666; rev:1;) alert tcp $HOME_NET any -> [31.134.60.181] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203667; rev:1;) alert tcp $HOME_NET any -> [46.28.204.81] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely QuantLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203668; rev:1;) alert tcp $HOME_NET any -> [192.251.231.14] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203669; rev:1;) alert tcp $HOME_NET any -> [5.8.88.166] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203670; rev:1;) alert tcp $HOME_NET any -> [66.70.218.34] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203671; rev:1;) alert tcp $HOME_NET any -> [82.202.226.62] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203672; rev:1;) alert tcp $HOME_NET any -> [185.55.64.47] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203673; rev:1;) alert tcp $HOME_NET any -> [109.234.35.3] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203674; rev:1;) alert tcp $HOME_NET any -> [23.105.131.139] 2023 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203675; rev:1;) alert tcp $HOME_NET any -> [109.173.183.245] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203676; rev:1;) alert tcp $HOME_NET any -> [81.227.0.215] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203677; rev:1;) alert tcp $HOME_NET any -> [85.143.175.248] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203678; rev:1;) alert tcp $HOME_NET any -> [86.105.1.116] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203679; rev:1;) alert tcp $HOME_NET any -> [5.188.231.226] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203680; rev:1;) alert tcp $HOME_NET any -> [91.243.81.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203681; rev:1;) alert tcp $HOME_NET any -> [31.131.26.13] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203682; rev:1;) alert tcp $HOME_NET any -> [86.105.18.236] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203683; rev:1;) alert tcp $HOME_NET any -> [195.123.233.83] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203684; rev:1;) alert tcp $HOME_NET any -> [178.209.40.104] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203685; rev:1;) alert tcp $HOME_NET any -> [82.214.141.134] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203686; rev:1;) alert tcp $HOME_NET any -> [186.2.168.150] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely QuantLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203687; rev:1;) alert tcp $HOME_NET any -> [199.247.31.200] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203688; rev:1;) alert tcp $HOME_NET any -> [109.95.113.130] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203689; rev:1;) alert tcp $HOME_NET any -> [185.228.232.215] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203690; rev:1;) alert tcp $HOME_NET any -> [92.53.78.236] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203691; rev:1;) alert tcp $HOME_NET any -> [188.227.72.195] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203692; rev:1;) alert tcp $HOME_NET any -> [93.95.97.136] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203693; rev:1;) alert tcp $HOME_NET any -> [195.123.213.188] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203694; rev:1;) alert tcp $HOME_NET any -> [85.222.109.54] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203695; rev:1;) alert tcp $HOME_NET any -> [82.146.59.117] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203696; rev:1;) alert tcp $HOME_NET any -> [31.131.27.106] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203697; rev:1;) alert tcp $HOME_NET any -> [178.32.52.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203698; rev:1;) alert tcp $HOME_NET any -> [192.95.35.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203699; rev:1;) alert tcp $HOME_NET any -> [95.181.179.96] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203700; rev:1;) alert tcp $HOME_NET any -> [185.228.232.14] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203701; rev:1;) alert tcp $HOME_NET any -> [185.56.90.77] 19000 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203702; rev:1;) alert tcp $HOME_NET any -> [93.181.186.127] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203703; rev:1;) alert tcp $HOME_NET any -> [185.174.173.116] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203704; rev:1;) alert tcp $HOME_NET any -> [185.159.128.75] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203705; rev:1;) alert tcp $HOME_NET any -> [31.134.52.42] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203706; rev:1;) alert tcp $HOME_NET any -> [109.234.35.230] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203707; rev:1;) alert tcp $HOME_NET any -> [95.213.235.54] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203708; rev:1;) alert tcp $HOME_NET any -> [94.230.20.47] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203709; rev:1;) alert tcp $HOME_NET any -> [109.234.38.199] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203710; rev:1;) alert tcp $HOME_NET any -> [192.225.226.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203711; rev:1;) alert tcp $HOME_NET any -> [78.155.206.228] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203712; rev:1;) alert tcp $HOME_NET any -> [31.41.81.47] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203713; rev:1;) alert tcp $HOME_NET any -> [195.133.147.9] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203714; rev:1;) alert tcp $HOME_NET any -> [185.158.155.56] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203715; rev:1;) alert tcp $HOME_NET any -> [85.143.221.60] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203716; rev:1;) alert tcp $HOME_NET any -> [195.123.216.102] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203717; rev:1;) alert tcp $HOME_NET any -> [193.233.62.127] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203718; rev:1;) alert tcp $HOME_NET any -> [185.26.174.189] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203719; rev:1;) alert tcp $HOME_NET any -> [195.133.196.2] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203720; rev:1;) alert tcp $HOME_NET any -> [92.53.91.229] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203721; rev:1;) alert tcp $HOME_NET any -> [86.23.59.198] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203722; rev:1;) alert tcp $HOME_NET any -> [89.223.24.221] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203723; rev:1;) alert tcp $HOME_NET any -> [207.140.15.87] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203724; rev:1;) alert tcp $HOME_NET any -> [185.159.128.158] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203725; rev:1;) alert tcp $HOME_NET any -> [94.103.82.65] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203726; rev:1;) alert tcp $HOME_NET any -> [89.37.56.24] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203727; rev:1;) alert tcp $HOME_NET any -> [185.249.254.45] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203728; rev:1;) alert tcp $HOME_NET any -> [189.84.125.37] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203729; rev:1;) alert tcp $HOME_NET any -> [85.143.222.45] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203730; rev:1;) alert tcp $HOME_NET any -> [146.185.254.16] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203731; rev:1;) alert tcp $HOME_NET any -> [146.255.79.186] 5030 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203732; rev:1;) alert tcp $HOME_NET any -> [69.122.117.95] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203733; rev:1;) alert tcp $HOME_NET any -> [92.53.78.213] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203734; rev:1;) alert tcp $HOME_NET any -> [65.123.48.221] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203735; rev:1;) alert tcp $HOME_NET any -> [95.213.252.10] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203736; rev:1;) alert tcp $HOME_NET any -> [93.181.186.127] 451 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203737; rev:1;) alert tcp $HOME_NET any -> [85.143.214.12] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203738; rev:1;) alert tcp $HOME_NET any -> [185.243.131.63] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203739; rev:1;) alert tcp $HOME_NET any -> [176.121.215.149] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203740; rev:1;) alert tcp $HOME_NET any -> [94.103.82.78] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203741; rev:1;) alert tcp $HOME_NET any -> [37.230.114.136] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203742; rev:1;) alert tcp $HOME_NET any -> [185.26.174.189] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203743; rev:1;) alert tcp $HOME_NET any -> [90.63.223.63] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203744; rev:1;) alert tcp $HOME_NET any -> [109.234.37.114] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203745; rev:1;) alert tcp $HOME_NET any -> [185.159.129.10] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203746; rev:1;) alert tcp $HOME_NET any -> [85.143.173.177] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203747; rev:1;) alert tcp $HOME_NET any -> [109.234.39.242] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203748; rev:1;) alert tcp $HOME_NET any -> [91.243.80.109] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203749; rev:1;) alert tcp $HOME_NET any -> [176.122.20.28] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203750; rev:1;) alert tcp $HOME_NET any -> [194.87.103.45] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203751; rev:1;) alert tcp $HOME_NET any -> [94.103.80.27] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203752; rev:1;) alert tcp $HOME_NET any -> [130.180.89.70] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203753; rev:1;) alert tcp $HOME_NET any -> [70.91.134.61] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203754; rev:1;) alert tcp $HOME_NET any -> [86.105.1.15] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203755; rev:1;) alert tcp $HOME_NET any -> [185.228.233.23] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203756; rev:1;) alert tcp $HOME_NET any -> [137.74.159.36] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203757; rev:1;) alert tcp $HOME_NET any -> [91.206.4.216] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203758; rev:1;) alert tcp $HOME_NET any -> [185.228.232.218] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203759; rev:1;) alert tcp $HOME_NET any -> [118.91.178.106] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203760; rev:1;) alert tcp $HOME_NET any -> [95.213.204.217] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203761; rev:1;) alert tcp $HOME_NET any -> [185.223.95.108] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203762; rev:1;) alert tcp $HOME_NET any -> [94.103.81.11] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203763; rev:1;) alert tcp $HOME_NET any -> [109.234.38.128] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203764; rev:1;) alert tcp $HOME_NET any -> [195.136.226.11] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203765; rev:1;) alert tcp $HOME_NET any -> [46.20.207.204] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203766; rev:1;) alert tcp $HOME_NET any -> [185.223.95.66] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203767; rev:1;) alert tcp $HOME_NET any -> [68.96.73.154] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203768; rev:1;) alert tcp $HOME_NET any -> [95.213.252.243] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203769; rev:1;) alert tcp $HOME_NET any -> [173.220.6.194] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203770; rev:1;) alert tcp $HOME_NET any -> [185.159.128.224] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203771; rev:1;) alert tcp $HOME_NET any -> [185.42.192.194] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203772; rev:1;) alert tcp $HOME_NET any -> [179.107.89.145] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203773; rev:1;) alert tcp $HOME_NET any -> [78.155.199.161] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203774; rev:1;) alert tcp $HOME_NET any -> [185.249.255.172] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203775; rev:1;) alert tcp $HOME_NET any -> [185.228.233.133] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203776; rev:1;) alert tcp $HOME_NET any -> [185.228.233.185] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203777; rev:1;) alert tcp $HOME_NET any -> [195.123.237.208] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203778; rev:1;) alert tcp $HOME_NET any -> [195.133.48.9] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203779; rev:1;) alert tcp $HOME_NET any -> [109.95.114.28] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203780; rev:1;) alert tcp $HOME_NET any -> [82.146.62.102] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203781; rev:1;) alert tcp $HOME_NET any -> [92.53.91.229] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203782; rev:1;) alert tcp $HOME_NET any -> [86.105.1.151] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203783; rev:1;) alert tcp $HOME_NET any -> [194.87.111.48] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203784; rev:1;) alert tcp $HOME_NET any -> [176.32.33.9] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203785; rev:1;) alert tcp $HOME_NET any -> [144.48.51.8] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203786; rev:1;) alert tcp $HOME_NET any -> [89.37.226.157] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203787; rev:1;) alert tcp $HOME_NET any -> [193.0.179.140] 80 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203788; rev:1;) alert tcp $HOME_NET any -> [172.86.120.111] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203789; rev:1;) alert tcp $HOME_NET any -> [193.233.62.145] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203790; rev:1;) alert tcp $HOME_NET any -> [185.236.130.126] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203791; rev:1;) alert tcp $HOME_NET any -> [191.6.18.166] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203792; rev:1;) alert tcp $HOME_NET any -> [46.21.249.211] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203793; rev:1;) alert tcp $HOME_NET any -> [203.86.222.142] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203794; rev:1;) alert tcp $HOME_NET any -> [95.161.180.42] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203795; rev:1;) alert tcp $HOME_NET any -> [188.209.52.62] 49575 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203796; rev:1;) alert tcp $HOME_NET any -> [185.209.85.71] 4181 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203797; rev:1;) alert tcp $HOME_NET any -> [212.92.98.179] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203798; rev:1;) alert tcp $HOME_NET any -> [185.68.93.12] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203799; rev:1;) alert tcp $HOME_NET any -> [185.4.29.143] 7962 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203800; rev:1;) alert tcp $HOME_NET any -> [92.53.67.190] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203801; rev:1;) alert tcp $HOME_NET any -> [185.174.175.14] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203802; rev:1;) alert tcp $HOME_NET any -> [91.192.100.33] 3917 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203803; rev:1;) alert tcp $HOME_NET any -> [146.255.79.161] 8475 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203804; rev:1;) alert tcp $HOME_NET any -> [81.177.255.76] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203805; rev:1;) alert tcp $HOME_NET any -> [162.244.32.217] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203806; rev:1;) alert tcp $HOME_NET any -> [68.227.31.46] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203807; rev:1;) alert tcp $HOME_NET any -> [80.87.195.120] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203808; rev:1;) alert tcp $HOME_NET any -> [185.159.128.236] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203809; rev:1;) alert tcp $HOME_NET any -> [185.208.211.64] 7366 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203810; rev:1;) alert tcp $HOME_NET any -> [37.230.112.67] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203811; rev:1;) alert tcp $HOME_NET any -> [185.209.85.72] 8970 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203812; rev:1;) alert tcp $HOME_NET any -> [185.209.85.186] 3821 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203813; rev:1;) alert tcp $HOME_NET any -> [85.143.214.226] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203814; rev:1;) alert tcp $HOME_NET any -> [85.217.170.201] 4535 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203815; rev:1;) alert tcp $HOME_NET any -> [5.102.177.205] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203816; rev:1;) alert tcp $HOME_NET any -> [194.68.59.70] 3288 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203817; rev:1;) alert tcp $HOME_NET any -> [46.148.26.11] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203818; rev:1;) alert tcp $HOME_NET any -> [185.209.85.69] 2019 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203819; rev:1;) alert tcp $HOME_NET any -> [194.87.238.137] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203820; rev:1;) alert tcp $HOME_NET any -> [185.148.241.35] 8181 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203821; rev:1;) alert tcp $HOME_NET any -> [109.234.37.89] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203822; rev:1;) alert tcp $HOME_NET any -> [185.159.129.149] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203823; rev:1;) alert tcp $HOME_NET any -> [107.144.49.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203824; rev:1;) alert tcp $HOME_NET any -> [195.54.162.77] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203825; rev:1;) alert tcp $HOME_NET any -> [185.208.211.102] 3661 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203826; rev:1;) alert tcp $HOME_NET any -> [185.209.85.181] 5541 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203827; rev:1;) alert tcp $HOME_NET any -> [185.208.211.48] 2888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203828; rev:1;) alert tcp $HOME_NET any -> [185.249.255.77] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203829; rev:1;) alert tcp $HOME_NET any -> [82.202.236.81] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203830; rev:1;) alert tcp $HOME_NET any -> [203.86.222.142] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203831; rev:1;) alert tcp $HOME_NET any -> [209.121.142.202] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203832; rev:1;) alert tcp $HOME_NET any -> [92.53.66.161] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203833; rev:1;) alert tcp $HOME_NET any -> [181.215.247.24] 6789 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203834; rev:1;) alert tcp $HOME_NET any -> [185.208.211.156] 2888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203835; rev:1;) alert tcp $HOME_NET any -> [185.228.233.169] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203836; rev:1;) alert tcp $HOME_NET any -> [185.209.85.71] 7171 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203837; rev:1;) alert tcp $HOME_NET any -> [185.209.85.66] 1985 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203838; rev:1;) alert tcp $HOME_NET any -> [208.75.117.70] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203839; rev:1;) alert tcp $HOME_NET any -> [185.174.172.226] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203840; rev:1;) alert tcp $HOME_NET any -> [62.109.18.210] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203841; rev:1;) alert tcp $HOME_NET any -> [46.243.179.212] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203842; rev:1;) alert tcp $HOME_NET any -> [80.87.195.247] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203843; rev:1;) alert tcp $HOME_NET any -> [185.243.131.171] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203844; rev:1;) alert tcp $HOME_NET any -> [185.209.85.180] 2050 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203845; rev:1;) alert tcp $HOME_NET any -> [94.112.52.197] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203846; rev:1;) alert tcp $HOME_NET any -> [185.227.83.53] 2557 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203847; rev:1;) alert tcp $HOME_NET any -> [181.215.247.5] 2442 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203848; rev:1;) alert tcp $HOME_NET any -> [185.208.211.60] 586 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203849; rev:1;) alert tcp $HOME_NET any -> [92.55.251.211] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203850; rev:1;) alert tcp $HOME_NET any -> [185.209.85.182] 7063 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203851; rev:1;) alert tcp $HOME_NET any -> [185.148.241.36] 2071 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203852; rev:1;) alert tcp $HOME_NET any -> [185.209.85.186] 6022 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203853; rev:1;) alert tcp $HOME_NET any -> [172.81.133.35] 1989 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203854; rev:1;) alert tcp $HOME_NET any -> [185.159.130.87] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203855; rev:1;) alert tcp $HOME_NET any -> [46.72.175.17] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203856; rev:1;) alert tcp $HOME_NET any -> [185.180.198.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203857; rev:1;) alert tcp $HOME_NET any -> [154.127.59.97] 1780 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203858; rev:1;) alert tcp $HOME_NET any -> [185.84.181.72] 4040 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203859; rev:1;) alert tcp $HOME_NET any -> [185.220.68.230] 1989 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203860; rev:1;) alert tcp $HOME_NET any -> [91.192.100.36] 2675 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203861; rev:1;) alert tcp $HOME_NET any -> [109.234.35.166] 447 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203862; rev:1;) alert tcp $HOME_NET any -> [74.118.139.79] 1414 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203863; rev:1;) alert tcp $HOME_NET any -> [172.94.47.7] 6014 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203864; rev:1;) alert tcp $HOME_NET any -> [185.148.241.41] 6540 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203865; rev:1;) alert tcp $HOME_NET any -> [185.48.56.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203866; rev:1;) alert tcp $HOME_NET any -> [5.187.0.158] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203867; rev:1;) alert tcp $HOME_NET any -> [209.121.142.214] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203868; rev:1;) alert tcp $HOME_NET any -> [185.227.83.52] 1987 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203869; rev:1;) alert tcp $HOME_NET any -> [185.227.83.55] 2675 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203870; rev:1;) alert tcp $HOME_NET any -> [71.85.72.9] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203871; rev:1;) alert tcp $HOME_NET any -> [85.143.174.206] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203872; rev:1;) alert tcp $HOME_NET any -> [194.68.59.69] 7791 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203873; rev:1;) alert tcp $HOME_NET any -> [80.53.57.146] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203874; rev:1;) alert tcp $HOME_NET any -> [83.168.83.29] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203875; rev:1;) alert tcp $HOME_NET any -> [66.232.212.59] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203876; rev:1;) alert tcp $HOME_NET any -> [93.170.123.78] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203877; rev:1;) alert tcp $HOME_NET any -> [109.86.227.152] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203878; rev:1;) alert tcp $HOME_NET any -> [144.48.51.8] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203879; rev:1;) alert tcp $HOME_NET any -> [198.50.170.69] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203880; rev:1;) alert tcp $HOME_NET any -> [185.125.205.70] 2060 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203881; rev:1;) alert tcp $HOME_NET any -> [91.192.100.57] 5050 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203882; rev:1;) alert tcp $HOME_NET any -> [185.117.75.121] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203883; rev:1;) alert tcp $HOME_NET any -> [185.208.211.199] 8773 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203884; rev:1;) alert tcp $HOME_NET any -> [185.209.85.188] 3333 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203885; rev:1;) alert tcp $HOME_NET any -> [146.255.79.162] 1111 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203886; rev:1;) alert tcp $HOME_NET any -> [65.30.201.40] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203887; rev:1;) alert tcp $HOME_NET any -> [185.125.205.69] 6897 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203888; rev:1;) alert tcp $HOME_NET any -> [93.109.242.134] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203889; rev:1;) alert tcp $HOME_NET any -> [190.7.199.42] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203890; rev:1;) alert tcp $HOME_NET any -> [66.189.228.49] 995 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203891; rev:1;) alert tcp $HOME_NET any -> [185.168.185.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203892; rev:1;) alert tcp $HOME_NET any -> [185.148.241.59] 6692 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203893; rev:1;) alert tcp $HOME_NET any -> [109.234.35.177] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203894; rev:1;) alert tcp $HOME_NET any -> [46.173.218.66] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203895; rev:1;) alert tcp $HOME_NET any -> [185.141.62.100] 1010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203896; rev:1;) alert tcp $HOME_NET any -> [46.47.50.44] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203897; rev:1;) alert tcp $HOME_NET any -> [185.208.211.139] 1864 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203898; rev:1;) alert tcp $HOME_NET any -> [181.215.247.66] 8088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203899; rev:1;) alert tcp $HOME_NET any -> [158.58.131.54] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203900; rev:1;) alert tcp $HOME_NET any -> [103.43.75.105] 1972 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203901; rev:1;) alert tcp $HOME_NET any -> [181.215.247.208] 20903 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203902; rev:1;) alert tcp $HOME_NET any -> [185.209.85.65] 4040 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203903; rev:1;) alert tcp $HOME_NET any -> [200.111.167.227] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203904; rev:1;) alert tcp $HOME_NET any -> [185.209.85.183] 5888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203905; rev:1;) alert tcp $HOME_NET any -> [185.148.241.51] 3011 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203906; rev:1;) alert tcp $HOME_NET any -> [24.228.185.224] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203907; rev:1;) alert tcp $HOME_NET any -> [77.246.158.28] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203908; rev:1;) alert tcp $HOME_NET any -> [70.169.12.141] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203909; rev:1;) alert tcp $HOME_NET any -> [182.253.210.130] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203910; rev:1;) alert tcp $HOME_NET any -> [85.143.202.82] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203911; rev:1;) alert tcp $HOME_NET any -> [87.255.24.238] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203912; rev:1;) alert tcp $HOME_NET any -> [146.255.79.181] 1818 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203913; rev:1;) alert tcp $HOME_NET any -> [190.4.189.129] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203914; rev:1;) alert tcp $HOME_NET any -> [185.208.211.76] 3033 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203915; rev:1;) alert tcp $HOME_NET any -> [181.215.247.51] 5030 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203916; rev:1;) alert tcp $HOME_NET any -> [104.247.219.27] 1717 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203917; rev:1;) alert tcp $HOME_NET any -> [185.209.85.64] 4001 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203918; rev:1;) alert tcp $HOME_NET any -> [155.133.31.21] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203919; rev:1;) alert tcp $HOME_NET any -> [206.123.145.108] 1010 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203920; rev:1;) alert tcp $HOME_NET any -> [66.98.121.192] 5555 (msg:"SSL Blacklist: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203921; rev:1;) alert tcp $HOME_NET any -> [181.215.247.89] 2543 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203922; rev:1;) alert tcp $HOME_NET any -> [185.208.211.218] 7751 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203923; rev:1;) alert tcp $HOME_NET any -> [185.208.211.2] 1818 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203924; rev:1;) alert tcp $HOME_NET any -> [204.16.247.51] 1414 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203925; rev:1;) alert tcp $HOME_NET any -> [146.255.79.180] 1177 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203926; rev:1;) alert tcp $HOME_NET any -> [46.21.154.83] 14486 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203927; rev:1;) alert tcp $HOME_NET any -> [185.209.85.180] 7890 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203928; rev:1;) alert tcp $HOME_NET any -> [188.124.167.132] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203929; rev:1;) alert tcp $HOME_NET any -> [185.148.241.53] 4545 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203930; rev:1;) alert tcp $HOME_NET any -> [185.209.85.66] 2675 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203931; rev:1;) alert tcp $HOME_NET any -> [185.209.85.186] 6420 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203932; rev:1;) alert tcp $HOME_NET any -> [185.148.241.41] 2888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203933; rev:1;) alert tcp $HOME_NET any -> [194.68.59.50] 2311 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203934; rev:1;) alert tcp $HOME_NET any -> [185.209.85.65] 7177 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203935; rev:1;) alert tcp $HOME_NET any -> [185.208.211.202] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203936; rev:1;) alert tcp $HOME_NET any -> [36.74.100.211] 449 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203937; rev:1;) alert tcp $HOME_NET any -> [185.209.85.75] 7219 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203938; rev:1;) alert tcp $HOME_NET any -> [185.208.211.137] 4546 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203939; rev:1;) alert tcp $HOME_NET any -> [41.211.9.226] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203940; rev:1;) alert tcp $HOME_NET any -> [138.34.32.218] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203941; rev:1;) alert tcp $HOME_NET any -> [185.209.85.67] 6969 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203942; rev:1;) alert tcp $HOME_NET any -> [185.148.241.58] 5050 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203943; rev:1;) alert tcp $HOME_NET any -> [144.76.237.29] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203944; rev:1;) alert tcp $HOME_NET any -> [181.174.165.162] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Neutrino C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203945; rev:1;) alert tcp $HOME_NET any -> [213.183.59.130] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203946; rev:1;) alert tcp $HOME_NET any -> [86.61.177.139] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203947; rev:1;) alert tcp $HOME_NET any -> [62.31.150.202] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203948; rev:1;) alert tcp $HOME_NET any -> [185.209.85.183] 90 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203949; rev:1;) alert tcp $HOME_NET any -> [91.192.100.16] 2888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203950; rev:1;) alert tcp $HOME_NET any -> [185.209.85.182] 2222 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203951; rev:1;) alert tcp $HOME_NET any -> [185.209.85.68] 2442 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203952; rev:1;) alert tcp $HOME_NET any -> [200.2.126.98] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203953; rev:1;) alert tcp $HOME_NET any -> [185.115.32.166] 2000 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203954; rev:1;) alert tcp $HOME_NET any -> [185.208.211.139] 4040 (msg:"SSL Blacklist: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203955; rev:1;) alert tcp $HOME_NET any -> [185.148.241.43] 8890 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203956; rev:1;) alert tcp $HOME_NET any -> [185.209.85.75] 2889 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203957; rev:1;) alert tcp $HOME_NET any -> [185.209.85.188] 665 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203958; rev:1;) alert tcp $HOME_NET any -> [181.215.247.33] 2343 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203959; rev:1;) alert tcp $HOME_NET any -> [185.208.211.12] 2097 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203960; rev:1;) alert tcp $HOME_NET any -> [181.215.247.211] 8890 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203961; rev:1;) alert tcp $HOME_NET any -> [185.208.211.42] 8088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203962; rev:1;) alert tcp $HOME_NET any -> [185.148.241.39] 5786 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203963; rev:1;) alert tcp $HOME_NET any -> [45.32.235.225] 1983 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203964; rev:1;) alert tcp $HOME_NET any -> [91.192.100.9] 1153 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203965; rev:1;) alert tcp $HOME_NET any -> [138.34.32.74] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203966; rev:1;) alert tcp $HOME_NET any -> [185.208.211.208] 7734 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203967; rev:1;) alert tcp $HOME_NET any -> [187.163.215.32] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203968; rev:1;) alert tcp $HOME_NET any -> [91.192.100.22] 8420 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203969; rev:1;) alert tcp $HOME_NET any -> [91.192.100.4] 1918 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203970; rev:1;) alert tcp $HOME_NET any -> [151.106.30.239] 1989 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203971; rev:1;) alert tcp $HOME_NET any -> [146.255.79.176] 1177 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203972; rev:1;) alert tcp $HOME_NET any -> [67.159.157.150] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203973; rev:1;) alert tcp $HOME_NET any -> [47.40.90.210] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203974; rev:1;) alert tcp $HOME_NET any -> [185.227.83.45] 5007 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203975; rev:1;) alert tcp $HOME_NET any -> [5.188.232.238] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203976; rev:1;) alert tcp $HOME_NET any -> [185.125.205.86] 8088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203977; rev:1;) alert tcp $HOME_NET any -> [185.227.83.36] 7748 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203978; rev:1;) alert tcp $HOME_NET any -> [185.227.83.44] 5888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203979; rev:1;) alert tcp $HOME_NET any -> [185.148.241.49] 9555 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203980; rev:1;) alert tcp $HOME_NET any -> [185.227.83.49] 7119 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203981; rev:1;) alert tcp $HOME_NET any -> [73.107.42.28] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203982; rev:1;) alert tcp $HOME_NET any -> [213.252.247.235] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203983; rev:1;) alert tcp $HOME_NET any -> [185.125.205.79] 8970 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203984; rev:1;) alert tcp $HOME_NET any -> [185.227.83.35] 3885 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203985; rev:1;) alert tcp $HOME_NET any -> [181.215.247.215] 6420 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203986; rev:1;) alert tcp $HOME_NET any -> [181.215.247.173] 8890 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203987; rev:1;) alert tcp $HOME_NET any -> [91.192.100.27] 1373 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203988; rev:1;) alert tcp $HOME_NET any -> [185.148.145.197] 2672 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203989; rev:1;) alert tcp $HOME_NET any -> [45.56.2.247] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203990; rev:1;) alert tcp $HOME_NET any -> [185.208.211.51] 1990 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203991; rev:1;) alert tcp $HOME_NET any -> [185.148.241.56] 5888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203992; rev:1;) alert tcp $HOME_NET any -> [95.181.179.31] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203993; rev:1;) alert tcp $HOME_NET any -> [185.208.211.19] 4045 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203994; rev:1;) alert tcp $HOME_NET any -> [185.209.85.73] 8088 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203995; rev:1;) alert tcp $HOME_NET any -> [89.105.194.234] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203996; rev:1;) alert tcp $HOME_NET any -> [90.69.224.122] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203997; rev:1;) alert tcp $HOME_NET any -> [201.174.70.238] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203998; rev:1;) alert tcp $HOME_NET any -> [185.208.211.73] 33524 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903203999; rev:1;) alert tcp $HOME_NET any -> [194.68.23.182] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903204000; rev:1;) alert tcp $HOME_NET any -> [185.227.83.41] 7720 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903204001; rev:1;) alert tcp $HOME_NET any -> [89.117.107.13] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903204002; rev:1;) alert tcp $HOME_NET any -> [185.125.205.70] 4455 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903204003; rev:1;) alert tcp $HOME_NET any -> [185.125.205.87] 7600 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903204004; rev:1;) alert tcp $HOME_NET any -> [185.224.249.29] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903204005; rev:1;) alert tcp $HOME_NET any -> [185.227.83.35] 1986 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903204006; rev:1;) alert tcp $HOME_NET any -> [178.78.202.189] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903204007; rev:1;) alert tcp $HOME_NET any -> [118.91.178.101] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903204008; rev:1;) alert tcp $HOME_NET any -> [208.78.58.170] 443 (msg:"SSL Blacklist: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:903204009; rev:1;) alert tcp $HOME_NET any -> [185.208.211.103] 2888 (msg:"SSL Blacklist: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; thre